From 8e368e0193acb1877ff2687b72d72686ee3c9280 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 25 Feb 2024 19:06:07 +0200 Subject: [PATCH 01/89] Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya --- nca/CoreDS/ConnectionSet.py | 123 ------- nca/CoreDS/ConnectivityCube.py | 14 +- nca/CoreDS/ConnectivityProperties.py | 82 ++++- nca/CoreDS/Peer.py | 6 + nca/FWRules/ConnectivityGraph.py | 56 +-- nca/FWRules/FWRule.py | 77 ++-- nca/FWRules/MinimizeBasic.py | 155 ++++++++ nca/FWRules/MinimizeCsFWRulesOpt.py | 446 ++++++++++++++++++++++++ nca/FWRules/MinimizeFWRules.py | 254 ++++++++------ nca/NetworkConfig/NetworkConfigQuery.py | 37 +- 10 files changed, 910 insertions(+), 340 deletions(-) create mode 100644 nca/FWRules/MinimizeBasic.py create mode 100644 nca/FWRules/MinimizeCsFWRulesOpt.py diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py index f93142444..1e0626163 100644 --- a/nca/CoreDS/ConnectionSet.py +++ b/nca/CoreDS/ConnectionSet.py @@ -3,13 +3,10 @@ # SPDX-License-Identifier: Apache2.0 # -from collections import defaultdict from .CanonicalIntervalSet import CanonicalIntervalSet from .ConnectivityProperties import ConnectivityProperties from .ProtocolNameResolver import ProtocolNameResolver from .ProtocolSet import ProtocolSet -from .Peer import PeerSet, IpBlock -from nca.FWRules import FWRule class ConnectionSet: @@ -580,123 +577,3 @@ def get_non_tcp_connections(): res.add_all_connections([ProtocolNameResolver.get_protocol_number('TCP')]) return res # return ConnectionSet(True) - ConnectionSet.get_all_TCP_connections() - - # TODO - after moving to the optimized HC set implementation, - # get rid of ConnectionSet and move the code below to ConnectivityProperties.py - - @staticmethod - def get_connection_set_and_peers_from_cube(the_cube, peer_container, - relevant_protocols=ProtocolSet(True)): - conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) - conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) - conn_cube.unset_dim("dst_peers") - protocols = conn_cube["protocols"] - conn_cube.unset_dim("protocols") - if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): - conns = ConnectionSet(True) - else: - conns = ConnectionSet() - protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) - for protocol in protocol_names: - if conn_cube.has_active_dim(): - conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - else: - if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, - ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) - else: - conns.add_connections(protocol, True) - return conns, src_peers, dst_peers - - @staticmethod - def conn_props_to_fw_rules(conn_props, cluster_info, peer_container, - connectivity_restriction): - """ - Build FWRules from the given ConnectivityProperties - :param ConnectivityProperties conn_props: properties describing allowed connections - :param ClusterInfo cluster_info: the cluster info - :param PeerContainer peer_container: the peer container - whereas all other values should be filtered out in the output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return: FWRules map - """ - relevant_protocols = ProtocolSet() - if connectivity_restriction: - if connectivity_restriction == 'TCP': - relevant_protocols.add_protocol('TCP') - else: # connectivity_restriction == 'non-TCP' - relevant_protocols = ProtocolSet.get_non_tcp_protocols() - - fw_rules_map = defaultdict(list) - for cube in conn_props: - conn_cube = conn_props.get_connectivity_cube(cube) - conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) - # create FWRules for src_peers and dst_peers - fw_rules_map[conns] += ConnectionSet.create_fw_rules_list_from_conns(conns, src_peers, dst_peers, - cluster_info) - return fw_rules_map - - @staticmethod - def create_fw_rules_list_from_conns(conns, src_peers, dst_peers, cluster_info): - src_fw_elements = ConnectionSet.split_peer_set_to_fw_rule_elements(src_peers, cluster_info) - dst_fw_elements = ConnectionSet.split_peer_set_to_fw_rule_elements(dst_peers, cluster_info) - fw_rules_list = [] - for src_elem in src_fw_elements: - for dst_elem in dst_fw_elements: - fw_rules_list.append(FWRule.FWRule(src_elem, dst_elem, conns)) - return fw_rules_list - - @staticmethod - def split_peer_set_to_fw_rule_elements(peer_set, cluster_info): - res = [] - peer_set_copy = peer_set.copy() - ns_set = set() - # first, split by namespaces - while peer_set_copy: - peer = list(peer_set_copy)[0] - if isinstance(peer, IpBlock): - res.append(FWRule.IPBlockElement(peer)) - peer_set_copy.remove(peer) - continue - elif isinstance(peer, FWRule.DNSEntry): - res.append(FWRule.DNSElement(peer)) - peer_set_copy.remove(peer) - continue - ns_peers = PeerSet(cluster_info.ns_dict[peer.namespace]) - if ns_peers.issubset(peer_set_copy): - ns_set.add(peer.namespace) - else: - # TODO try to split the element below by labels - res.append(FWRule.PeerSetElement(ns_peers & peer_set_copy)) - peer_set_copy -= ns_peers - if ns_set: - res.append(FWRule.FWRuleElement(ns_set)) - - return res - - @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container): - """ - Converting FWRules to ConnectivityProperties format. - This function is used for comparing FWRules output between original and optimized solutions, - when optimized_run == 'debug' - :param MinimizeFWRules fw_rules: the given FWRules. - :param PeerContainer peer_container: the peer container - :return: the resulting ConnectivityProperties. - """ - res = ConnectivityProperties.make_empty_props() - if fw_rules.fw_rules_map is None: - return res - for fw_rules_list in fw_rules.fw_rules_map.values(): - for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) - src_peers = PeerSet(fw_rule.src.get_peer_set(fw_rules.cluster_info)) - dst_peers = PeerSet(fw_rule.dst.get_peer_set(fw_rules.cluster_info)) - rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, - "dst_peers": dst_peers}) & conn_props - res |= rule_props - return res diff --git a/nca/CoreDS/ConnectivityCube.py b/nca/CoreDS/ConnectivityCube.py index 44c9b54c7..4279ffdc1 100644 --- a/nca/CoreDS/ConnectivityCube.py +++ b/nca/CoreDS/ConnectivityCube.py @@ -17,15 +17,16 @@ class ConnectivityCube(dict): It is used as an input interface for ConnectivityProperties methods. """ - dimensions_list = ["src_peers", "dst_peers", "protocols", "src_ports", "dst_ports", "methods", "hosts", "paths", - "icmp_type", "icmp_code"] + all_dimensions_list = ["src_peers", "dst_peers", "protocols", "src_ports", "dst_ports", "methods", "hosts", "paths", + "icmp_type", "icmp_code"] - def __init__(self): + def __init__(self, dimensions_list=None): """ By default, each dimension in the cube is initialized with entire domain value, which represents "don't care" or inactive dimension (i.e., the dimension has no impact). """ super().__init__() + self.dimensions_list = dimensions_list if dimensions_list else self.all_dimensions_list self.named_ports = set() # used only in the original solution self.excluded_named_ports = set() # used only in the original solution for dim in self.dimensions_list: @@ -37,7 +38,7 @@ def copy(self): Returns a copy of the given ConnectivityCube object :rtype: ConnectivityCube """ - res = ConnectivityCube() + res = ConnectivityCube(self.dimensions_list) for dim_name, dim_value in self.items(): if isinstance(dim_value, MinDFA): res.set_dim_directly(dim_name, dim_value) @@ -129,6 +130,11 @@ def unset_dim(self, dim_name): dim_value = DimensionsManager().get_dimension_domain_by_name(dim_name, True) self.set_dim_directly(dim_name, dim_value) + def unset_all_but_peers(self): + for dim_name in self.dimensions_list: + if dim_name not in ["src_peers", "dst_peers"]: + self.unset_dim(dim_name) + def __getitem__(self, dim_name): """ Returns a given dimension value after converting it from internal to external format. diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 84d4db0c4..7917fdd84 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -64,12 +64,12 @@ class ConnectivityProperties(CanonicalHyperCubeSet): (2) calico: +ve and -ve named ports, no src named ports, and no use of operators between these objects. """ - def __init__(self, create_all=False): + def __init__(self, dimensions_list=None, create_all=False): """ This will create empty or full connectivity properties, depending on create_all flag. :param create_all: whether to create full connectivity properties. """ - super().__init__(ConnectivityCube.dimensions_list) + super().__init__(dimensions_list if dimensions_list else ConnectivityCube.all_dimensions_list) self.named_ports = {} # a mapping from dst named port (String) to src ports interval set self.excluded_named_ports = {} # a mapping from dst named port (String) to src ports interval set if create_all: @@ -132,7 +132,7 @@ def get_connectivity_cube(self, cube): :return: the cube in ConnectivityCube format :rtype: ConnectivityCube """ - res = ConnectivityCube() + res = ConnectivityCube(self.all_dimensions_list) for i, dim in enumerate(self.active_dimensions): if isinstance(cube[i], MinDFA): res.set_dim_directly(dim, cube[i]) @@ -291,7 +291,7 @@ def copy(self): """ :rtype: ConnectivityProperties """ - res = ConnectivityProperties() + res = ConnectivityProperties(self.all_dimensions_list) for layer in self.layers: res.layers[self._copy_layer_elem(layer)] = self.layers[layer].copy() res.active_dimensions = self.active_dimensions.copy() @@ -470,7 +470,7 @@ def make_all_props(): Returns all connectivity properties, representing logical True :return: ConnectivityProperties """ - return ConnectivityProperties(True) + return ConnectivityProperties(create_all=True) def are_auto_conns(self): """ @@ -496,9 +496,79 @@ def props_without_auto_conns(self): """ Return the properties after removing all connections from peer to itself """ + return self - self.get_auto_conns_from_peers() + + def get_auto_conns_from_peers(self): + """ + Build properties containing all connections from peer to itself, for all peers in the current properties + :return: the resulting auto connections properties + """ peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") auto_conns = ConnectivityProperties() for peer in peers: auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}), "dst_peers": PeerSet({peer})}) - return self - auto_conns + return auto_conns + + def minimize(self): + """ + Try to minimize the current properties by changing the order between "src_peers" and "dst_peers" dimensions + """ + new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] + src_peers_index = self.all_dimensions_list.index("src_peers") + dst_peers_index = self.all_dimensions_list.index("dst_peers") + # switch between "src_peers" and "dst_peers" dimensions + new_all_dims_map[src_peers_index] = dst_peers_index + new_all_dims_map[dst_peers_index] = src_peers_index + new_props = self._reorder_by_dim_list(new_all_dims_map) + return self if len(self) <= len(new_props) else new_props + + def push_back_peers_dimensions(self): + """ + Reorder the current properties by making "src_peers" and "dst_peers" the last two dimensions. + """ + new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] + last_index = len(self.all_dimensions_list) - 1 + src_peers_index = self.all_dimensions_list.index("src_peers") + dst_peers_index = self.all_dimensions_list.index("dst_peers") + # switch between "src_peers", "dst_peers" and last two dimensions + new_all_dims_map[src_peers_index] = last_index - 1 + new_all_dims_map[last_index - 1] = src_peers_index + new_all_dims_map[dst_peers_index] = last_index + new_all_dims_map[last_index] = dst_peers_index + return self._reorder_by_dim_list(new_all_dims_map) + + def _reorder_by_dim_list(self, new_all_dims_map): + """ + Reorder the current properties by the given dimensions order + :param list[int] new_all_dims_map: the given dimensions order + :return: the reordered connectivity properties + """ + # Build reordered all dimensions list + new_all_dimensions_list = self._reorder_list_by_map(self.all_dimensions_list, new_all_dims_map) + new_active_dimensions = [] + new_active_dims_map = [i for i in range(len(self.active_dimensions))] + # Build reordered active dimensions list + for dim in new_all_dimensions_list: + if dim in self.active_dimensions: + new_active_dims_map[len(new_active_dimensions)] = self.active_dimensions.index(dim) + new_active_dimensions.append(dim) + # Build reordered properties by cubes + res = ConnectivityProperties(new_all_dimensions_list) + for cube in self: + new_cube = self._reorder_list_by_map(cube, new_active_dims_map) + res.add_cube(new_cube, new_active_dimensions) + return res + + @staticmethod + def _reorder_list_by_map(orig_list, new_to_old_map): + """ + Reorder a given list by map from new to old indices. + :param list orig_list: the original list + :param list[int] new_to_old_map: the list mapping new to old indices + :return: the resulting list + """ + res = [] + for i in range(len(orig_list)): + res.append(orig_list[new_to_old_map[i]]) + return res diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 02829449f..178c0281a 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -652,6 +652,12 @@ def get_set_without_ip_block(self): """ return set(elem for elem in self if not isinstance(elem, IpBlock)) + def get_set_without_ip_block_or_dns_entry(self): + """ + :return: a set with all elements from self which are not IpBlock or DNSEntry + """ + return set(elem for elem in self if not isinstance(elem, (IpBlock, DNSEntry))) + def get_ip_block_canonical_form(self): """ :return: IpBlock element in canonical form for all elements from self which are IpBlock diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 02ee57595..536301ce6 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -9,7 +9,7 @@ from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod from nca.CoreDS.ConnectionSet import ConnectionSet from .DotGraph import DotGraph -from .MinimizeFWRules import MinimizeCsFwRules, MinimizeFWRules +from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -60,7 +60,7 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container): :param PeerContainer peer_container: the peer container """ conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) for src_peer in src_peers: for dst_peer in dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) @@ -428,57 +428,7 @@ def get_minimized_firewall_rules(self): print(line) print('======================================================') # compute the minimized firewall rules - return self._minimize_firewall_rules(connections_sorted_by_size) - - def _minimize_firewall_rules(self, connections_sorted_by_size): - """ - Creates the set of minimized fw rules and prints to output - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - cs_containment_map = self._build_connections_containment_map(connections_sorted_by_size) - fw_rules_map = defaultdict(list) - results_map = dict() - minimize_cs = MinimizeCsFwRules(self.cluster_info, self.allowed_labels, self.output_config) - # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_pairs in connections_sorted_by_size: - # currently skip "no connections" - if not connections: - continue - # TODO: figure out why we have pairs with (ip,ip) ? - peer_pairs_filtered = self._get_peer_pairs_filtered(peer_pairs) - peer_pairs_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( - connections, peer_pairs_filtered, peer_pairs_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info - - minimize_fw_rules = MinimizeFWRules(fw_rules_map, self.cluster_info, self.output_config, - results_map) - return minimize_fw_rules - - @staticmethod - def _get_peer_pairs_filtered(peer_pairs): - """ - Filters out peer pairs where both src and dst are IpBlock - :param list peer_pairs: the peer pairs to filter - :return: a filtered set of peer pairs - """ - return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) - - def _build_connections_containment_map(self, connections_sorted_by_size): - """ - Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections - """ - cs_containment_map = defaultdict(set) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - peer_pairs_filtered = self._get_peer_pairs_filtered(peer_pairs) - cs_containment_map[conn] |= peer_pairs_filtered - return cs_containment_map + return MinimizeFWRules.minimize_firewall_rules(self.cluster_info, self.output_config, connections_sorted_by_size) @staticmethod def _merge_ip_blocks(connections_sorted_by_size): diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 3aff93b23..6b8597d4b 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -138,12 +138,14 @@ class FWRuleElement: Every fw-rule element (src,dst) has a ns-level info """ - def __init__(self, ns_info): + def __init__(self, ns_info, cluster_info=None): """ Create a FWRuleElement object :param ns_info: set of namespaces, of type: set[K8sNamespace] + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info """ self.ns_info = ns_info + self.cluster_info = cluster_info def get_elem_list_obj(self): """ @@ -187,34 +189,36 @@ def __hash__(self): def __eq__(self, other): return self.ns_info == other.ns_info + def __le__(self, other): + return self.get_peer_set().issubset(other.get_peer_set()) + def is_system_ns(self): """ :return: True if this element has one namespace and it ends with "system" """ return len(self.ns_info) == 1 and str(list(self.ns_info)[0]).endswith("-system") - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ res = set() for ns in self.ns_info: - res |= cluster_info.ns_dict[ns] + res |= self.cluster_info.ns_dict[ns] return res - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ - return PeerSet(self.get_pods_set(cluster_info)) + return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem): + def create_fw_elements_from_base_element(base_elem, cluster_info): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): @@ -222,9 +226,22 @@ def create_fw_elements_from_base_element(base_elem): elif isinstance(base_elem, IpBlock): return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): - return [FWRuleElement({base_elem})] + return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): return [DNSElement(base_elem)] + elif isinstance(base_elem, PeerSet): + pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) + ipblocks_and_dns = base_elem - pods + res = [] + while pods: + ns = list(pods)[0].namespace + ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) + res.append(PeerSetElement(ns_pods)) + pods -= ns_pods + if ipblocks_and_dns: + for peer in base_elem: + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info)) + return res # unknown base-elem type return None @@ -287,9 +304,8 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PodElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ return {self.element} @@ -301,13 +317,14 @@ class PodLabelsElement(FWRuleElement): """ # TODO: is it possible to have such element with len(ns_info)>1? if not, should add support for such merge? - def __init__(self, element, ns_info): + def __init__(self, element, ns_info, cluster_info): """ Create an object of type PodLabelsElement :param element: an element of type LabelExpr :param ns_info: namespace set of type set[K8sNamespace] + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info """ - super().__init__(ns_info) + super().__init__(ns_info, cluster_info) self.element = element def get_elem_list_obj(self): @@ -344,17 +361,16 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PodLabelsElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ res = set() - ns_pods = super().get_pods_set(cluster_info) + ns_pods = super().get_pods_set() key = self.element.key values = self.element.values for v in values: - pods_with_label_val_in_ns = cluster_info.pods_labels_map[(key, v)] & ns_pods + pods_with_label_val_in_ns = self.cluster_info.pods_labels_map[(key, v)] & ns_pods res |= pods_with_label_val_in_ns return res @@ -420,19 +436,17 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PeerSetElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ return self.element - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ - return self.get_pods_set(cluster_info) + return self.get_pods_set() # TODO: should it be a sub-type of FWRuleElement? @@ -485,17 +499,15 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, IPBlockElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ # an ip block element does not represent any pods return set() - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ return PeerSet({self.element}) @@ -551,17 +563,15 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, DNSElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ # an dns-entry element does not represent any pods return set() - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ return PeerSet({self.element}) @@ -711,17 +721,18 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py new file mode 100644 index 000000000..61244e7ad --- /dev/null +++ b/nca/FWRules/MinimizeBasic.py @@ -0,0 +1,155 @@ +# +# Copyright 2020- IBM Inc. All rights reserved +# SPDX-License-Identifier: Apache2.0 +# + +from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties +from nca.CoreDS.Peer import PeerSet +from nca.CoreDS.ProtocolSet import ProtocolSet + + +class MinimizeBasic: + """ + This is a base class for minimizing fw-rules/peer sets + """ + def __init__(self, cluster_info, output_config): + self.cluster_info = cluster_info + self.output_config = output_config + + def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): + """ + The main function to implement pods grouping by labels. + This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). + :param pods_set: the pods for grouping + :param extra_pods_set: additional pods that can be used for grouping + :return: + res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). + """ + ns_context_options = set(pod.namespace for pod in pods_set) + res_chosen_rep = [] + res_remaining_pods = set() + # grouping by pod-labels per each namespace separately + for ns in ns_context_options: + pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) + extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) + res_chosen_rep.extend(chosen_rep) + res_remaining_pods |= remaining_pods + return res_chosen_rep, res_remaining_pods + + def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): + """ + Implements pods grouping by labels in a single namespace. + :param pods_set: the set of pods for grouping. + :param ns: the namespace + :param extra_pods_set: additional pods that can be used for completing the grouping + (originated in containing connections). + :return: + chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + remaining_pods: set of pods from pods_list that are not included in the grouping result + """ + if self.output_config.fwRulesDebug: + print('get_pods_grouping_by_labels:') + print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) + print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) + all_pods_set = pods_set | extra_pods_set + allowed_labels = self.cluster_info.allowed_labels + pods_per_ns = self.cluster_info.ns_dict[ns] + # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid + # grouping of pods-set by "key in values" + labels_rep_options = [] + for key in allowed_labels: + values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) + fully_covered_label_values = set() + pods_with_fully_covered_label_values = set() + for v in values_for_key: + all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns + if not all_pods_per_label_val: + continue + pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set + pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set + # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set + if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ + pods_with_label_val_from_original_pods_list: + fully_covered_label_values |= {v} + pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list + # TODO: is it OK to ignore label-grouping if only one pod is involved? + if self.output_config.fwRulesGroupByLabelSinglePod: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + else: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + + chosen_rep = [] + remaining_pods = pods_set.copy() + # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that + # covers more pods + sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) + if self.output_config.fwRulesDebug: + print('sorted rep options:') + for (key, (label_vals, pods)) in sorted_rep_options: + print(key, label_vals, len(pods)) + ns_info = {ns} + for (k, (vals, pods)) in sorted_rep_options: + if (pods & pods_set).issubset(remaining_pods): + chosen_rep.append((k, vals, ns_info)) + remaining_pods -= PeerSet(pods) + if not remaining_pods: + break + return chosen_rep, remaining_pods + + # TODO - after moving to the optimized HC set implementation, + # get rid of ConnectionSet and move the code below to ConnectivityProperties.py + @staticmethod + def get_connection_set_and_peers_from_cube(the_cube, peer_container, + relevant_protocols=ProtocolSet(True)): + conn_cube = the_cube.copy() + src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) + conn_cube.unset_dim("src_peers") + dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) + conn_cube.unset_dim("dst_peers") + protocols = conn_cube["protocols"] + conn_cube.unset_dim("protocols") + if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): + conns = ConnectionSet(True) + else: + conns = ConnectionSet() + protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) + for protocol in protocol_names: + if conn_cube.has_active_dim(): + conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) + else: + if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): + conns.add_connections(protocol, + ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) + else: + conns.add_connections(protocol, True) + return conns, src_peers, dst_peers + + @staticmethod + def fw_rules_to_conn_props(fw_rules, peer_container): + """ + Converting FWRules to ConnectivityProperties format. + This function is used for comparing FWRules output between original and optimized solutions, + when optimized_run == 'debug' + :param MinimizeFWRules fw_rules: the given FWRules. + :param PeerContainer peer_container: the peer container + :return: the resulting ConnectivityProperties. + """ + res = ConnectivityProperties.make_empty_props() + if fw_rules.fw_rules_map is None: + return res + for fw_rules_list in fw_rules.fw_rules_map.values(): + for fw_rule in fw_rules_list: + conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) + src_peers = fw_rule.src.get_peer_set() + dst_peers = fw_rule.dst.get_peer_set() + rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, + "dst_peers": dst_peers}) & conn_props + res |= rule_props + return res diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py new file mode 100644 index 000000000..7e8680ccb --- /dev/null +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -0,0 +1,446 @@ +# +# Copyright 2020- IBM Inc. All rights reserved +# SPDX-License-Identifier: Apache2.0 +# + +from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties +from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet +from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ + DNSElement +from .MinimizeBasic import MinimizeBasic + + +class MinimizeCsFwRulesOpt(MinimizeBasic): + """ + This is a class for minimizing fw-rules within a specific connection-set + """ + + def __init__(self, cluster_info, output_config): + """ + create an object of MinimizeCsFwRules + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param output_config: an OutputConfiguration object + + """ + super().__init__(cluster_info, output_config) + self.peer_props = ConnectivityProperties() + self.connections = ConnectionSet() + self.peer_props_in_containing_connections = ConnectivityProperties() + self.ns_pairs = set() + self.ns_ns_props = ConnectivityProperties() + self.peer_pairs_with_partial_ns_expr = set() + self.peer_props_without_ns_expr = ConnectivityProperties() + self.covered_peer_props = ConnectivityProperties() + self.results_info_per_option = dict() + self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules + + def compute_minimized_fw_rules_per_connection(self, connections, peer_props, + peer_props_in_containing_connections): + """ + The main function for creating the minimized set of fw-rules for a given connection set + + :param connections: the allowed connections for the given peer pairs, of type ConnectionSet + :param ConnectivityProperties peer_props: peers (src,dst) for which communication is allowed over the given connections + :param ConnectivityProperties peer_props_in_containing_connections: peers in connections that contain the current + connection set + + class members used in computation of fw-rules: + self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections + self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension + self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping + self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current + connection-set (but not necessarily only limited to current connection set) + + :return: + minimized_fw_rules: a list of fw-rules (of type list[FWRule]) + (results_info_per_option: for debugging, dict with some info about the computation) + """ + self.peer_props = peer_props + self.connections = connections + self.peer_props_in_containing_connections = peer_props_in_containing_connections + self.ns_pairs = set() + self.ns_ns_props = ConnectivityProperties() + self.peer_pairs_with_partial_ns_expr = set() + self.peer_props_without_ns_expr = ConnectivityProperties() + self.covered_peer_props = ConnectivityProperties() + self.results_info_per_option = dict() + self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules + + self._create_fw_rules() + if self.output_config.fwRulesRunInTestMode: + self._print_firewall_rules(self.minimized_fw_rules) + self._print_results_info() + + return self.minimized_fw_rules, self.results_info_per_option + + def _create_fw_rules(self): + """ + The main function for creating the minimized set of fw-rules for a given connection set + :return: None + """ + # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + self._compute_basic_namespace_grouping() + + # add all fw-rules: + self._add_all_fw_rules() + + def _compute_basic_namespace_grouping(self): + """ + computation of peer_pairs with possible grouping by namespaces. + Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + :return: None + """ + self._compute_covered_peer_props() + # only Pod elements have namespaces (skipping IpBlocks and HostEPs) + src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + if isinstance(src, ClusterEP)) + dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + if isinstance(dst, ClusterEP)) + # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs + for src_ns in src_ns_set: + for dst_ns in dst_ns_set: + ns_product_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), + "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) + if ns_product_props.contained_in(self.covered_peer_props): + self.ns_ns_props |= ns_product_props + self.ns_pairs |= {(src_ns, dst_ns)} + else: + self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + + # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? + src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") + if isinstance(src, (IpBlock, HostEP, DNSEntry)))) + dst_peers_without_ns = PeerSet(set(dst for dst in self.peer_props.project_on_one_dimension("dst_peers") + if isinstance(dst, (IpBlock, HostEP, DNSEntry)))) + props_with_elems_without_ns = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers_without_ns}) |\ + ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) + self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props + # compute pairs with src as pod/ip-block and dest as namespace + self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) + # compute pairs with src as pod/ip-block namespace dest as pod + self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) + # remove pairs of (pod,pod) for trivial cases of communication from pod to itself + self.peer_props_without_ns_expr = self.peer_props_without_ns_expr.props_without_auto_conns() + + def _compute_covered_peer_props(self): + """ + compute the union (set) of all peer pairs for which communication is allowed in current connection-set (but + not necessarily only limited to current connection set) + :return: None + """ + covered_peer_props = self.peer_props | self.peer_props_in_containing_connections + all_peers_set = self.peer_props.project_on_one_dimension("src_peers") |\ + self.peer_props.project_on_one_dimension("dst_peers") + for pod in all_peers_set: + if isinstance(pod, ClusterEP): + covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), + "dst_peers": PeerSet({pod})}) + self.covered_peer_props = covered_peer_props + + def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): + """ + computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + can be grouped to an entire namespace + :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) + :return: None + """ + # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not + # in the grouping computation + + for ns in ns_set: + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + candidate_peers = self.peer_props_without_ns_expr.project_on_one_dimension(other_dim_name) + for peer in candidate_peers: + peer_with_ns_props = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), + other_dim_name: PeerSet({peer})}) + if peer_with_ns_props.contained_in(self.peer_props_without_ns_expr): + self.peer_pairs_with_partial_ns_expr.add((ns, peer) if is_src_ns else (peer, ns)) + self.peer_props_without_ns_expr -= peer_with_ns_props + + def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): + """ + create a fw-rule from a fixed-elem and a set of namespaces + :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) + :param ns_set: a set of namespaces + :param fixed_elem: the fixed element + :return: a list with created FWRule + """ + # currently no grouping of ns-list by labels of namespaces + grouped_elem = FWRuleElement(ns_set, self.cluster_info) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + else: + fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + return [fw_rule] + + def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, + make_peer_sets=False): + """ + Implements grouping in the level of pods labels. + :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. + :param pods_set: the set of pods to be grouped + :param fixed_elem: the fixed element of the original fw-rules + :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be + used for grouping (completing for a set of pods to cover some label grouping). + :return: a set of fw-rules result after grouping + """ + res = [] + # (1) try grouping by pods-labels: + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) + for (key, values, ns_info) in chosen_rep: + map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) + all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) + pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) + grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + else: + fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + res.append(fw_rule) + + # TODO: should avoid having single pods remaining without labels grouping + # (2) add rules for remaining single pods: + if make_peer_sets and remaining_pods: + peer_set_elem = PeerSetElement(PeerSet(remaining_pods)) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) + else: + fw_rule = FWRule(peer_set_elem, fixed_elem, self.connections) + res.append(fw_rule) + else: + for pod in remaining_pods: + single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') + if is_src_fixed: + fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) + else: + fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) + res.append(fw_rule) + return res + + def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): + """ + creating initial fw-rules from base elements + :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock + :return: list with created fw-rules + :rtype list[FWRule] + """ + res = [] + for (src, dst) in base_elems_pairs: + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + return res + + def _create_initial_fw_rules_from_peer_props(self, peer_props): + res = [] + min_peer_props = peer_props.minimize() + for cube in min_peer_props: + conn_cube = min_peer_props.get_connectivity_cube(cube) + src_peers = conn_cube["src_peers"] + dst_peers = conn_cube["dst_peers"] + # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr + assert src_peers and dst_peers + res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + self.cluster_info)) + return res + + def _create_all_initial_fw_rules(self): + """ + Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) + :return: a list of initial fw-rules of type FWRule + :rtype list[FWRule] + """ + + initial_fw_rules = [] + initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) + initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) + initial_fw_rules.extend( + self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) + return initial_fw_rules + + def _add_all_fw_rules(self): + """ + Computation of fw-rules, following the ns-grouping of peer_pairs. + Results are at: self.minimized_rules_set + :return: None + """ + # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + initial_fw_rules = self._create_all_initial_fw_rules() + # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per + # all ConnectionSet pairs) + + # option1 - start computation when src is fixed at first iteration, and merge applies to dst + option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) + # option2 - start computation when dst is fixed at first iteration, and merge applies to src + option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) + + # self.post_processing_fw_rules(option1) + # self.post_processing_fw_rules(option2) + + if self.output_config.fwRulesRunInTestMode: + # add info for documentation about computation results + self.results_info_per_option['option1_len'] = len(option1) + self.results_info_per_option['option2_len'] = len(option2) + self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 + self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 + + if self.output_config.fwRulesDebug: + print('option 1 rules:') + self._print_firewall_rules(option1) + print('option 2 rules: ') + self._print_firewall_rules(option2) + + # choose the option with less fw-rules + if len(option1) < len(option2): + self.minimized_fw_rules = option1 + return + self.minimized_fw_rules = option2 + + def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): + """ + Apply grouping for a set of elements to create grouped fw-rules + :param fixed_elem: the fixed elements from the original fw-rules + :param set_for_grouping_elems: the set of elements to be grouped + :param src_first: a bool flag to indicate if fixed_elem is src or dst + :return: A list of fw-rules after possible grouping operations + """ + res = [] + # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems + peer_set_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, PeerSetElement)) + pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if + isinstance(elem, (PodElement, PodLabelsElement))) + ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) + dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) + ns_elems = set_for_grouping_elems - (peer_set_elems | pod_and_pod_labels_elems | ip_block_elems | dns_elems) + + if ns_elems: + # grouping of ns elements is straight-forward + ns_set = set.union(*(f.ns_info for f in ns_elems)) + res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) + + for peer_set_elem in peer_set_elems: + res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, peer_set_elem.get_pods_set(), + fixed_elem, set(), True)) + + # fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) if src_first else \ + # FWRule(peer_set_elem, fixed_elem, self.connections) + # res.append(fw_rule) + + if pod_and_pod_labels_elems: + # grouping of pod and pod-labels elements + # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping + if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): + elem = list(pod_and_pod_labels_elems)[0] + fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, + self.connections) + res.append(fw_rule) + else: + # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped + set_for_grouping_pods = set() + for e in pod_and_pod_labels_elems: + set_for_grouping_pods |= e.get_pods_set() + + # allow borrowing pods for labels-grouping from covered_peer_props + fixed_elem_pods = fixed_elem.get_pods_set() + # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within + # covered_peer_props + extra_pods_list = [] + for p in fixed_elem_pods: + pods_to_add = self._get_peers_paired_with_given_peer(p, src_first) + extra_pods_list.append(pods_to_add) + # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within + # covered_peer_props + extra_pods_list_common = set() + if extra_pods_list: + extra_pods_list_common = set.intersection(*extra_pods_list) + + res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, + fixed_elem, extra_pods_list_common)) + + if ip_block_elems: + # currently no grouping for ip blocks + for elem in ip_block_elems: + if src_first: + res.append(FWRule(fixed_elem, elem, self.connections)) + else: + res.append(FWRule(elem, fixed_elem, self.connections)) + + if dns_elems: + for elem in dns_elems: + if src_first: # do we need both if else? , dns_elem may be a dst always + res.append(FWRule(fixed_elem, elem, self.connections)) + else: + res.append(FWRule(elem, fixed_elem, self.connections)) + + return res + + def _get_peers_paired_with_given_peer(self, peer, is_src_peer): + this_dim = "src_peers" if is_src_peer else "dst_peers" + other_dim = "dst_peers" if is_src_peer else "src_peers" + props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) + return props.project_on_one_dimension(other_dim) + + def _create_merged_rules_set(self, is_src_first, fw_rules): + """ + Computing a minimized set of fw-rules by merging src/dst elements iteratively + :param is_src_first: a bool flag to indicate if merge process starts with src or dest + :param fw_rules: a list of initial fw-rules + :return: a list of minimized fw-rules after merge process + """ + initial_fw_rules = fw_rules.copy() + if not initial_fw_rules: + return [], 0 + count_fw_rules = dict() # map number of fw-rules per iteration number + max_iter = self.output_config.fwRulesMaxIter + convergence_iteration = max_iter + for i in range(0, max_iter): + fw_rules_after_merge = [] + count_fw_rules[i] = len(initial_fw_rules) + if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: + convergence_iteration = i + break + if i > 1 and self.output_config.fwRulesRunInTestMode: + assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." + # change the grouping target (src/dst) on each iteration + src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) + first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) + for elem in first_elem_set: + if src_first: + # TODO: equals or contained in? + # set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem <= f.src) + set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem == f.src) + else: + # set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem <= f.dst) + set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem == f.dst) + res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) + fw_rules_after_merge.extend(res) + # prepare for next iteration + initial_fw_rules = fw_rules_after_merge + if self.output_config.fwRulesDebug: + print('fw rules after iteration: ' + str(i)) + self._print_firewall_rules(initial_fw_rules) + + return initial_fw_rules, convergence_iteration + + # --------------------------------------------------------------------------------------------------------- + # below functions are for debugging : + + def _print_results_info(self): + print('----------------') + print('results_info_per_option: ') + for key in self.results_info_per_option: + val = self.results_info_per_option[key] + print(str(key) + ':' + str(val)) + print('----------------') + + def _print_firewall_rules(self, rules): + print('-------------------') + print('rules for connections: ' + str(self.connections)) + for rule in rules: + # filter out rule of a pod to itslef + # if rule.is_rule_trivial(): + # continue + print(rule) diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index d42cd301c..e373b8538 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -3,30 +3,29 @@ # SPDX-License-Identifier: Apache2.0 # +from collections import defaultdict from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, HostEP, DNSEntry +from nca.CoreDS.ProtocolSet import ProtocolSet from .FWRule import FWRuleElement, FWRule, PodElement, LabelExpr, PodLabelsElement, IPBlockElement, DNSElement +from .MinimizeBasic import MinimizeBasic +from .MinimizeCsFWRulesOpt import MinimizeCsFwRulesOpt -class MinimizeCsFwRules: +class MinimizeCsFwRules(MinimizeBasic): """ This is a class for minimizing fw-rules within a specific connection-set """ - def __init__(self, cluster_info, allowed_labels, output_config): + def __init__(self, cluster_info, output_config): """ create an object of MinimizeCsFwRules :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param allowed_labels: a set of label keys (set[str]) that appear in one of the policy yaml files. - using this set to determine which label can be used for grouping pods in fw-rules computation :param output_config: an OutputConfiguration object """ - - self.cluster_info = cluster_info - self.allowed_labels = allowed_labels - self.output_config = output_config - + super().__init__(cluster_info, output_config) self.peer_pairs = set() self.connections = ConnectionSet() self.peer_pairs_in_containing_connections = set() @@ -48,7 +47,7 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_pairs, pee class members used in computation of fw-rules: self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections - self.peer_pairs_with_partial_ns_expr: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension + self.peers_with_ns_pairs: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current connection-set (but not necessarily only limited to current connection set) @@ -79,7 +78,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # partition peer_pairs to ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -88,7 +87,7 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + Results are at: ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr :return: None """ self._compute_covered_peer_pairs_union() @@ -184,7 +183,7 @@ def _get_ns_covered_in_one_dimension(self, is_src_fixed, fixed_elem): def _compute_ns_pairs_with_partial_ns_expr(self, is_src_ns): """ - computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + computes and updates self.peers_with_ns_pairs with pairs where only one elem (src/dst) can be grouped to an entire namespace :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) :return: None @@ -221,99 +220,13 @@ def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_ele :return: a list with created FWRule """ # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set) + grouped_elem = FWRuleElement(ns_set, self.cluster_info) if is_src_fixed: fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) else: fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) return [fw_rule] - def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): - """ - The main function to implement pods grouping by labels. - This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). - :param pods_set: the pods for grouping - :param extra_pods_set: additional pods that can be used for grouping - :return: - res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). - """ - ns_context_options = set(pod.namespace for pod in pods_set) - res_chosen_rep = [] - res_remaining_pods = set() - # grouping by pod-labels per each namespace separately - for ns in ns_context_options: - pods_set_per_ns = pods_set & self.cluster_info.ns_dict[ns] - extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) - res_chosen_rep.extend(chosen_rep) - res_remaining_pods |= remaining_pods - return res_chosen_rep, res_remaining_pods - - def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): - """ - Implements pods grouping by labels in a single namespace. - :param pods_set: the set of pods for grouping. - :param ns: the namespace - :param extra_pods_set: additional pods that can be used for completing the grouping - (originated in containing connections). - :return: - chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - remaining_pods: set of pods from pods_list that are not included in the grouping result - """ - if self.output_config.fwRulesDebug: - print('get_pods_grouping_by_labels:') - print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) - print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) - all_pods_set = pods_set | extra_pods_set - allowed_labels = self.cluster_info.allowed_labels - pods_per_ns = self.cluster_info.ns_dict[ns] - # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid - # grouping of pods-set by "key in values" - labels_rep_options = [] - for key in allowed_labels: - values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) - fully_covered_label_values = set() - pods_with_fully_covered_label_values = set() - for v in values_for_key: - all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns - if not all_pods_per_label_val: - continue - pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set - pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set - # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set - if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ - pods_with_label_val_from_original_pods_list: - fully_covered_label_values |= {v} - pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list - # TODO: is it OK to ignore label-grouping if only one pod is involved? - if self.output_config.fwRulesGroupByLabelSinglePod: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - else: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - - chosen_rep = [] - remaining_pods = pods_set.copy() - # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that - # covers more pods - sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) - if self.output_config.fwRulesDebug: - print('sorted rep options:') - for (key, (label_vals, pods)) in sorted_rep_options: - print(key, label_vals, len(pods)) - ns_info = {ns} - for (k, (vals, pods)) in sorted_rep_options: - if (pods & pods_set).issubset(remaining_pods): - chosen_rep.append((k, vals, ns_info)) - remaining_pods -= pods - if not remaining_pods: - break - return chosen_rep, remaining_pods - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set): """ Implements grouping in the level of pods labels. @@ -331,7 +244,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info) + grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) if is_src_fixed: fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) else: @@ -358,7 +271,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) return res def _create_all_initial_fw_rules(self): @@ -380,7 +293,7 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # create initial fw-rules from ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per # all ConnectionSet pairs) @@ -451,10 +364,10 @@ def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped set_for_grouping_pods = set() for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set(self.cluster_info) + set_for_grouping_pods |= e.get_pods_set() # allow borrowing pods for labels-grouping from covered_peer_pairs_union - fixed_elem_pods = fixed_elem.get_pods_set(self.cluster_info) + fixed_elem_pods = fixed_elem.get_pods_set() # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within # covered_peer_pairs_union extra_pods_list = [] @@ -556,21 +469,21 @@ def get_src_dest_pairs_from_fw_rules(self, rules): # compute set of pods derived from rule src and rule dest if not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ not isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set(self.cluster_info) - dest_set = rule.dst.get_pods_set(self.cluster_info) + src_set = rule.src.get_pods_set() + dest_set = rule.dst.get_pods_set() for src in src_set: for dst in dest_set: src_dest_pairs.append((src, dst)) elif isinstance(rule.src, IPBlockElement) and not isinstance(rule.dst, (IPBlockElement, DNSElement)): - dest_set = rule.dst.get_pods_set(self.cluster_info) + dest_set = rule.dst.get_pods_set() for dst in dest_set: src_dest_pairs.append((rule.src.element, dst)) elif not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set(self.cluster_info) + src_set = rule.src.get_pods_set() for src in src_set: src_dest_pairs.append((src, rule.dst.element)) @@ -592,7 +505,7 @@ def validate_ip_blocks(ips_list_1, ips_list_2): ip_block_2 |= ip return ip_block_1.contained_in(ip_block_2) - # for testing- make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs + # for testing - make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs def check_peer_pairs_equivalence(self, rules): orig_set = set(self.peer_pairs) allowed_extra_set = set(self.covered_peer_pairs_union) # set(self.peer_pairs_in_containing_connections) @@ -646,7 +559,6 @@ def check_peer_pairs_equivalence(self, rules): return True - # ================================================================================================================== class MinimizeFWRules: @@ -659,7 +571,7 @@ def __init__(self, fw_rules_map, cluster_info, output_config, results_map): create n object of MinimizeFWRules :param fw_rules_map: a map from ConnectionSet to list[FWRule] - the list of minimized fw-rules per connection :param cluster_info: an object of type ClusterInfo - :param output_config: an object of type OutputConiguration + :param output_config: an object of type OutputConfiguration :param results_map: (temp, for debugging) a map from connection to results info """ self.fw_rules_map = fw_rules_map @@ -765,3 +677,121 @@ def _get_all_rules_list_in_req_format(self, req_format): rules_list.append(rule_obj) rules_dict[str(rule_obj)] = 1 return rules_list + + @staticmethod + def minimize_firewall_rules(cluster_info, output_config, connections_sorted_by_size): + """ + Creates the set of minimized fw rules and prints to output + :param ClusterInfo cluster_info: the cluster info + :param OutputConfiguration output_config: the output configuration + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules + """ + cs_containment_map = MinimizeFWRules._build_connections_containment_map(connections_sorted_by_size) + fw_rules_map = defaultdict(list) + results_map = dict() + minimize_cs = MinimizeCsFwRules(cluster_info, output_config) + # build fw_rules_map: per connection - a set of its minimized fw rules + for connections, peer_pairs in connections_sorted_by_size: + # currently skip "no connections" + if not connections: + continue + # TODO: figure out why we have pairs with (ip,ip) ? + peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) + peer_pairs_in_containing_connections = cs_containment_map[connections] + fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( + connections, peer_pairs_filtered, peer_pairs_in_containing_connections) + fw_rules_map[connections] = fw_rules + results_map[connections] = results_per_info + + minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) + return minimize_fw_rules + + @staticmethod + def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, peer_container, + connectivity_restriction): + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + + # TODO - Tanya: this reorder does not work + #reordered_conn_props = props.push_back_peers_dimensions() + reordered_conn_props = props + connections_to_peers = defaultdict(ConnectivityProperties) + for cube in reordered_conn_props: + conn_cube = reordered_conn_props.get_connectivity_cube(cube) + conns, src_peers, dst_peers = \ + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + conn_cube.unset_all_but_peers() + connections_to_peers[conns] |= ConnectivityProperties.make_conn_props(conn_cube) + connections_sorted_by_size = list(connections_to_peers.items()) + connections_sorted_by_size.sort(reverse=True) + return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) + + @staticmethod + def minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size): + """ + Creates the set of minimized fw rules and prints to output + :param ClusterInfo cluster_info: the cluster info + :param OutputConfiguration output_config: the output configuration + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules + """ + cs_containment_map = MinimizeFWRules._build_connections_containment_map_opt(connections_sorted_by_size) + fw_rules_map = defaultdict(list) + results_map = dict() + minimize_cs_opt = MinimizeCsFwRulesOpt(cluster_info, output_config) + # build fw_rules_map: per connection - a set of its minimized fw rules + for connections, peer_props in connections_sorted_by_size: + # currently skip "no connections" + if not connections: + continue + # TODO: figure out why we have pairs with (ip,ip) ? + peer_props_in_containing_connections = cs_containment_map[connections] + fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_connection( + connections, peer_props, peer_props_in_containing_connections) + fw_rules_map[connections] = fw_rules + results_map[connections] = results_per_info + + minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) + return minimize_fw_rules + + @staticmethod + def _get_peer_pairs_filtered(peer_pairs): + """ + Filters out peer pairs where both src and dst are IpBlock + :param list peer_pairs: the peer pairs to filter + :return: a filtered set of peer pairs + """ + return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) + + @staticmethod + def _build_connections_containment_map(connections_sorted_by_size): + """ + Build a map from a connection to a set of peer_pairs from connections it is contained in + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: a map from connection to a set of peer pairs from containing connections + """ + cs_containment_map = defaultdict(set) + for (conn, _) in connections_sorted_by_size: + for (other_conn, peer_pairs) in connections_sorted_by_size: + if other_conn != conn and conn.contained_in(other_conn): + peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) + cs_containment_map[conn] |= peer_pairs_filtered + return cs_containment_map + + def _build_connections_containment_map_opt(connections_sorted_by_size): + """ + Build a map from a connection to a set of peer_pairs from connections it is contained in + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: a map from connection to a set of peer pairs from containing connections + """ + cs_containment_map = defaultdict(ConnectivityProperties) + for (conn, _) in connections_sorted_by_size: + for (other_conn, peer_pairs) in connections_sorted_by_size: + if other_conn != conn and conn.contained_in(other_conn): + cs_containment_map[conn] |= peer_pairs + return cs_containment_map diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index a11adc83e..cab08be7b 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -16,6 +16,7 @@ from nca.CoreDS.DimensionsManager import DimensionsManager from nca.FWRules.ConnectivityGraph import ConnectivityGraph from nca.FWRules.MinimizeFWRules import MinimizeFWRules +from nca.FWRules.MinimizeBasic import MinimizeBasic from nca.FWRules.ClusterInfo import ClusterInfo from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnectionsFilter from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy @@ -157,18 +158,30 @@ def compare_fw_rules(fw_rules1, fw_rules2, peer_container, rules_descr=""): if fw_rules1.fw_rules_map == fw_rules2.fw_rules_map: print(f"{text_prefix} are semantically equivalent") return - conn_props1 = ConnectionSet.fw_rules_to_conn_props(fw_rules1, peer_container) - conn_props2 = ConnectionSet.fw_rules_to_conn_props(fw_rules2, peer_container) - if conn_props1 == conn_props2: + conn_props1 = MinimizeBasic.fw_rules_to_conn_props(fw_rules1, peer_container) + conn_props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules2, peer_container) + BaseNetworkQuery.compare_conn_props(conn_props1, conn_props2, text_prefix) + + @staticmethod + def compare_conn_props(props1, props2, text_prefix): + if props1 == props2: print(f"{text_prefix} are semantically equivalent") else: - diff_prop = (conn_props1 - conn_props2) | (conn_props2 - conn_props1) + diff_prop = (props1 - props2) | (props2 - props1) if diff_prop.are_auto_conns(): print(f"{text_prefix} differ only in auto-connections") else: print(f"Error: {text_prefix} are different") assert False + @staticmethod + def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, rules_descr=""): + text_prefix = "Connectivity properties and fw-rules generated from them" + if rules_descr: + text_prefix += " for " + rules_descr + props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container) + BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) + class NetworkConfigQuery(BaseNetworkQuery): """ @@ -1105,10 +1118,16 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= :return the connectivity map in fw-rules, considering connectivity_restriction if required :rtype: (Union[str, dict], MinimizeFWRules) """ - cluster_info = ClusterInfo(peers_to_compare, self.config.get_allowed_labels()) - fw_rules_map = ConnectionSet.conn_props_to_fw_rules(props, cluster_info, self.config.peer_container, - connectivity_restriction) - fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, self.output_config, {}) + if self.output_config.fwRulesOverrideAllowedLabels: + allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) + else: + allowed_labels = self.config.get_allowed_labels() + cluster_info = ClusterInfo(peers_to_compare, allowed_labels) + + fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, + self.config.peer_container, + connectivity_restriction) + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container) # Tanya: debug formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules @@ -1253,7 +1272,7 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, for cube in conn_diff_props: conn_cube = conn_diff_props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) conns1 = conns if props_based_on_config1 else no_conns conns2 = no_conns if props_based_on_config1 else conns if self.output_config.fullExplanation: From 82404047ed7b243aa8fdee5f99e80945e388f531 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 16:33:02 +0200 Subject: [PATCH 02/89] Fixed lint errors. Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 1 - nca/FWRules/FWRule.py | 14 ++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 5 +++-- nca/FWRules/MinimizeFWRules.py | 6 ++++-- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 536301ce6..37f369539 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -7,7 +7,6 @@ from collections import defaultdict import networkx from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod -from nca.CoreDS.ConnectionSet import ConnectionSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 6b8597d4b..418c4abf1 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,15 +214,16 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): - return [PodElement(base_elem)] + return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): @@ -240,7 +241,7 @@ def create_fw_elements_from_base_element(base_elem, cluster_info): pods -= ns_pods if ipblocks_and_dns: for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info)) + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config)) return res # unknown base-elem type return None @@ -721,18 +722,19 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 7e8680ccb..84c012627 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -231,7 +231,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_initial_fw_rules_from_peer_props(self, peer_props): @@ -244,7 +245,7 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr assert src_peers and dst_peers res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, - self.cluster_info)) + self.cluster_info, self.output_config)) return res def _create_all_initial_fw_rules(self): diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index e373b8538..5626b6e3e 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -271,7 +271,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_all_initial_fw_rules(self): @@ -561,6 +562,7 @@ def check_peer_pairs_equivalence(self, rules): # ================================================================================================================== + class MinimizeFWRules: """ This is a class for minimizing and handling fw-rules globally for all connection sets @@ -718,7 +720,7 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, relevant_protocols = ProtocolSet.get_non_tcp_protocols() # TODO - Tanya: this reorder does not work - #reordered_conn_props = props.push_back_peers_dimensions() + # reordered_conn_props = props.push_back_peers_dimensions() reordered_conn_props = props connections_to_peers = defaultdict(ConnectivityProperties) for cube in reordered_conn_props: From 6466889cbfafce92ca8249cbff96f469671142e7 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 17:44:26 +0200 Subject: [PATCH 03/89] Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya --- .../basic_connectivity_expl_output.txt | 8 ++++---- ...connectivity_specific_nodes_expl_output.txt | 8 ++++---- .../poc1_expl_output.txt | 18 +++++------------- .../subset_deployment_expl_output.txt | 8 ++++---- .../test25_expl_output.txt | 3 +-- .../test4_expl_output.txt | 10 ++-------- 6 files changed, 20 insertions(+), 35 deletions(-) diff --git a/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt b/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt index 6c0f7d1e2..e66c15d80 100644 --- a/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt +++ b/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt @@ -2,11 +2,11 @@ final fw rules for query: , config: test_subset_topology.yaml: src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections diff --git a/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt b/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt index e07f0722f..973afd932 100644 --- a/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt +++ b/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt @@ -2,11 +2,11 @@ final fw rules for query: , config: test_subset_topology.yaml: src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections diff --git a/tests/expected_cmdline_output_files/poc1_expl_output.txt b/tests/expected_cmdline_output_files/poc1_expl_output.txt index 5feff2217..e02ea700f 100644 --- a/tests/expected_cmdline_output_files/poc1_expl_output.txt +++ b/tests/expected_cmdline_output_files/poc1_expl_output.txt @@ -1,26 +1,18 @@ final fw rules for query: , config: microservices-netpols.yaml: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice, shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [frontend] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [recommendationservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt b/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt index 3811c81e4..94010257f 100644 --- a/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt +++ b/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt @@ -1,8 +1,8 @@ final fw rules for query: , config: test_subset_topology.yaml: -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections Explainability results: diff --git a/tests/expected_cmdline_output_files/test25_expl_output.txt b/tests/expected_cmdline_output_files/test25_expl_output.txt index 53ff38ac5..781261b48 100644 --- a/tests/expected_cmdline_output_files/test25_expl_output.txt +++ b/tests/expected_cmdline_output_files/test25_expl_output.txt @@ -1,6 +1,5 @@ final fw rules for query: , config: test25-networkpolicy.yaml: -src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [my-test-deployment-B] conn: All connections - +src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [app=B] conn: All connections Explainability results: diff --git a/tests/expected_cmdline_output_files/test4_expl_output.txt b/tests/expected_cmdline_output_files/test4_expl_output.txt index 4668d14af..74eaa83ef 100644 --- a/tests/expected_cmdline_output_files/test4_expl_output.txt +++ b/tests/expected_cmdline_output_files/test4_expl_output.txt @@ -1,16 +1,10 @@ final fw rules for query: , config: test4-networkpolicy.yaml: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 -src_ns: [kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections Explainability results: From a615f5c9cdb8805309f0b3f53753119dc8476837 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 18:29:39 +0200 Subject: [PATCH 04/89] Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. Signed-off-by: Tanya --- nca/CoreDS/ConnectionSet.py | 9 +++++++-- nca/FWRules/MinimizeBasic.py | 13 +++++++++++-- nca/NetworkConfig/NetworkConfigQuery.py | 9 ++++----- .../test25_expl_output.txt | 1 + 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py index 1e0626163..42d44d26c 100644 --- a/nca/CoreDS/ConnectionSet.py +++ b/nca/CoreDS/ConnectionSet.py @@ -543,16 +543,21 @@ def print_diff(self, other, self_name, other_name): return 'No diff.' - def convert_to_connectivity_properties(self, peer_container): + def convert_to_connectivity_properties(self, peer_container, relevant_protocols=ProtocolSet()): """ Convert the current ConnectionSet to ConnectivityProperties format. This function is used for comparing fw-rules output between original and optimized implementation, when optimized_run == 'debug' :param PeerContainer peer_container: the peer container + :param ProtocolSet relevant_protocols: specify if all protocols refer to TCP / non-TCP protocols :return: the connection set in ConnectivityProperties format """ if self.allow_all: - return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) + if relevant_protocols: + protocols_conn = ConnectivityProperties.make_conn_props_from_dict({"protocols": relevant_protocols}) + else: + protocols_conn = ConnectivityProperties(create_all=True) + return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) & protocols_conn res = ConnectivityProperties.make_empty_props() for protocol, properties in self.allowed_protocols.items(): diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 61244e7ad..9fe042af7 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -132,21 +132,30 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container, return conns, src_peers, dst_peers @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container): + def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=None): """ Converting FWRules to ConnectivityProperties format. This function is used for comparing FWRules output between original and optimized solutions, when optimized_run == 'debug' :param MinimizeFWRules fw_rules: the given FWRules. :param PeerContainer peer_container: the peer container + param Union[str,None] connectivity_restriction: specify if connectivity is restricted to + TCP / non-TCP , or not :return: the resulting ConnectivityProperties. """ + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + res = ConnectivityProperties.make_empty_props() if fw_rules.fw_rules_map is None: return res for fw_rules_list in fw_rules.fw_rules_map.values(): for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) + conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container, relevant_protocols) src_peers = fw_rule.src.get_peer_set() dst_peers = fw_rule.dst.get_peer_set() rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index cab08be7b..1a0795a5d 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -175,11 +175,9 @@ def compare_conn_props(props1, props2, text_prefix): assert False @staticmethod - def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, rules_descr=""): + def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, connectivity_restriction=None): text_prefix = "Connectivity properties and fw-rules generated from them" - if rules_descr: - text_prefix += " for " + rules_descr - props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container) + props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction) BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) @@ -1127,7 +1125,8 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container) # Tanya: debug + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, + connectivity_restriction=connectivity_restriction) # Tanya: debug formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules diff --git a/tests/expected_cmdline_output_files/test25_expl_output.txt b/tests/expected_cmdline_output_files/test25_expl_output.txt index 781261b48..ec53c86eb 100644 --- a/tests/expected_cmdline_output_files/test25_expl_output.txt +++ b/tests/expected_cmdline_output_files/test25_expl_output.txt @@ -1,6 +1,7 @@ final fw rules for query: , config: test25-networkpolicy.yaml: src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [app=B] conn: All connections + Explainability results: From 9c5e89ab194a67acc0360a86f905a93f87f92a38 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 10 Mar 2024 19:38:37 +0200 Subject: [PATCH 05/89] Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 15 --------------- nca/CoreDS/Peer.py | 25 ++++++++++++++++++------- nca/FWRules/FWRule.py | 19 +++++++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 28 +++++++++++++++------------- nca/FWRules/MinimizeFWRules.py | 18 ++++++++++-------- 5 files changed, 56 insertions(+), 49 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 7917fdd84..e8af72468 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -523,21 +523,6 @@ def minimize(self): new_props = self._reorder_by_dim_list(new_all_dims_map) return self if len(self) <= len(new_props) else new_props - def push_back_peers_dimensions(self): - """ - Reorder the current properties by making "src_peers" and "dst_peers" the last two dimensions. - """ - new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] - last_index = len(self.all_dimensions_list) - 1 - src_peers_index = self.all_dimensions_list.index("src_peers") - dst_peers_index = self.all_dimensions_list.index("dst_peers") - # switch between "src_peers", "dst_peers" and last two dimensions - new_all_dims_map[src_peers_index] = last_index - 1 - new_all_dims_map[last_index - 1] = src_peers_index - new_all_dims_map[dst_peers_index] = last_index - new_all_dims_map[last_index] = dst_peers_index - return self._reorder_by_dim_list(new_all_dims_map) - def _reorder_by_dim_list(self, new_all_dims_map): """ Reorder the current properties by the given dimensions order diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 178c0281a..4686f8f75 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -289,6 +289,9 @@ def __init__(self, cidr=None, exceptions=None, interval=None, name=None, namespa if not self.name: self.name = self.get_cidr_list_str() + def full_name(self): + return self.get_cidr_list_str() + def is_global_peer(self): return self.is_global @@ -296,7 +299,7 @@ def canonical_form(self): if self.namespace is None: return self.name else: - return self.namespace.name + '_' + self.name + return self.namespace.name + '_' + self.full_name() def copy(self): res = IpBlock(name=self.name, namespace=self.namespace, is_global=self.is_global) @@ -568,6 +571,10 @@ def __contains__(self, item): return False return super().__contains__(item) + def canonical_form(self): + # TODO: after moving to optimized HC implementation PeerSet may be always maintained in the canonical form + return PeerSet(self.get_set_without_ip_block()) | self.get_ip_block_canonical_form().get_peer_set() + def __eq__(self, other): # set comparison if self.get_set_without_ip_block() != other.get_set_without_ip_block(): @@ -605,6 +612,8 @@ def __and__(self, other): return res def __ior__(self, other): + # TODO - after moving to optimized HC implementation, create in canonical form (like __iand__); + # (in the original implementation we need split IpBlock for disjoint_ip_blocks() to work correctly) res = PeerSet(super().__ior__(other)) return res @@ -766,21 +775,19 @@ def get_peer_set_by_indices(self, peer_interval_set): :return: the PeerSet of peers referenced by the indices in the interval set """ peer_set = PeerSet() + ipv4block = IpBlock() + ipv6block = IpBlock() for interval in peer_interval_set: if interval.end <= self.max_ipv4_index: # this is IPv4Address start = ipaddress.IPv4Address(interval.start - self.min_ipv4_index) end = ipaddress.IPv4Address(interval.end - self.min_ipv4_index) - ipb = IpBlock( - interval=CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) - peer_set.add(ipb) + ipv4block.add_interval(CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) elif interval.end <= self.max_ipv6_index: # this is IPv6Address start = ipaddress.IPv6Address(interval.start - self.min_ipv6_index) end = ipaddress.IPv6Address(interval.end - self.min_ipv6_index) - ipb = IpBlock( - interval=CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) - peer_set.add(ipb) + ipv6block.add_interval(CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) else: # this is Pod assert interval.end <= self.max_pod_index @@ -788,6 +795,10 @@ def get_peer_set_by_indices(self, peer_interval_set): for ind in range(min(interval.start - self.min_pod_index, curr_pods_max_ind), min(interval.end - self.min_pod_index, curr_pods_max_ind) + 1): peer_set.add(self.ordered_peer_list[ind]) + if ipv4block: + peer_set.add(ipv4block) + if ipv6block: + peer_set.add(ipv6block) return peer_set instance = None diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 418c4abf1..1d972429a 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,18 +214,22 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config, split_ip_blocks): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration + :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; + after moving to optimized HC implementation we will never split IpBlocks. :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): - return [IPBlockElement(ip) for ip in base_elem.split()] + if split_ip_blocks: + return [IPBlockElement(ip) for ip in base_elem.split()] + return [IPBlockElement(base_elem)] elif isinstance(base_elem, K8sNamespace): return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): @@ -241,7 +245,8 @@ def create_fw_elements_from_base_element(base_elem, cluster_info, output_config) pods -= ns_pods if ipblocks_and_dns: for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config)) + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config, + split_ip_blocks)) return res # unknown base-elem type return None @@ -722,7 +727,7 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config, split_ip_blocks=False): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst @@ -730,11 +735,13 @@ def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, outp :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration + :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; + after moving to optimized HC implementation we will never split IpBlocks. :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config, split_ip_blocks) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config, split_ip_blocks) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 84c012627..6387afc90 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -5,7 +5,7 @@ from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet +from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement from .MinimizeBasic import MinimizeBasic @@ -94,9 +94,9 @@ def _compute_basic_namespace_grouping(self): self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") - if isinstance(src, ClusterEP)) + if isinstance(src, Pod)) dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") - if isinstance(dst, ClusterEP)) + if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs for src_ns in src_ns_set: for dst_ns in dst_ns_set: @@ -122,8 +122,6 @@ def _compute_basic_namespace_grouping(self): self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) - # remove pairs of (pod,pod) for trivial cases of communication from pod to itself - self.peer_props_without_ns_expr = self.peer_props_without_ns_expr.props_without_auto_conns() def _compute_covered_peer_props(self): """ @@ -151,16 +149,20 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # in the grouping computation for ns in ns_set: + ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" - candidate_peers = self.peer_props_without_ns_expr.project_on_one_dimension(other_dim_name) - for peer in candidate_peers: - peer_with_ns_props = \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), - other_dim_name: PeerSet({peer})}) - if peer_with_ns_props.contained_in(self.peer_props_without_ns_expr): - self.peer_pairs_with_partial_ns_expr.add((ns, peer) if is_src_ns else (peer, ns)) - self.peer_props_without_ns_expr -= peer_with_ns_props + paired_to_ns_peers = PeerSet() + for cube in self.peer_props_without_ns_expr: + conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + if ns_peers.issubset(dim_peers): + paired_to_ns_peers |= conn_cube[other_dim_name] + paired_to_ns_peers = paired_to_ns_peers.canonical_form() + self.peer_pairs_with_partial_ns_expr.add((ns, paired_to_ns_peers) if is_src_ns else (paired_to_ns_peers, ns)) + self.peer_props_without_ns_expr -= \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), + other_dim_name: paired_to_ns_peers}) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index 5626b6e3e..391de6c03 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -272,7 +272,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): res = [] for (src, dst) in base_elems_pairs: res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) + self.output_config, True)) return res def _create_all_initial_fw_rules(self): @@ -719,16 +719,18 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - # TODO - Tanya: this reorder does not work - # reordered_conn_props = props.push_back_peers_dimensions() - reordered_conn_props = props - connections_to_peers = defaultdict(ConnectivityProperties) - for cube in reordered_conn_props: - conn_cube = reordered_conn_props.get_connectivity_cube(cube) + peers_to_connections = defaultdict(ConnectionSet) + # pick up all connection sets relating to the same peer set pairs + for cube in props: + conn_cube = props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) conn_cube.unset_all_but_peers() - connections_to_peers[conns] |= ConnectivityProperties.make_conn_props(conn_cube) + peers_to_connections[ConnectivityProperties.make_conn_props(conn_cube)] |= conns + # now combine all peer set pairs relating to the same connection sets + connections_to_peers = defaultdict(ConnectivityProperties) + for peers, conns in peers_to_connections.items(): + connections_to_peers[conns] |= peers connections_sorted_by_size = list(connections_to_peers.items()) connections_sorted_by_size.sort(reverse=True) return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) From 81ac68f4a1c7a35a3fc6a2e4c2219bdfb212792f Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 17 Mar 2024 14:48:11 +0200 Subject: [PATCH 06/89] Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 22 +---- nca/FWRules/MinimizeCsFWRulesOpt.py | 140 +++++++++++++++++++++------- 2 files changed, 110 insertions(+), 52 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 1d972429a..5b8b4f768 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,40 +214,22 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info, output_config, split_ip_blocks): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration - :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; - after moving to optimized HC implementation we will never split IpBlocks. :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): - if split_ip_blocks: - return [IPBlockElement(ip) for ip in base_elem.split()] - return [IPBlockElement(base_elem)] + return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): return [DNSElement(base_elem)] - elif isinstance(base_elem, PeerSet): - pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) - ipblocks_and_dns = base_elem - pods - res = [] - while pods: - ns = list(pods)[0].namespace - ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) - res.append(PeerSetElement(ns_pods)) - pods -= ns_pods - if ipblocks_and_dns: - for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config, - split_ip_blocks)) - return res # unknown base-elem type return None diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 6387afc90..c5524d2e3 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -3,9 +3,11 @@ # SPDX-License-Identifier: Apache2.0 # +from collections import defaultdict from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod +from nca.Resources.OtherResources.K8sNamespace import K8sNamespace from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement from .MinimizeBasic import MinimizeBasic @@ -27,8 +29,7 @@ def __init__(self, cluster_info, output_config): self.peer_props = ConnectivityProperties() self.connections = ConnectionSet() self.peer_props_in_containing_connections = ConnectivityProperties() - self.ns_pairs = set() - self.ns_ns_props = ConnectivityProperties() + self.ns_set_pairs = set() self.peer_pairs_with_partial_ns_expr = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() @@ -46,7 +47,7 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_props, connection set class members used in computation of fw-rules: - self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections + self.ns_set_pairs : pairs of sets of namespaces, grouped together self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current @@ -59,8 +60,7 @@ class members used in computation of fw-rules: self.peer_props = peer_props self.connections = connections self.peer_props_in_containing_connections = peer_props_in_containing_connections - self.ns_pairs = set() - self.ns_ns_props = ConnectivityProperties() + self.ns_set_pairs = set() self.peer_pairs_with_partial_ns_expr = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() @@ -79,7 +79,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # partition peer_props to ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -88,7 +88,7 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + Results are at: ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr :return: None """ self._compute_covered_peer_props() @@ -98,16 +98,21 @@ def _compute_basic_namespace_grouping(self): dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs + src_ns_to_dst_ns = defaultdict(set) for src_ns in src_ns_set: for dst_ns in dst_ns_set: ns_product_props = \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): - self.ns_ns_props |= ns_product_props - self.ns_pairs |= {(src_ns, dst_ns)} + src_ns_to_dst_ns[src_ns].add(dst_ns) else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + dst_ns_to_src_ns = defaultdict(set) + for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): + dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) + for dst_ns_set, src_ns_set in dst_ns_to_src_ns.items(): + self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") @@ -148,21 +153,25 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not # in the grouping computation - for ns in ns_set: - ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - dim_name = "src_peers" if is_src_ns else "dst_peers" - other_dim_name = "dst_peers" if is_src_ns else "src_peers" - paired_to_ns_peers = PeerSet() - for cube in self.peer_props_without_ns_expr: - conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) - dim_peers = conn_cube[dim_name] + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + for cube in self.peer_props_without_ns_expr: + conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + other_dim_peers = conn_cube[other_dim_name].canonical_form() + curr_ns_set = set() + curr_ns_peers = PeerSet() + for ns in ns_set: + ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) if ns_peers.issubset(dim_peers): - paired_to_ns_peers |= conn_cube[other_dim_name] - paired_to_ns_peers = paired_to_ns_peers.canonical_form() - self.peer_pairs_with_partial_ns_expr.add((ns, paired_to_ns_peers) if is_src_ns else (paired_to_ns_peers, ns)) - self.peer_props_without_ns_expr -= \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), - other_dim_name: paired_to_ns_peers}) + curr_ns_set.add(ns) + curr_ns_peers |= ns_peers + if curr_ns_set: + self.peer_pairs_with_partial_ns_expr.add((frozenset(curr_ns_set), other_dim_peers) if is_src_ns + else (other_dim_peers, frozenset(curr_ns_set))) + self.peer_props_without_ns_expr -= \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers}) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ @@ -180,6 +189,23 @@ def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_ele fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) return [fw_rule] + def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): + """ + Group a given set of pods by labels, and create FWRuleElements according to the grouping + :param PeerSet pods_set: a set of pods to be grouped by labels + :return: the resulting element list + """ + res = [] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, set()) + for (key, values, ns_info) in chosen_rep: + map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) + all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) + pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) + res.append(PodLabelsElement(pod_label_expr, ns_info, self.cluster_info)) + if remaining_pods: + res.append(PeerSetElement(PeerSet(remaining_pods))) + return res + def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, make_peer_sets=False): """ @@ -233,8 +259,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) + res.extend(self._create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_initial_fw_rules_from_peer_props(self, peer_props): @@ -244,12 +270,64 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): conn_cube = min_peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] - # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr + # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr assert src_peers and dst_peers - res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, - self.cluster_info, self.output_config)) + res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + self.cluster_info, self.output_config)) return res + def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_info, output_config): + """ + create fw-rules from single pair of base elements (src,dst) and a given connection set + :param ConnectionSet connections: the allowed connections from src to dst + :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock + :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration + :return: list with created fw-rules + :rtype list[FWRule] + """ + src_elem = self._create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = self._create_fw_elements_from_base_element(dst, cluster_info, output_config) + if src_elem is None or dst_elem is None: + return [] + return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] + + def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_config): + """ + create a list of fw-rule-elements from base-element + :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration + after moving to optimized HC implementation we will never split IpBlocks. + :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] + """ + if isinstance(base_elem, ClusterEP): + return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] + elif isinstance(base_elem, IpBlock): + return [IPBlockElement(base_elem)] + elif isinstance(base_elem, K8sNamespace): + return [FWRuleElement({base_elem}, cluster_info)] + elif isinstance(base_elem, DNSEntry): + return [DNSElement(base_elem)] + elif isinstance(base_elem, PeerSet): + pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) + ipblocks_and_dns = base_elem - pods + res = [] + while pods: + ns = list(pods)[0].namespace + ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) + res.extend(self._create_fw_elements_by_pods_grouping_by_labels(ns_pods)) + pods -= ns_pods + if ipblocks_and_dns: + for peer in base_elem: + res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) + return res + elif isinstance(base_elem, frozenset): # set of namespaces + return [FWRuleElement(set(base_elem), cluster_info)] + # unknown base-elem type + return None + def _create_all_initial_fw_rules(self): """ Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) @@ -258,7 +336,7 @@ def _create_all_initial_fw_rules(self): """ initial_fw_rules = [] - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) + initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) initial_fw_rules.extend( self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) @@ -270,10 +348,8 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() - # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per - # all ConnectionSet pairs) # option1 - start computation when src is fixed at first iteration, and merge applies to dst option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) From 06f52504a6e9a5efbbaecf6208d1ab14c5691821 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 17 Mar 2024 14:53:56 +0200 Subject: [PATCH 07/89] Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 8 +++----- nca/FWRules/MinimizeFWRules.py | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 5b8b4f768..c5a28b98c 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -709,7 +709,7 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config, split_ip_blocks=False): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst @@ -717,13 +717,11 @@ def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, outp :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration - :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; - after moving to optimized HC implementation we will never split IpBlocks. :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config, split_ip_blocks) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config, split_ip_blocks) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index 391de6c03..dab616015 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -272,7 +272,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): res = [] for (src, dst) in base_elems_pairs: res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config, True)) + self.output_config)) return res def _create_all_initial_fw_rules(self): From 898f222f381830c753031a8ea11ddff9b977b075 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 19 Mar 2024 17:34:10 +0200 Subject: [PATCH 08/89] More optimization in calculation partial ns grouping. Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 10 ++++++++-- nca/FWRules/MinimizeCsFWRulesOpt.py | 30 ++++++++++++++++++---------- 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index e8af72468..ab301cd98 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -514,14 +514,20 @@ def minimize(self): """ Try to minimize the current properties by changing the order between "src_peers" and "dst_peers" dimensions """ + new_props = self.reorder_by_switching_src_dst_peers() + return self if len(self) <= len(new_props) else new_props + + def reorder_by_switching_src_dst_peers(self): + """ + Reorder self by switching the order between "src_peers" and "dst_peers" dimensions + """ new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] src_peers_index = self.all_dimensions_list.index("src_peers") dst_peers_index = self.all_dimensions_list.index("dst_peers") # switch between "src_peers" and "dst_peers" dimensions new_all_dims_map[src_peers_index] = dst_peers_index new_all_dims_map[dst_peers_index] = src_peers_index - new_props = self._reorder_by_dim_list(new_all_dims_map) - return self if len(self) <= len(new_props) else new_props + return self._reorder_by_dim_list(new_all_dims_map) def _reorder_by_dim_list(self, new_all_dims_map): """ diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index c5524d2e3..bb3a27307 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -93,19 +93,20 @@ def _compute_basic_namespace_grouping(self): """ self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") if isinstance(src, Pod)) - dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) - for src_ns in src_ns_set: - for dst_ns in dst_ns_set: + for src_ns in all_src_ns_set: + for dst_ns in all_dst_ns_set: ns_product_props = \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): src_ns_to_dst_ns[src_ns].add(dst_ns) + self.covered_peer_props -= ns_product_props else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props dst_ns_to_src_ns = defaultdict(set) @@ -124,9 +125,10 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props # compute pairs with src as pod/ip-block and dest as namespace - self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) + self._compute_peer_pairs_with_partial_ns_expr(all_dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod - self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) + if self.peer_props_without_ns_expr: + self._compute_peer_pairs_with_partial_ns_expr(all_src_ns_set, True) def _compute_covered_peer_props(self): """ @@ -155,8 +157,12 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" - for cube in self.peer_props_without_ns_expr: - conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, + # thus allowing overlapping of fw rules. Also, we start from optimal order betwen src_peers and dst_peers, + # based on whether we search for whole src or dst namespace. + props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + for cube in props: + conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() curr_ns_set = set() @@ -319,9 +325,8 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) res.extend(self._create_fw_elements_by_pods_grouping_by_labels(ns_pods)) pods -= ns_pods - if ipblocks_and_dns: - for peer in base_elem: - res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) + for peer in ipblocks_and_dns: + res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) return res elif isinstance(base_elem, frozenset): # set of namespaces return [FWRuleElement(set(base_elem), cluster_info)] @@ -350,6 +355,9 @@ def _add_all_fw_rules(self): """ # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() + self.minimized_fw_rules = initial_fw_rules + return # Tanya: temp + # TODO - remove the code below after checking and updating all expected results # option1 - start computation when src is fixed at first iteration, and merge applies to dst option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) From ae2ff0ae3e17c9f1c64842f2efe9e2ad3c1200a3 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 19 Mar 2024 17:37:25 +0200 Subject: [PATCH 09/89] Fixed lint error Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bb3a27307..bdd89c2e9 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -94,9 +94,9 @@ def _compute_basic_namespace_grouping(self): self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") - if isinstance(src, Pod)) + if isinstance(src, Pod)) all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") - if isinstance(dst, Pod)) + if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) for src_ns in all_src_ns_set: From 06b2905a5e534bb912013d5d748d759f1bf675f5 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 15:47:20 +0200 Subject: [PATCH 10/89] Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 39 ++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bdd89c2e9..e142d139e 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -93,9 +93,9 @@ def _compute_basic_namespace_grouping(self): """ self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + all_src_ns_set = set(src.namespace for src in self.covered_peer_props.project_on_one_dimension("src_peers") if isinstance(src, Pod)) - all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + all_dst_ns_set = set(dst.namespace for dst in self.covered_peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) @@ -105,8 +105,11 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): - src_ns_to_dst_ns[src_ns].add(dst_ns) self.covered_peer_props -= ns_product_props + if ns_product_props & self.peer_props: + # ensure that the found ns-pair is at least partially included in the current connections' properties + # (rather than being wholly contained in containing connections' properties) + src_ns_to_dst_ns[src_ns].add(dst_ns) else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props dst_ns_to_src_ns = defaultdict(set) @@ -158,9 +161,10 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, - # thus allowing overlapping of fw rules. Also, we start from optimal order betwen src_peers and dst_peers, + # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, # based on whether we search for whole src or dst namespace. props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + ns_set_to_peer_set = defaultdict(PeerSet) for cube in props: conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] @@ -173,11 +177,28 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): curr_ns_set.add(ns) curr_ns_peers |= ns_peers if curr_ns_set: - self.peer_pairs_with_partial_ns_expr.add((frozenset(curr_ns_set), other_dim_peers) if is_src_ns - else (other_dim_peers, frozenset(curr_ns_set))) - self.peer_props_without_ns_expr -= \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, - other_dim_name: other_dim_peers}) + ns_set_to_peer_set[frozenset(curr_ns_set)] |= other_dim_peers + for curr_ns_set, other_dim_peers in ns_set_to_peer_set.items(): + curr_ns_peers = PeerSet(set.union(*[self.cluster_info.ns_dict[ns] for ns in curr_ns_set])) + other_dim_peers_without_ip_block = PeerSet(other_dim_peers.get_set_without_ip_block()) + other_dim_peers_ip_block = other_dim_peers.get_ip_block_canonical_form().get_peer_set() + curr_covered_without_ip_block = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers_without_ip_block}) + curr_covered_ip_block = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers_ip_block}) + # ensure that the found pairs (with and without IpBlocks) are at least partially included + # in the current connections' properties (rather than being wholly contained + # in containing connections' properties) + if self.peer_props_without_ns_expr & curr_covered_without_ip_block: + self.peer_props_without_ns_expr -= curr_covered_without_ip_block + self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns + else (other_dim_peers_without_ip_block, curr_ns_set)) + if self.peer_props_without_ns_expr & curr_covered_ip_block: + self.peer_props_without_ns_expr -= curr_covered_ip_block + self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns + else (other_dim_peers_ip_block, curr_ns_set)) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From 6b22688fa8ef7e1efe94b33b885053a300dd2a6a Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 17:57:49 +0200 Subject: [PATCH 11/89] One more refinemenet of basic namespace grouping Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index e142d139e..030e3d17c 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -173,7 +173,9 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): curr_ns_peers = PeerSet() for ns in ns_set: ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - if ns_peers.issubset(dim_peers): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, + other_dim_name: other_dim_peers}) + if ns_peers.issubset(dim_peers) and (curr_covered & self.peer_props_without_ns_expr): curr_ns_set.add(ns) curr_ns_peers |= ns_peers if curr_ns_set: From 368f1b05d12d5e8fe400fd87ba60bcac4780d6fa Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 19:40:24 +0200 Subject: [PATCH 12/89] One more refinemenet of basic namespace grouping Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 030e3d17c..a320f2d83 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -294,9 +294,25 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): def _create_initial_fw_rules_from_peer_props(self, peer_props): res = [] - min_peer_props = peer_props.minimize() - for cube in min_peer_props: - conn_cube = min_peer_props.get_connectivity_cube(cube) + # first, try to group peers paired with src/dst ipblocks + ipblock = IpBlock.get_all_ips_block_peer_set() + src_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": ipblock}) & peer_props + if src_ipblock_props: + res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) + peer_props -= src_ipblock_props + dst_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"dst_peers": ipblock}) & peer_props + if dst_ipblock_props: + res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) + peer_props -= dst_ipblock_props + # now group the rest of peers + if peer_props: + res.extend(self._create_fw_rules_from_peer_props_aux(peer_props.minimize())) + return res + + def _create_fw_rules_from_peer_props_aux(self, peer_props): + res = [] + for cube in peer_props: + conn_cube = peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr From d027631e5d9dff0cdf180022cd0a720d2e549570 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 16:25:49 +0200 Subject: [PATCH 13/89] More refinemenets of peer grouping from properties Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 6 ++++-- nca/NetworkConfig/NetworkConfigQuery.py | 27 ++++++++++++++----------- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index a320f2d83..b3217f309 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -298,12 +298,14 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): ipblock = IpBlock.get_all_ips_block_peer_set() src_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": ipblock}) & peer_props if src_ipblock_props: - res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) peer_props -= src_ipblock_props + src_ipblock_props = src_ipblock_props.reorder_by_switching_src_dst_peers() + res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) dst_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"dst_peers": ipblock}) & peer_props if dst_ipblock_props: - res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) peer_props -= dst_ipblock_props + res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) + # now group the rest of peers if peer_props: res.extend(self._create_fw_rules_from_peer_props_aux(peer_props.minimize())) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 1a0795a5d..d9258951b 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -850,14 +850,11 @@ def compute_connectivity_output_optimized(self): "dst_peers": opt_peers_to_compare}) base_peers_num = len(opt_peers_to_compare) subset_peers = self.compute_subset(opt_peers_to_compare) - all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) all_conns_opt &= subset_conns - src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) - all_peers = src_peers | dst_peers all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) expl_conns = all_conns_opt if self.config.policies_container.layers.does_contain_istio_layers(): @@ -867,7 +864,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, all_peers) + ExplTracker().set_connections_and_peers(expl_conns, opt_peers_to_compare) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): @@ -929,14 +926,15 @@ def get_connectivity_output_full(self, connections, peers, peers_to_compare): formatted_rules, fw_rules = self.fw_rules_from_connections_dict(connections, peers_to_compare) return formatted_rules, fw_rules - def get_props_output_full(self, props, peers_to_compare): + def get_props_output_full(self, props, all_peers): """ get the connectivity map output considering all connections in the output :param ConnectivityProperties props: properties describing allowed connections - :param PeerSet peers_to_compare: the peers to consider for dot/fw-rules output + :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output :rtype ([Union[str, dict], MinimizeFWRules]) """ + peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) return dot_full, None @@ -944,7 +942,7 @@ def get_props_output_full(self, props, peers_to_compare): conns_wo_fw_rules = self.txt_no_fw_rules_format_from_props(props, peers_to_compare) return conns_wo_fw_rules, None # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_props(props, peers_to_compare) + formatted_rules, fw_rules = self.fw_rules_from_props(props, all_peers) return formatted_rules, fw_rules def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_compare): @@ -991,14 +989,15 @@ def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_comp res_str = formatted_rules_tcp + formatted_rules_non_tcp return res_str, fw_rules_tcp, fw_rules_non_tcp - def get_props_output_split_by_tcp(self, props, peers_to_compare): + def get_props_output_split_by_tcp(self, props, all_peers): """ get the connectivity map output as two parts: TCP and non-TCP :param ConnectivityProperties props: properties describing allowed connections - :param PeerSet peers_to_compare: the peers to consider for dot/fw-rules output + :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) """ + peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") connectivity_tcp_str = 'TCP' connectivity_non_tcp_str = 'non-TCP' props_tcp, props_non_tcp = self.convert_props_to_split_by_tcp(props) @@ -1015,8 +1014,8 @@ def get_props_output_split_by_tcp(self, props, peers_to_compare): res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp return res_str, None, None # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, peers_to_compare, + formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) + formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, connectivity_non_tcp_str) if self.output_config.outputFormat in ['json', 'yaml']: # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) @@ -1276,7 +1275,10 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, conns2 = no_conns if props_based_on_config1 else conns if self.output_config.fullExplanation: if self.config1.optimized_run == 'true': - different_conns_list.append(PeersAndConnections(str(src_peers), str(dst_peers), conns1, conns2)) + src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) + dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) + different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: # 'debug': produce the same output format as in the original implementation (per peer pairs) for src_peer in src_peers: for dst_peer in dst_peers: @@ -1741,6 +1743,7 @@ def compute_diff_original(self): # noqa: C901 return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key + # TODO - rewrite this function using new optimized fw-rules creation def compute_diff_optimized(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: From 8b343d6082bacfcb0ee6316979f32f13174c7919 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 16:56:03 +0200 Subject: [PATCH 14/89] More refinemenets of peer grouping from properties Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 9 ++++++++- nca/FWRules/MinimizeCsFWRulesOpt.py | 3 +-- nca/NetworkConfig/NetworkConfigQuery.py | 12 +++++------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index ab301cd98..b0e9d36dd 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -472,6 +472,13 @@ def make_all_props(): """ return ConnectivityProperties(create_all=True) + def get_all_peers(self): + """ + Return all peers appearing in self. + :return: PeerSet + """ + return self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") + def are_auto_conns(self): """ :return: True iff the given connections are connections from peers to themselves, @@ -503,7 +510,7 @@ def get_auto_conns_from_peers(self): Build properties containing all connections from peer to itself, for all peers in the current properties :return: the resulting auto connections properties """ - peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") + peers = self.get_all_peers() auto_conns = ConnectivityProperties() for peer in peers: auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}), diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index b3217f309..bcbaeb784 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -140,8 +140,7 @@ def _compute_covered_peer_props(self): :return: None """ covered_peer_props = self.peer_props | self.peer_props_in_containing_connections - all_peers_set = self.peer_props.project_on_one_dimension("src_peers") |\ - self.peer_props.project_on_one_dimension("dst_peers") + all_peers_set = self.peer_props.get_all_peers() for pod in all_peers_set: if isinstance(pod, ClusterEP): covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index d9258951b..c4a8a81d9 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -840,8 +840,7 @@ def compute_connectivity_output_optimized(self): all_conns_opt = opt_conns.all_allowed_conns opt_peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) # add all relevant IpBlocks, used in connections - opt_peers_to_compare |= all_conns_opt.project_on_one_dimension('src_peers') | \ - all_conns_opt.project_on_one_dimension('dst_peers') + opt_peers_to_compare |= all_conns_opt.get_all_peers() if exclude_ipv6: # remove connections where any of src_peers or dst_peers contain automatically-added IPv6 blocks, # while keeping connections with IPv6 blocks directly referenced in policies @@ -864,7 +863,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, opt_peers_to_compare) + ExplTracker().set_connections_and_peers(expl_conns, all_conns_opt.get_all_peers()) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): @@ -934,7 +933,7 @@ def get_props_output_full(self, props, all_peers): whereas all other values should be filtered out in the output :rtype ([Union[str, dict], MinimizeFWRules]) """ - peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") + peers_to_compare = props.get_all_peers() if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) return dot_full, None @@ -997,7 +996,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): whereas all other values should be filtered out in the output :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) """ - peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") + peers_to_compare = props.get_all_peers() connectivity_tcp_str = 'TCP' connectivity_non_tcp_str = 'non-TCP' props_tcp, props_non_tcp = self.convert_props_to_split_by_tcp(props) @@ -1244,8 +1243,7 @@ def filter_conns_by_input_or_internal_constraints(self, conns1, conns2): :rtype: [ConnectivityProperties, ConnectivityProperties] :return: two resulting allowed connections """ - all_peers = conns1.project_on_one_dimension('src_peers') | conns1.project_on_one_dimension('dst_peers') | \ - conns2.project_on_one_dimension('src_peers') | conns2.project_on_one_dimension('dst_peers') + all_peers = conns1.get_all_peers() | conns2.get_all_peers() exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) conns_filter = ConnectivityProperties.make_all_props() From 0bb3094e7186302b091abfa8492c53d658535983 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 17:11:30 +0200 Subject: [PATCH 15/89] More refinements of peer grouping from properties Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index c4a8a81d9..48e7d466a 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -849,11 +849,14 @@ def compute_connectivity_output_optimized(self): "dst_peers": opt_peers_to_compare}) base_peers_num = len(opt_peers_to_compare) subset_peers = self.compute_subset(opt_peers_to_compare) + all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) all_conns_opt &= subset_conns + src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) + all_peers = src_peers | dst_peers all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) expl_conns = all_conns_opt if self.config.policies_container.layers.does_contain_istio_layers(): @@ -863,7 +866,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, all_conns_opt.get_all_peers()) + ExplTracker().set_connections_and_peers(expl_conns, all_peers) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): From 0df39388bf988654e611dbbadd57ccac443ec19f Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 31 Mar 2024 17:58:25 +0300 Subject: [PATCH 16/89] Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 6 +- nca/FWRules/MinimizeCsFWRulesOpt.py | 144 +++++++++++++++++++--------- 2 files changed, 102 insertions(+), 48 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index c5a28b98c..7e511b43b 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -387,8 +387,7 @@ def get_pod_str(self): """ :return: string for the field src_pods or dst_pods in representation for txt rule format """ - sorted_pods_names = ', '.join(sorted(self._get_pods_names().split(', '))) - return f'[{sorted_pods_names}]' + return f'[{self._get_pods_names()}]' def _get_pods_names(self): res = '' @@ -400,7 +399,8 @@ def _get_pods_names(self): unique_names.add(peer.owner_name) else: res += (', ' if res else '') + peer.name - return res + sorted_res = ', '.join(sorted(res.split(', '))) + return sorted_res def __str__(self): """ diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bcbaeb784..813c65902 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -30,7 +30,7 @@ def __init__(self, cluster_info, output_config): self.connections = ConnectionSet() self.peer_props_in_containing_connections = ConnectivityProperties() self.ns_set_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() + self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() self.results_info_per_option = dict() @@ -48,10 +48,10 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_props, class members used in computation of fw-rules: self.ns_set_pairs : pairs of sets of namespaces, grouped together - self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension - self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping - self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current - connection-set (but not necessarily only limited to current connection set) + self.base_elem_pairs: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension + self.peer_props_without_ns_expr: properties containing peers without possible ns/full IpBlock grouping + self.covered_peer_props: properties of all peer sets for which communication is allowed in current + or containing connection-set :return: minimized_fw_rules: a list of fw-rules (of type list[FWRule]) @@ -61,7 +61,7 @@ class members used in computation of fw-rules: self.connections = connections self.peer_props_in_containing_connections = peer_props_in_containing_connections self.ns_set_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() + self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() self.results_info_per_option = dict() @@ -79,7 +79,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_props to ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # partition peer_props to ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -87,8 +87,8 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ - computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + computation of peer sets with possible grouping by namespaces. + Results are at: ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr :return: None """ self._compute_covered_peer_props() @@ -97,28 +97,7 @@ def _compute_basic_namespace_grouping(self): if isinstance(src, Pod)) all_dst_ns_set = set(dst.namespace for dst in self.covered_peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) - # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs - src_ns_to_dst_ns = defaultdict(set) - for src_ns in all_src_ns_set: - for dst_ns in all_dst_ns_set: - ns_product_props = \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), - "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) - if ns_product_props.contained_in(self.covered_peer_props): - self.covered_peer_props -= ns_product_props - if ns_product_props & self.peer_props: - # ensure that the found ns-pair is at least partially included in the current connections' properties - # (rather than being wholly contained in containing connections' properties) - src_ns_to_dst_ns[src_ns].add(dst_ns) - else: - self.peer_props_without_ns_expr |= ns_product_props & self.peer_props - dst_ns_to_src_ns = defaultdict(set) - for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): - dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) - for dst_ns_set, src_ns_set in dst_ns_to_src_ns.items(): - self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) - - # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? + self._compute_full_ns_grouping(all_src_ns_set, all_dst_ns_set) src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") if isinstance(src, (IpBlock, HostEP, DNSEntry)))) dst_peers_without_ns = PeerSet(set(dst for dst in self.peer_props.project_on_one_dimension("dst_peers") @@ -128,10 +107,14 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props # compute pairs with src as pod/ip-block and dest as namespace - self._compute_peer_pairs_with_partial_ns_expr(all_dst_ns_set, False) + self._compute_partial_ns_grouping(all_dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod if self.peer_props_without_ns_expr: - self._compute_peer_pairs_with_partial_ns_expr(all_src_ns_set, True) + self._compute_partial_ns_grouping(all_src_ns_set, True) + if self.peer_props_without_ns_expr: + self._compute_full_ipblock_grouping(False) + if self.peer_props_without_ns_expr: + self._compute_full_ipblock_grouping(True) def _compute_covered_peer_props(self): """ @@ -147,16 +130,55 @@ def _compute_covered_peer_props(self): "dst_peers": PeerSet({pod})}) self.covered_peer_props = covered_peer_props - def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): + def _compute_full_ns_grouping(self, all_src_ns_set, all_dst_ns_set): + """ + Compute pairs of ns sets that are grouped together, according to peer_props, + while possibly borrowing from covered_peer_props. Put the result in self.ns_set_pairs. + :param all_src_ns_set: relevant ns set of src peers + :param all_dst_ns_set: relevant ns set of dst peers """ - computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + src_ns_to_dst_ns = defaultdict(set) + dst_ns_to_src_ns = defaultdict(set) + for src_ns in all_src_ns_set: + for dst_ns in all_dst_ns_set: + ns_product_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), + "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) + if ns_product_props.contained_in(self.covered_peer_props): + self.covered_peer_props -= ns_product_props + if ns_product_props & self.peer_props: + # ensure that the found ns-pair is at least partially included in the current connections' properties + # (rather than being wholly contained in containing connections' properties) + src_ns_to_dst_ns[src_ns].add(dst_ns) + dst_ns_to_src_ns[dst_ns].add(src_ns) + else: + self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + # Try src ns first or dst ns first, and choose the more compact grouping + final_src_ns_to_dst_ns = defaultdict(set) + final_dst_ns_to_src_ns = defaultdict(set) + for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): + final_dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) + for dst_ns, src_ns_set in dst_ns_to_src_ns.items(): + final_src_ns_to_dst_ns[frozenset(src_ns_set)].add(dst_ns) + if len(final_dst_ns_to_src_ns) <= len(final_src_ns_to_dst_ns): + for dst_ns_set, src_ns_set in final_dst_ns_to_src_ns.items(): + self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) + else: + for src_ns_set, dst_ns_set in final_src_ns_to_dst_ns.items(): + self.ns_set_pairs.add((src_ns_set, frozenset(dst_ns_set))) + + @staticmethod + def is_full_ipblock(ipblock): + return ipblock == IpBlock.get_all_ips_block() or ipblock == IpBlock.get_all_ips_block(True, False) \ + or ipblock == IpBlock.get_all_ips_block(False, True) + + def _compute_partial_ns_grouping(self, ns_set, is_src_ns): + """ + computes and updates self.base_elem_pairs with pairs where only one elem (src/dst) can be grouped to an entire namespace :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) :return: None """ - # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not - # in the grouping computation - dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, @@ -194,13 +216,45 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # in containing connections' properties) if self.peer_props_without_ns_expr & curr_covered_without_ip_block: self.peer_props_without_ns_expr -= curr_covered_without_ip_block - self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns + self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns else (other_dim_peers_without_ip_block, curr_ns_set)) if self.peer_props_without_ns_expr & curr_covered_ip_block: self.peer_props_without_ns_expr -= curr_covered_ip_block - self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns + self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) + def _compute_full_ipblock_grouping(self, is_src_ns): + """ + computes and updates self.base_elem_pairs with pairs where one elem (src/dst) + can be grouped to an entire IpBlock + :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as IpBlock (True) or dst (False) + :return: None + """ + + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + # We search for grouping by full IpBlock in self.covered_peer_props rather than in self.peer_props_without_ns_expr, + # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, + # based on whether we search for full src or dst IpBlock + props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + ipblock_to_peer_set = defaultdict(PeerSet) + for cube in props: + conn_cube = props.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + other_dim_peers = conn_cube[other_dim_name].canonical_form() + ipblock = dim_peers.get_ip_block_canonical_form() + if self.is_full_ipblock(ipblock): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ipblock.get_peer_set(), + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + ipblock_to_peer_set[ipblock] |= other_dim_peers + for curr_ipblock, other_dim_peers in ipblock_to_peer_set.items(): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ipblock.get_peer_set(), + other_dim_name: other_dim_peers}) + self.peer_props_without_ns_expr -= curr_covered + self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns + else (other_dim_peers, curr_ipblock.get_peer_set())) + def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ create a fw-rule from a fixed-elem and a set of namespaces @@ -231,7 +285,7 @@ def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) res.append(PodLabelsElement(pod_label_expr, ns_info, self.cluster_info)) if remaining_pods: - res.append(PeerSetElement(PeerSet(remaining_pods))) + res.append(PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments')) return res def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, @@ -262,7 +316,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se # TODO: should avoid having single pods remaining without labels grouping # (2) add rules for remaining single pods: if make_peer_sets and remaining_pods: - peer_set_elem = PeerSetElement(PeerSet(remaining_pods)) + peer_set_elem = PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments') if is_src_fixed: fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) else: @@ -316,7 +370,7 @@ def _create_fw_rules_from_peer_props_aux(self, peer_props): conn_cube = peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] - # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr + # whole peers sets were handled in self.ns_set_pairs and self.base_elem_pairs assert src_peers and dst_peers res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, self.cluster_info, self.output_config)) @@ -384,7 +438,7 @@ def _create_all_initial_fw_rules(self): initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) + self._create_initial_fw_rules_from_base_elements_list(self.base_elem_pairs)) return initial_fw_rules def _add_all_fw_rules(self): @@ -393,7 +447,7 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # create initial fw-rules from ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() self.minimized_fw_rules = initial_fw_rules return # Tanya: temp From 4db0e43a90a8c5b77744e28176ed11e9bda09c32 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 31 Mar 2024 18:06:52 +0300 Subject: [PATCH 17/89] Fixing lint errors. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 813c65902..cd2a70916 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -217,11 +217,11 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): if self.peer_props_without_ns_expr & curr_covered_without_ip_block: self.peer_props_without_ns_expr -= curr_covered_without_ip_block self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns - else (other_dim_peers_without_ip_block, curr_ns_set)) + else (other_dim_peers_without_ip_block, curr_ns_set)) if self.peer_props_without_ns_expr & curr_covered_ip_block: self.peer_props_without_ns_expr -= curr_covered_ip_block self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns - else (other_dim_peers_ip_block, curr_ns_set)) + else (other_dim_peers_ip_block, curr_ns_set)) def _compute_full_ipblock_grouping(self, is_src_ns): """ @@ -253,7 +253,7 @@ def _compute_full_ipblock_grouping(self, is_src_ns): other_dim_name: other_dim_peers}) self.peer_props_without_ns_expr -= curr_covered self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns - else (other_dim_peers, curr_ipblock.get_peer_set())) + else (other_dim_peers, curr_ipblock.get_peer_set())) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From 757a684ae65d69bc143c6d59ed99a14ed090b06e Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 10:39:28 +0300 Subject: [PATCH 18/89] Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya --- nca/CoreDS/Peer.py | 13 +++++++++++++ nca/FWRules/ConnectivityGraph.py | 8 +++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 4686f8f75..92cb50607 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -575,6 +575,19 @@ def canonical_form(self): # TODO: after moving to optimized HC implementation PeerSet may be always maintained in the canonical form return PeerSet(self.get_set_without_ip_block()) | self.get_ip_block_canonical_form().get_peer_set() + def split(self): + """ + Splits self's IpBlocks into multiple IpBlock objects, each containing a single range + Return the resulting PeerSet + """ + res = PeerSet() + for peer in self: + if isinstance(peer, IpBlock): + res |= peer.split() + else: + res.add(peer) + return res + def __eq__(self, other): # set comparison if self.get_set_without_ip_block() != other.get_set_without_ip_block(): diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 37f369539..7c3b66701 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,7 +6,7 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, PeerSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -60,8 +60,10 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container): """ conns, src_peers, dst_peers = \ MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) - for src_peer in src_peers: - for dst_peer in dst_peers: + split_src_peers = src_peers.split() + split_dst_peers = dst_peers.split() + for src_peer in split_src_peers: + for dst_peer in split_dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) def add_props_to_graph(self, props, peer_container): From 1efde22bd42445e96c25a78d33c93fecbbeecca4 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 10:41:21 +0300 Subject: [PATCH 19/89] Fixing lint error Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 7c3b66701..a568d4cad 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,7 +6,7 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, PeerSet +from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo From 86af435aa7a39b790a3b0e9de900d94e83be4d48 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 12:41:47 +0300 Subject: [PATCH 20/89] Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 22 +++++++++++++++++----- nca/NetworkConfig/NetworkConfigQuery.py | 4 ++-- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index a568d4cad..fe9b5dc3a 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -7,6 +7,7 @@ from collections import defaultdict import networkx from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.ProtocolSet import ProtocolSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -51,29 +52,40 @@ def add_edges(self, connections): """ self.connections_to_peers.update(connections) - def add_edges_from_cube_dict(self, conn_cube, peer_container): + def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the give cube :param ConnectivityCube conn_cube: the given cube whereas all other values should be filtered out in the output - :param PeerContainer peer_container: the peer container + :param PeerContainer peer_container: the peer container + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP, or not """ + + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) split_src_peers = src_peers.split() split_dst_peers = dst_peers.split() for src_peer in split_src_peers: for dst_peer in split_dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) - def add_props_to_graph(self, props, peer_container): + def add_props_to_graph(self, props, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the given connectivity properties :param ConnectivityProperties props: the given connectivity properties :param PeerContainer peer_container: the peer container + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP, or not + """ for cube in props: - self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container) + self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container, connectivity_restriction) def _get_peer_details(self, peer, format_requirement=False): """ diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 48e7d466a..13d95bc09 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1077,7 +1077,7 @@ def dot_format_from_props(self, props, peers, connectivity_restriction=None): :return the connectivity map in dot-format, considering connectivity_restriction if required """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_props_to_graph(props, self.config.peer_container) + conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) return conn_graph.get_connectivity_dot_format_str(connectivity_restriction) def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restriction=None): @@ -1090,7 +1090,7 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti :return the connectivity map in txt_no_fw_rules format, considering connectivity_restriction if required """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_props_to_graph(props, self.config.peer_container) + conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): From 8bd2944752a59e616c265d9f5d363d3f7c8934ec Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 18:14:13 +0300 Subject: [PATCH 21/89] Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 13d95bc09..6a2896c5a 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1013,7 +1013,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): txt_no_fw_rules_tcp = self.txt_no_fw_rules_format_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) txt_no_fw_rules_non_tcp = self.txt_no_fw_rules_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) - res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp + res_str = txt_no_fw_rules_tcp + '\n\n' + txt_no_fw_rules_non_tcp return res_str, None, None # handle formats other than dot and txt_no_fw_rules formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) @@ -1091,7 +1091,7 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) + return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:") def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): """ From 0bd08c3c37ec280bff898b17b50816a3d63e5990 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 18:28:33 +0300 Subject: [PATCH 22/89] Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 6a2896c5a..60c4ce3e1 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1091,7 +1091,8 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:") + return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:" + if connectivity_restriction else None) def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): """ From b01e93de7de63f934d15b6d256797be6ef4366c2 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 7 Apr 2024 12:23:26 +0300 Subject: [PATCH 23/89] Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya --- nca/CoreDS/Peer.py | 6 +++++ nca/FWRules/MinimizeCsFWRulesOpt.py | 41 ++++++++++++++++++++--------- 2 files changed, 35 insertions(+), 12 deletions(-) diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 92cb50607..40b1efce3 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -680,6 +680,12 @@ def get_set_without_ip_block_or_dns_entry(self): """ return set(elem for elem in self if not isinstance(elem, (IpBlock, DNSEntry))) + def get_dns_entries(self): + """ + :return: a set with all elements from self which are DNSEntries + """ + return set(elem for elem in self if isinstance(elem, DNSEntry)) + def get_ip_block_canonical_form(self): """ :return: IpBlock element in canonical form for all elements from self which are IpBlock diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index cd2a70916..7a0426e63 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -112,9 +112,9 @@ def _compute_basic_namespace_grouping(self): if self.peer_props_without_ns_expr: self._compute_partial_ns_grouping(all_src_ns_set, True) if self.peer_props_without_ns_expr: - self._compute_full_ipblock_grouping(False) + self._compute_full_ipblock_and_dns_grouping(False) if self.peer_props_without_ns_expr: - self._compute_full_ipblock_grouping(True) + self._compute_full_ipblock_and_dns_grouping(True) def _compute_covered_peer_props(self): """ @@ -223,7 +223,7 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) - def _compute_full_ipblock_grouping(self, is_src_ns): + def _compute_full_ipblock_and_dns_grouping(self, is_src_ns): """ computes and updates self.base_elem_pairs with pairs where one elem (src/dst) can be grouped to an entire IpBlock @@ -237,23 +237,40 @@ def _compute_full_ipblock_grouping(self, is_src_ns): # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, # based on whether we search for full src or dst IpBlock props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props - ipblock_to_peer_set = defaultdict(PeerSet) + ipblock_dnsentry_to_peer_set = defaultdict(PeerSet) for cube in props: conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() ipblock = dim_peers.get_ip_block_canonical_form() if self.is_full_ipblock(ipblock): - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ipblock.get_peer_set(), - other_dim_name: other_dim_peers}) - if curr_covered & self.peer_props_without_ns_expr: - ipblock_to_peer_set[ipblock] |= other_dim_peers - for curr_ipblock, other_dim_peers in ipblock_to_peer_set.items(): - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ipblock.get_peer_set(), + self._add_to_map_if_covered(dim_name, ipblock.get_peer_set(), other_dim_name, other_dim_peers, + ipblock_dnsentry_to_peer_set) + dns_entries = dim_peers.get_dns_entries() + if dns_entries: + self._add_to_map_if_covered(dim_name, dns_entries, other_dim_name, other_dim_peers, + ipblock_dnsentry_to_peer_set) + for curr_peers, other_dim_peers in ipblock_dnsentry_to_peer_set.items(): + curr_peers = PeerSet(set(curr_peers)) # peel off the frozenset + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_peers, other_dim_name: other_dim_peers}) self.peer_props_without_ns_expr -= curr_covered - self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns - else (other_dim_peers, curr_ipblock.get_peer_set())) + self.base_elem_pairs.add((curr_peers, other_dim_peers) if is_src_ns else (other_dim_peers, curr_peers)) + + def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_peers, peers_to_peers_map): + """ + An auxiliary method that checks whether the product of dim_peers and other_dim_peers is covered + by self.peer_props_without_ns_expr, and adds the peer sets to peers_to_peers_map if True. + :param str dim_name: the first dimension name + :param PeerSet dim_peers: a set of peers for the first dimension + :param str other_dim_name: the second dimension name + :param PeerSet other_dim_peers: a set of peers for the second dimension + :param dict peer_to_peer_map: the map from first dimention peers to second dimention peers + """ + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: dim_peers, + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + peers_to_peers_map[frozenset(dim_peers)] |= other_dim_peers def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From 316dee18620a0192ac020b3547964b398c655e25 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 12:29:43 +0300 Subject: [PATCH 24/89] Changed expected results of connectivity map query tests according to optimized runs Signed-off-by: Tanya --- ...obal-interferes-local-print-all-pairs.json | 430 +--- ...lobal-interferes-local-print-all-pairs.txt | 74 +- ...obal-interferes-local-print-all-pairs.yaml | 302 +-- ...and-sub-deny-not-equiv-all-peer-pairs.json | 144 +- ...-and-sub-deny-not-equiv-all-peer-pairs.txt | 25 +- ...and-sub-deny-not-equiv-all-peer-pairs.yaml | 101 +- ...stcase15_with_ingress_connectivity_map.txt | 57 +- .../testcase16-scheme_output.txt | 2 +- .../testcase18_connectivity_map.txt | 19 +- ...-connectivity_map_with_labels_to_apply.txt | 4 +- ...tcase19-deny-all-profiles-connectivity.txt | 9 +- ...-1-k8s-calico-istio-2_connectivity_map.txt | 5 +- ...alico-istio-ingress-2_connectivity_map.txt | 4 - ...-calico-istio-ingress_connectivity_map.txt | 4 - ...ig-1-k8s-calico-istio_connectivity_map.txt | 4 - ...g-1-k8s-istio-ingress_connectivity_map.txt | 13 +- .../livesim_test_all_txt.txt | 7 +- ...lico-testcase20-Eran_gnps_query_output.txt | 121 +- ...ico-testcase20-Eran_gnps_query_output.yaml | 1844 +---------------- ...e20-np_2_all_outbound_hep_query_output.txt | 5 +- ...20-np_2_all_outbound_hep_query_output.yaml | 21 - ...-np_3_outbound_hep_to_wep_query_output.txt | 5 +- ...np_3_outbound_hep_to_wep_query_output.yaml | 21 - ...und_all_namespaceSelector_query_output.txt | 5 +- ...nd_all_namespaceSelector_query_output.yaml | 21 - .../cyclonus-simple-example-scheme_output.txt | 2 +- ...cyclonus-simple-example-scheme_output.yaml | 14 +- .../istio-test1-scheme_query1_output.txt | 2 +- .../istio-test1-scheme_query1_output.yaml | 2 +- .../istio-test1-scheme_query2_output.txt | 3 +- .../istio-test1-scheme_query2_output.yaml | 10 - .../expected_output/poc1-scheme_output.csv | 4 +- .../expected_output/poc1-scheme_output.dot | 30 +- .../expected_output/poc1-scheme_output.md | 4 +- .../expected_output/poc1-scheme_output.txt | 4 +- .../expected_output/poc1-scheme_output.yaml | 8 +- .../expected_output/poc2-scheme_output.txt | 4 +- .../expected_output/poc2-scheme_output.yaml | 8 +- .../expected_output/poc3-scheme_output.txt | 4 +- .../expected_output/poc3-scheme_output.yaml | 8 +- ...4_scheme_connectivity_map_query_output.txt | 4 +- ..._scheme_connectivity_map_query_output.yaml | 8 +- ...loyment_fullname_and_global_subset_dot.dot | 8 - ...lobal_subset_endpoints_deployments_dot.dot | 8 - .../subset_deployment_fullname_subset_dot.dot | 1 - ...lname_subset_endpoints_deployments_dot.dot | 1 - .../expected_output/subset_labels2_dot.dot | 1 - ...bset_labels2_endpoints_deployments_dot.dot | 1 - .../expected_output/subset_labels3_dot.dot | 7 - ...bset_labels3_endpoints_deployments_dot.dot | 7 - .../expected_output/subset_labels6_dot.dot | 7 - ...bset_labels6_endpoints_deployments_dot.dot | 7 - .../expected_output/subset_no_subset_dot.dot | 3 - ...et_no_subset_endpoints_deployments_dot.dot | 3 - .../expected_output/test1-scheme_output.txt | 4 +- .../expected_output/test1-scheme_output.yaml | 12 +- .../expected_output/test13-scheme_output.txt | 4 +- .../expected_output/test13-scheme_output.yaml | 4 +- .../expected_output/test14-scheme_output.txt | 4 +- .../expected_output/test14-scheme_output.yaml | 4 +- .../expected_output/test16-scheme_output.txt | 5 +- .../expected_output/test16-scheme_output.yaml | 37 +- .../expected_output/test18-scheme_output.txt | 3 +- .../expected_output/test18-scheme_output.yaml | 9 +- .../expected_output/test2-scheme_output.txt | 4 +- .../expected_output/test2-scheme_output.yaml | 4 +- .../expected_output/test24-scheme_output.txt | 2 +- .../expected_output/test24-scheme_output.yaml | 2 +- ...me_connectivity_map_by_deployments_dot.dot | 2 - ...25-scheme_connectivity_map_by_pods_csv.csv | 3 +- ...25-scheme_connectivity_map_by_pods_dot.dot | 2 - ...25-scheme_connectivity_map_by_pods_txt.txt | 3 +- ...-scheme_connectivity_map_by_pods_yaml.yaml | 12 +- .../online_boutique/connectivity-scheme.yaml | 34 +- ...boutique_multi_layer_from_live_cluster.txt | 2 +- .../sidecars-disable-egress-scheme.yaml | 3 +- ...est-connectivity-map-missing-resources.dot | 53 +- ...-and-k8s-ingress-test-connectivity-map.dot | 54 +- ...est-connectivity-map-missing-resources.dot | 29 +- ...ex-istio-ingress-test-connectivity-map.dot | 29 +- ...est-connectivity-map-missing-resources.dot | 26 +- ...-k8s-ingress-all-test-connectivity-map.dot | 26 +- ..._adding_default_sidecar_after_specific.txt | 2 +- ...nectivity_map_bookinfo_default_sidecar.txt | 6 +- ...ap_bookinfo_multiple_sidecar_overrides.txt | 2 +- ...ific_sidecar_overrides_default_sidecar.txt | 3 +- ...rent_sidecars_override_default_sidecar.txt | 2 +- ...boutique_resources_with_istio_gateways.txt | 1 - ...utique_frontend_sidecar_disable_egress.txt | 1 - ...host_name_contains_service_entry_hosts.txt | 1 - ...ar_host_name_does_not_contain_se_hosts.txt | 1 - ...ly_istio_ingress_test_connectivity_map.txt | 11 +- .../istio_egress_test_connectivity_map.txt | 1 - .../istio_ingress_test_connectivity_map.txt | 3 +- .../new_online_boutique_connectivity_map.txt | 3 +- ...ne_boutique_synth_res_connectivity_map.txt | 4 +- ...ars-and-gateways-test-connectivity-map.txt | 1 - .../ipblocktest-conn-graph-no-fw-rules.txt | 178 +- .../k8s_ingress_test_connectivity_map.txt | 3 +- .../new_online_boutique_connectivity_map.txt | 4 +- ...outique_synthesis_res_connectivity_map.txt | 4 +- ...outique_synthesis_res_connectivity_map.txt | 4 +- 102 files changed, 431 insertions(+), 3600 deletions(-) diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json index 16f265dcd..6918997f7 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json @@ -12,434 +12,14 @@ "description": "Allowed connections from local_np which are extended in global_np", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "kube-system/calico-node-mgdlr", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "Protocol: TCP", "conns_config2": "No connections" }, { - "src": "default/cog-agents-d54st", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", + "src": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conns_config1": "All connections", "conns_config2": "No connections" } @@ -447,4 +27,4 @@ } ] } -] \ No newline at end of file +] diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt index b65db10c0..9fe82f7e6 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt @@ -1,74 +1,4 @@ global_np interferes with local_np Allowed connections from local_np which are extended in global_np: -src: default/cog-agents-d54st, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication using protocol TCP while local_np does not. +src: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], description: global_np allows all connections while local_np does not. diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml index f63f2ebda..7dca5f580 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml @@ -7,291 +7,21 @@ explanation: - description: Allowed connections from local_np which are extended in global_np connections: - - src: default/cog-agents-d54st - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' + conns_config1: 'Protocol: TCP' + conns_config2: No connections + - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conns_config1: All connections conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json index 6aca12634..5a01ea44b 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json @@ -12,146 +12,8 @@ "description": "Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst", "connections": [ { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/vpn-858f6d9777-2bw5m", + "src": "['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "Protocol: TCP", "conns_config2": "No connections" } @@ -159,4 +21,4 @@ } ] } -] \ No newline at end of file +] diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt index b6b2f3b2d..ce3a46ba8 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt @@ -1,26 +1,3 @@ np_SupsetAllowFirst and np_SubsetDenyFirst are not semantically equivalent. Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst: -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-57ghx, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-57ghx, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. +src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml index 1c1718406..c6f78cb50 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml @@ -9,99 +9,12 @@ - description: Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst connections: - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/vpn-858f6d9777-2bw5m + - src: '[''kube-system/file-plugin-7bfb8b69bf-p86gk'', ''kube-system/keepalived-watcher-57ghx'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' conns_config1: 'Protocol: TCP' conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt index 1cf884728..ef33ae76f 100644 --- a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt @@ -1,50 +1,14 @@ final fw rules for query: connectivity_map, config: ip: -src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: ::/0 conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: TCP {'dst_ports': '80', 'hosts': 'first.bar.com', 'paths': '/abc/def(/*)?'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: TCP {'dst_ports': '80', 'hosts': 'second.bar.com', 'paths': '(/xyz(/*)?)-(/xyz)'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst: 0.0.0.0/0,::/0 conn: All connections +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: global-simple: src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: TCP 200-250 @@ -65,15 +29,4 @@ src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube- final fw rules for query: connectivity_map, config: global-not-simple-with-ingress: src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [calico-node] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-fluentd] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 diff --git a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt index 554889130..d1e1d5d0e 100644 --- a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt +++ b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt @@ -4,4 +4,4 @@ src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connectio src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 64.0.0.0-255.255.255.255 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: TCP diff --git a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt index 379dd8351..fb613ac88 100644 --- a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt @@ -1,17 +1,12 @@ final fw rules for query: connectivity_map, config: np-pod-based-policies: -src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: ::/0 conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: np-ports-based: -src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: ::/0 conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: TCP -src_ns: [kube-system] src_pods: [*] dst: ::/0 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: TCP src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP diff --git a/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt b/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt index 94f0bdcb2..1ae6eb841 100644 --- a/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt +++ b/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map_with_labels_to_apply, config: np9-cnc-fe-between-namespaces-with-label-to-apply: src: 0.0.0.0/0 dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections src_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections -src_ns: [acc-research,operia-benchmark] src_pods: [*] dst_ns: [cnc-fe] dst_pods: [*] conn: All connections +src_ns: [acc-research,operia-benchmark] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-fe,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections +src_ns: [blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,vtngc-data] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt b/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt index c20904b9b..f8bf44069 100644 --- a/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt +++ b/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt @@ -1,9 +1,2 @@ final fw rules for query: deny-all-profiles-connectivity, config: deny-all-profiles: -src_ns: [acc-research] src_pods: [*] dst_ns: [acc-research] dst_pods: [*] conn: All connections -src_ns: [blue-umbrella] src_pods: [*] dst_ns: [blue-umbrella] dst_pods: [*] conn: All connections -src_ns: [cap-unauth] src_pods: [*] dst_ns: [cap-unauth] dst_pods: [*] conn: All connections -src_ns: [chaos-testing] src_pods: [*] dst_ns: [chaos-testing] dst_pods: [*] conn: All connections -src_ns: [cnc-pdf-tool] src_pods: [*] dst_ns: [cnc-pdf-tool] dst_pods: [*] conn: All connections -src_ns: [ctighs-va] src_pods: [*] dst_ns: [ctighs-va] dst_pods: [*] conn: All connections -src_ns: [ctighs] src_pods: [*] dst_ns: [ctighs] dst_pods: [*] conn: All connections -src_ns: [operia-benchmark] src_pods: [*] dst_ns: [operia-benchmark] dst_pods: [*] conn: All connections + diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt index 596813bc0..20007690b 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt @@ -1,8 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections + diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt index 0d5a656e5..239f0fbb8 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt @@ -2,10 +2,6 @@ For connections of type TCP, final fw rules for query: connectivity-6, config: t src: 0.0.0.0/0 dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt index 5fbd16f71..6037c6402 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt @@ -1,9 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt index 19b8e1418..64cdc6ddf 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt @@ -1,9 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt index 6f31cfe4f..56236fbd2 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt @@ -2,23 +2,20 @@ For connections of type TCP, final fw rules for query: connectivity-2, config: t src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=productpage] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1-b6994bb9] conn: All connections -src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [app=reviews] conn: All connections +src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections +src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app!=ratings] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app=reviews] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: All connections -src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections +src_ns: [istio-system] src_pods: [*] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-2, config: testcase26-config-1-k8s-istio-ingress: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (productpage,ratings)] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [app!=ratings] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [default,istio-system] dst_pods: [*] conn: All connections +src_ns: [istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index f65c0a624..f5fafd8a5 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -3,13 +3,11 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns] dst_pods: [*] conn: All connections src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'} -src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: , config: **: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections @@ -17,7 +15,6 @@ src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns,istio-system,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns] dst_pods: [*] conn: All connections src_ns: [istio-system,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [istio-system,kube-system] dst_pods: [*] conn: All connections +src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt index 30dbdeb7e..a23a77456 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt @@ -1,124 +1,7 @@ final fw rules for query: Eran_gnps, config: Eran_gnps: -src: 0.0.0.0-5.10.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src: 119.81.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 119.81.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 119.81.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 119.81.140.0-130.198.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 130.198.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 130.198.120.0-158.85.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 158.85.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 158.85.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 158.85.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 158.85.120.0-159.8.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.120.0-159.122.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.140.0-159.253.155.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.253.156.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.253.157.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.253.158.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.253.160.0-161.202.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.120.0-159.8.195.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.196.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.197.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.198.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.200.0-159.122.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 161.202.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 161.202.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 161.202.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 161.202.120.0-168.1.15.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.120.0-169.38.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.16.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.17.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.18.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.20.0-168.1.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.38.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.38.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.38.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.38.120.0-169.45.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.45.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.45.120.0-169.46.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.46.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.46.120.0-169.47.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.47.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.47.120.0-169.48.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.48.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.48.119.0-169.51.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.51.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.51.119.0-169.54.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.54.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.54.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.54.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.54.120.0-169.55.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.55.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.55.120.0-169.56.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.56.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.56.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.56.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.56.119.0-169.57.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.120.0-169.57.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.140.0-169.60.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.60.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.60.120.0-169.61.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.61.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.61.120.0-173.192.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.192.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.192.120.0-173.193.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.193.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.193.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.193.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.193.120.0-174.133.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 174.133.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 174.133.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 174.133.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 174.133.120.0-184.172.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 184.172.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 184.172.120.0-192.255.17.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 192.255.18.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 192.255.19.0-192.255.37.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 192.255.38.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 192.255.39.0-198.23.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 198.23.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 198.23.120.0-208.43.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 208.43.120.0-255.255.255.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 5.10.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 5.10.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 5.10.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 5.10.120.0-50.22.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.22.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.22.120.0-50.22.254.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.22.255.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.0.0-50.23.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.120.0-50.23.166.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.167.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.168.0-66.228.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 66.228.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 66.228.120.0-67.228.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 67.228.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 67.228.120.0-75.126.60.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 75.126.61.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 75.126.62.0-119.81.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src: 5.10.116.0/24,5.10.118.0/23,50.22.118.0/23,50.22.255.0/24,50.23.116.0/24,50.23.118.0/23,50.23.167.0/24,66.228.118.0/23,67.228.118.0/23,75.126.61.0/24,119.81.136.0/24,119.81.138.0/23,130.198.118.0/23,158.85.116.0/24,158.85.118.0/23,159.8.116.0/24,159.8.118.0/23,159.8.196.0/24,159.8.198.0/23,159.122.116.0/24,159.122.118.0/23,159.122.136.0/24,159.122.138.0/23,159.253.156.0/24,159.253.158.0/23,161.202.116.0/24,161.202.118.0/23,168.1.16.0/24,168.1.18.0/23,168.1.116.0/24,168.1.118.0/23,169.38.116.0/24,169.38.118.0/23,169.45.118.0/23,169.46.118.0/23,169.47.118.0/23,169.48.118.0/24,169.51.118.0/24,169.54.116.0/24,169.54.118.0/23,169.55.118.0/23,169.56.116.0/24,169.56.118.0/24,169.57.116.0/24,169.57.118.0/23,169.57.136.0/24,169.57.138.0/23,169.60.118.0/23,169.61.118.0/23,173.192.118.0/23,173.193.116.0/24,173.193.118.0/23,174.133.116.0/24,174.133.118.0/23,184.172.118.0/23,192.255.18.0/24,192.255.38.0/24,198.23.118.0/23,208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst: 0.0.0.0/0 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml index 841824d94..dc4306108 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml @@ -5,1829 +5,121 @@ explanation: - rules: - src_ip_block: - - 0.0.0.0/6 - - 4.0.0.0/8 - - 5.0.0.0/13 - - 5.10.0.0/18 - - 5.10.112.0/22 - - 5.10.64.0/19 - - 5.10.96.0/20 - - 5.8.0.0/15 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 119.81.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 119.128.0.0/9 - - 119.81.140.0/22 - - 119.81.144.0/20 - - 119.81.160.0/19 - - 119.81.192.0/18 - - 119.82.0.0/15 - - 119.84.0.0/14 - - 119.88.0.0/13 - - 119.96.0.0/11 - - 120.0.0.0/5 - - 128.0.0.0/7 - - 130.0.0.0/9 - - 130.128.0.0/10 - - 130.192.0.0/14 - - 130.196.0.0/15 - - 130.198.0.0/18 - - 130.198.112.0/22 - - 130.198.116.0/23 - - 130.198.64.0/19 - - 130.198.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 130.198.120.0/21 - - 130.198.128.0/17 - - 130.199.0.0/16 - - 130.200.0.0/13 - - 130.208.0.0/12 - - 130.224.0.0/11 - - 131.0.0.0/8 - - 132.0.0.0/6 - - 136.0.0.0/5 - - 144.0.0.0/5 - - 152.0.0.0/6 - - 156.0.0.0/7 - - 158.0.0.0/10 - - 158.64.0.0/12 - - 158.80.0.0/14 - - 158.84.0.0/16 - - 158.85.0.0/18 - - 158.85.112.0/22 - - 158.85.64.0/19 - - 158.85.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 158.85.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 158.128.0.0/9 - - 158.85.120.0/21 - - 158.85.128.0/17 - - 158.86.0.0/15 - - 158.88.0.0/13 - - 158.96.0.0/11 - - 159.0.0.0/13 - - 159.8.0.0/18 - - 159.8.112.0/22 - - 159.8.64.0/19 - - 159.8.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.120.0/21 - - 159.122.128.0/21 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.140.0/22 - - 159.122.144.0/20 - - 159.122.160.0/19 - - 159.122.192.0/18 - - 159.123.0.0/16 - - 159.124.0.0/14 - - 159.128.0.0/10 - - 159.192.0.0/11 - - 159.224.0.0/12 - - 159.240.0.0/13 - - 159.248.0.0/14 - - 159.252.0.0/16 - - 159.253.0.0/17 - - 159.253.128.0/20 - - 159.253.144.0/21 - - 159.253.152.0/22 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.253.157.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.253.160.0/19 - - 159.253.192.0/18 - - 159.254.0.0/15 - - 160.0.0.0/8 - - 161.0.0.0/9 - - 161.128.0.0/10 - - 161.192.0.0/13 - - 161.200.0.0/15 - - 161.202.0.0/18 - - 161.202.112.0/22 - - 161.202.64.0/19 - - 161.202.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.120.0/21 - - 159.8.128.0/18 - - 159.8.192.0/22 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.197.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.10.0.0/15 - - 159.112.0.0/13 - - 159.12.0.0/14 - - 159.120.0.0/15 - - 159.122.0.0/18 - - 159.122.112.0/22 - - 159.122.64.0/19 - - 159.122.96.0/20 - - 159.16.0.0/12 - - 159.32.0.0/11 - - 159.64.0.0/11 - - 159.8.200.0/21 - - 159.8.208.0/20 - - 159.8.224.0/19 - - 159.9.0.0/16 - - 159.96.0.0/12 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 161.202.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 161.202.120.0/21 - - 161.202.128.0/17 - - 161.203.0.0/16 - - 161.204.0.0/14 - - 161.208.0.0/12 - - 161.224.0.0/11 - - 162.0.0.0/7 - - 164.0.0.0/6 - - 168.0.0.0/16 - - 168.1.0.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.120.0/21 - - 168.1.128.0/17 - - 168.128.0.0/9 - - 168.16.0.0/12 - - 168.2.0.0/15 - - 168.32.0.0/11 - - 168.4.0.0/14 - - 168.64.0.0/10 - - 168.8.0.0/13 - - 169.0.0.0/11 - - 169.32.0.0/14 - - 169.36.0.0/15 - - 169.38.0.0/18 - - 169.38.112.0/22 - - 169.38.64.0/19 - - 169.38.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.17.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.112.0/22 - - 168.1.20.0/22 - - 168.1.24.0/21 - - 168.1.32.0/19 - - 168.1.64.0/19 - - 168.1.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.38.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.38.120.0/21 - - 169.38.128.0/17 - - 169.39.0.0/16 - - 169.40.0.0/14 - - 169.44.0.0/16 - - 169.45.0.0/18 - - 169.45.112.0/22 - - 169.45.116.0/23 - - 169.45.64.0/19 - - 169.45.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.45.120.0/21 - - 169.45.128.0/17 - - 169.46.0.0/18 - - 169.46.112.0/22 - - 169.46.116.0/23 - - 169.46.64.0/19 - - 169.46.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.46.120.0/21 - - 169.46.128.0/17 - - 169.47.0.0/18 - - 169.47.112.0/22 - - 169.47.116.0/23 - - 169.47.64.0/19 - - 169.47.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.47.120.0/21 - - 169.47.128.0/17 - - 169.48.0.0/18 - - 169.48.112.0/22 - - 169.48.116.0/23 - - 169.48.64.0/19 - - 169.48.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.48.119.0/24 - - 169.48.120.0/21 - - 169.48.128.0/17 - - 169.49.0.0/16 - - 169.50.0.0/16 - - 169.51.0.0/18 - - 169.51.112.0/22 - - 169.51.116.0/23 - - 169.51.64.0/19 - - 169.51.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.51.119.0/24 - - 169.51.120.0/21 - - 169.51.128.0/17 - - 169.52.0.0/15 - - 169.54.0.0/18 - - 169.54.112.0/22 - - 169.54.64.0/19 - - 169.54.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.54.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.54.120.0/21 - - 169.54.128.0/17 - - 169.55.0.0/18 - - 169.55.112.0/22 - - 169.55.116.0/23 - - 169.55.64.0/19 - - 169.55.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.55.120.0/21 - - 169.55.128.0/17 - - 169.56.0.0/18 - - 169.56.112.0/22 - - 169.56.64.0/19 - - 169.56.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.56.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.56.119.0/24 - - 169.56.120.0/21 - - 169.56.128.0/17 - - 169.57.0.0/18 - - 169.57.112.0/22 - - 169.57.64.0/19 - - 169.57.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.120.0/21 - - 169.57.128.0/21 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.140.0/22 - - 169.57.144.0/20 - - 169.57.160.0/19 - - 169.57.192.0/18 - - 169.58.0.0/15 - - 169.60.0.0/18 - - 169.60.112.0/22 - - 169.60.116.0/23 - - 169.60.64.0/19 - - 169.60.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.60.120.0/21 - - 169.60.128.0/17 - - 169.61.0.0/18 - - 169.61.112.0/22 - - 169.61.116.0/23 - - 169.61.64.0/19 - - 169.61.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.128.0.0/9 - - 169.61.120.0/21 - - 169.61.128.0/17 - - 169.62.0.0/15 - - 169.64.0.0/10 - - 170.0.0.0/7 - - 172.0.0.0/8 - - 173.0.0.0/9 - - 173.128.0.0/10 - - 173.192.0.0/18 - - 173.192.112.0/22 - - 173.192.116.0/23 - - 173.192.64.0/19 - - 173.192.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.192.120.0/21 - - 173.192.128.0/17 - - 173.193.0.0/18 - - 173.193.112.0/22 - - 173.193.64.0/19 - - 173.193.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.193.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.193.120.0/21 - - 173.193.128.0/17 - - 173.194.0.0/15 - - 173.196.0.0/14 - - 173.200.0.0/13 - - 173.208.0.0/12 - - 173.224.0.0/11 - - 174.0.0.0/9 - - 174.128.0.0/14 - - 174.132.0.0/16 - - 174.133.0.0/18 - - 174.133.112.0/22 - - 174.133.64.0/19 - - 174.133.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 174.133.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 174.133.120.0/21 - - 174.133.128.0/17 - - 174.134.0.0/15 - - 174.136.0.0/13 - - 174.144.0.0/12 - - 174.160.0.0/11 - - 174.192.0.0/10 - - 175.0.0.0/8 - - 176.0.0.0/5 - - 184.0.0.0/9 - - 184.128.0.0/11 - - 184.160.0.0/13 - - 184.168.0.0/14 - - 184.172.0.0/18 - - 184.172.112.0/22 - - 184.172.116.0/23 - - 184.172.64.0/19 - - 184.172.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 184.172.120.0/21 - - 184.172.128.0/17 - - 184.173.0.0/16 - - 184.174.0.0/15 - - 184.176.0.0/12 - - 184.192.0.0/10 - - 185.0.0.0/8 - - 186.0.0.0/7 - - 188.0.0.0/6 - - 192.0.0.0/9 - - 192.128.0.0/10 - - 192.192.0.0/11 - - 192.224.0.0/12 - - 192.240.0.0/13 - - 192.248.0.0/14 - - 192.252.0.0/15 - - 192.254.0.0/16 - - 192.255.0.0/20 - - 192.255.16.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 192.255.19.0/24 - - 192.255.20.0/22 - - 192.255.24.0/21 - - 192.255.32.0/22 - - 192.255.36.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 192.255.128.0/17 - - 192.255.39.0/24 - - 192.255.40.0/21 - - 192.255.48.0/20 - - 192.255.64.0/18 - - 193.0.0.0/8 - - 194.0.0.0/7 - - 196.0.0.0/7 - - 198.0.0.0/12 - - 198.16.0.0/14 - - 198.20.0.0/15 - - 198.22.0.0/16 - - 198.23.0.0/18 - - 198.23.112.0/22 - - 198.23.116.0/23 - - 198.23.64.0/19 - - 198.23.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 198.128.0.0/9 - - 198.23.120.0/21 - - 198.23.128.0/17 - - 198.24.0.0/13 - - 198.32.0.0/11 - - 198.64.0.0/10 - - 199.0.0.0/8 - - 200.0.0.0/5 - - 208.0.0.0/11 - - 208.32.0.0/13 - - 208.40.0.0/15 - - 208.42.0.0/16 - - 208.43.0.0/18 - - 208.43.112.0/22 - - 208.43.116.0/23 - - 208.43.64.0/19 - - 208.43.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 208.128.0.0/9 - - 208.43.120.0/21 - - 208.43.128.0/17 - - 208.44.0.0/14 - - 208.48.0.0/12 - - 208.64.0.0/10 - - 209.0.0.0/8 - - 210.0.0.0/7 - - 212.0.0.0/6 - - 216.0.0.0/5 - - 224.0.0.0/3 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 5.10.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 16.0.0.0/4 - - 32.0.0.0/4 - - 48.0.0.0/7 - - 5.10.120.0/21 - - 5.10.128.0/17 - - 5.11.0.0/16 - - 5.12.0.0/14 - - 5.128.0.0/9 - - 5.16.0.0/12 - - 5.32.0.0/11 - - 5.64.0.0/10 - - 50.0.0.0/12 - - 50.16.0.0/14 - - 50.20.0.0/15 - - 50.22.0.0/18 - - 50.22.112.0/22 - - 50.22.116.0/23 - - 50.22.64.0/19 - - 50.22.96.0/20 - - 6.0.0.0/7 - - 8.0.0.0/5 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.22.120.0/21 - - 50.22.128.0/18 - - 50.22.192.0/19 - - 50.22.224.0/20 - - 50.22.240.0/21 - - 50.22.248.0/22 - - 50.22.252.0/23 - - 50.22.254.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.0.0/18 - - 50.23.112.0/22 - - 50.23.64.0/19 - - 50.23.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.120.0/21 - - 50.23.128.0/19 - - 50.23.160.0/22 - - 50.23.164.0/23 - - 50.23.166.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.128.0.0/9 - - 50.23.168.0/21 - - 50.23.176.0/20 - - 50.23.192.0/18 - - 50.24.0.0/13 - - 50.32.0.0/11 - - 50.64.0.0/10 - - 51.0.0.0/8 - - 52.0.0.0/6 - - 56.0.0.0/5 - - 64.0.0.0/7 - - 66.0.0.0/9 - - 66.128.0.0/10 - - 66.192.0.0/11 - - 66.224.0.0/14 - - 66.228.0.0/18 - - 66.228.112.0/22 - - 66.228.116.0/23 - - 66.228.64.0/19 - - 66.228.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 66.228.120.0/21 - - 66.228.128.0/17 - - 66.229.0.0/16 - - 66.230.0.0/15 - - 66.232.0.0/13 - - 66.240.0.0/12 - - 67.0.0.0/9 - - 67.128.0.0/10 - - 67.192.0.0/11 - - 67.224.0.0/14 - - 67.228.0.0/18 - - 67.228.112.0/22 - - 67.228.116.0/23 - - 67.228.64.0/19 - - 67.228.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 67.228.120.0/21 - - 67.228.128.0/17 - - 67.229.0.0/16 - - 67.230.0.0/15 - - 67.232.0.0/13 - - 67.240.0.0/12 - - 68.0.0.0/6 - - 72.0.0.0/7 - - 74.0.0.0/8 - - 75.0.0.0/10 - - 75.112.0.0/13 - - 75.120.0.0/14 - - 75.124.0.0/15 - - 75.126.0.0/19 - - 75.126.32.0/20 - - 75.126.48.0/21 - - 75.126.56.0/22 - - 75.126.60.0/24 - - 75.64.0.0/11 - - 75.96.0.0/12 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 112.0.0.0/6 - - 116.0.0.0/7 - - 118.0.0.0/8 - - 119.0.0.0/10 - - 119.64.0.0/12 - - 119.80.0.0/16 - - 119.81.0.0/17 - - 119.81.128.0/21 - - 75.126.128.0/17 - - 75.126.62.0/23 - - 75.126.64.0/18 - - 75.127.0.0/16 - - 75.128.0.0/9 - - 76.0.0.0/6 - - 80.0.0.0/4 - - 96.0.0.0/4 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections - - src_ip_block: - - 119.81.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 119.81.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 130.198.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 158.85.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 158.85.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.253.156.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.253.158.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.196.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.198.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 161.202.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 161.202.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.16.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.18.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.38.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.38.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.45.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.46.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.47.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.48.118.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.51.118.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.54.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.54.118.0/23 + - 0.0.0.0/0 dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections - - src_ip_block: - - 169.55.118.0/23 - dst_ns: + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP + - src_ns: - None - dst_pods: + src_pods: - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.56.116.0/24 dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections - - src_ip_block: - - 169.56.118.0/24 + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP + - src_ns: + - kube-system + src_pods: + - '*' dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP - src_ip_block: - - 169.57.116.0/24 + - 0.0.0.0/0 dst_ns: - - None + - kube-system dst_pods: - - vendor.role=worker_public + - '*' connection: - All connections - src_ip_block: + - 119.81.136.0/24 + - 119.81.138.0/23 + - 130.198.118.0/23 + - 158.85.116.0/24 + - 158.85.118.0/23 + - 159.122.116.0/24 + - 159.122.118.0/23 + - 159.122.136.0/24 + - 159.122.138.0/23 + - 159.253.156.0/24 + - 159.253.158.0/23 + - 159.8.116.0/24 + - 159.8.118.0/23 + - 159.8.196.0/24 + - 159.8.198.0/23 + - 161.202.116.0/24 + - 161.202.118.0/23 + - 168.1.116.0/24 + - 168.1.118.0/23 + - 168.1.16.0/24 + - 168.1.18.0/23 + - 169.38.116.0/24 + - 169.38.118.0/23 + - 169.45.118.0/23 + - 169.46.118.0/23 + - 169.47.118.0/23 + - 169.48.118.0/24 + - 169.51.118.0/24 + - 169.54.116.0/24 + - 169.54.118.0/23 + - 169.55.118.0/23 + - 169.56.116.0/24 + - 169.56.118.0/24 + - 169.57.116.0/24 - 169.57.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.57.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.57.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.60.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.61.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.192.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.193.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.193.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 174.133.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 174.133.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 184.172.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 192.255.18.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 192.255.38.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 198.23.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 208.43.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 5.10.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 5.10.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.22.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.22.255.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.167.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 66.228.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 67.228.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 75.126.61.0/24 dst_ns: - None diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt index afb0a5ae6..4fd648692 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_2_all_outbound_hep, config: np_2_outbound_hep_all_ep: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml index 77b6cc464..93edbd3c0 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt index 891c3f19a..7a31de5fa 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_3_outbound_hep_to_wep, config: np_3_outbound_hep_to_wep: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml index d3792c4da..50fe35773 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt index cd6f2ebf2..839d7c5f2 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_4_outbound_all_namespaceSelector, config: np_4_outbound_all_namespaceSelector: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml index b2b6372e6..f7674a104 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt index 91e2dcc3c..285f7aae9 100644 --- a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: cyclonus-simple-example: src: 0.0.0.0/0 dst_ns: [y] dst_pods: [b] conn: All connections src: 0.0.0.0/24 dst_ns: [y] dst_pods: [c] conn: All connections -src_ns: [y] src_pods: [a] dst_ns: [y] dst_pods: [b] conn: All connections src_ns: [y] src_pods: [pod!=c] dst: 0.0.0.0/0 conn: All connections +src_ns: [y] src_pods: [pod!=c] dst_ns: [y] dst_pods: [b] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml index 5a56fce8e..47d5dfc8f 100644 --- a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml @@ -23,18 +23,18 @@ - src_ns: - y src_pods: - - a - dst_ns: - - y - dst_pods: - - b + - pod!=c + dst_ip_block: + - 0.0.0.0/0 connection: - All connections - src_ns: - y src_pods: - pod!=c - dst_ip_block: - - 0.0.0.0/0 + dst_ns: + - y + dst_pods: + - b connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt index 75198d391..9b3ca6bdf 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 26257 +src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: TCP 26257 src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml index 0f991aa23..cc5165a1d 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml @@ -9,7 +9,7 @@ dst_ns: - default dst_pods: - - app=skydive + - '*' connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt index 534455a61..be20d1830 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt @@ -1,6 +1,5 @@ For connections of type TCP, final fw rules for query: istio-policy2, config: istio-policy2: -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 -src: 2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 +src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: TCP 30,50 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml index 7494479f1..b07aea12c 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml @@ -6,16 +6,6 @@ - TCP_rules: - src_ip_block: - 1.2.3.0/24 - dst_ns: - - default - dst_pods: - - app=skydive - connection: - - Protocol: TCP - Ports: - - 30 - - 50 - - src_ip_block: - 2.2.2.2/32 dst_ns: - default diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv index 5f038f887..2a79d8ad9 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv @@ -1,8 +1,8 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_csv, config: poc1","","","","","", "","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","TCP 3550", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[shippingservice]","TCP 50051", -"","[default]","[checkoutservice]","[default]","[paymentservice]","TCP 50051", +"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","TCP 50051", +"","[default]","[frontend]","[default]","[shippingservice]","TCP 50051", "","[default]","[frontend]","[default]","[checkoutservice]","TCP 5050", "","[default]","[cartservice]","[default]","[redis-cart]","TCP 6379", "","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","TCP 7000", diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot index 90c2bbabc..18504f73a 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot @@ -6,18 +6,24 @@ digraph { subgraph cluster_map_explanation { dict_box [label=<
Connectivity legend
tcp3550 TCP 3550
tcp50051 TCP 50051
tcp5050 TCP 5050
tcp6379 TCP 6379
tcp7000 TCP 7000
tcp7070 TCP 7070
tcp8080 TCP 8080
tcp9555 TCP 9555
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] - "default/adservice(Deployment)" [label=<
default/adservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/cartservice(Deployment)" [label=<
default/cartservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/checkoutservice(Deployment)" [label=<
default/checkoutservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/currencyservice(Deployment)" [label=<
default/currencyservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/emailservice(Deployment)" [label=<
default/emailservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/frontend(Deployment)" [label=<
default/frontend(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/loadgenerator(Deployment)" [label=<
default/loadgenerator(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/paymentservice(Deployment)" [label=<
default/paymentservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/productcatalogservice(Deployment)" [label=<
default/productcatalogservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/recommendationservice(Deployment)" [label=<
default/recommendationservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/redis-cart(Deployment)" [label=<
default/redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/shippingservice(Deployment)" [label=<
default/shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] +subgraph cluster_default_namespace{ + label="default" + fontsize=20 + fontcolor=blue + tooltip="Namespace" + "default/adservice(Deployment)" [label=<
adservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/cartservice(Deployment)" [label=<
cartservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/checkoutservice(Deployment)" [label=<
checkoutservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/currencyservice(Deployment)" [label=<
currencyservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/emailservice(Deployment)" [label=<
emailservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/frontend(Deployment)" [label=<
frontend(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/loadgenerator(Deployment)" [label=<
loadgenerator(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/paymentservice(Deployment)" [label=<
paymentservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/productcatalogservice(Deployment)" [label=<
productcatalogservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/recommendationservice(Deployment)" [label=<
recommendationservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/redis-cart(Deployment)" [label=<
redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/shippingservice(Deployment)" [label=<
shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] +} "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="TCP 6379" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md index 0a30780ef..c8df5ef6b 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md @@ -2,8 +2,8 @@ |---|---|---|---|---|---| |connectivity_map_md, config: poc1|||||| ||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|TCP 3550| -||[default]|[app in (checkoutservice,frontend)]|[default]|[shippingservice]|TCP 50051| -||[default]|[checkoutservice]|[default]|[paymentservice]|TCP 50051| +||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|TCP 50051| +||[default]|[frontend]|[default]|[shippingservice]|TCP 50051| ||[default]|[frontend]|[default]|[checkoutservice]|TCP 5050| ||[default]|[cartservice]|[default]|[redis-cart]|TCP 6379| ||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|TCP 7000| diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt index ec60d2067..39806a076 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt @@ -2,12 +2,12 @@ final fw rules for query: connectivity_map, config: poc1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml index 1172f890e..0c4af1724 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt index 8147ff7fc..565a70e26 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml index bf8ba580b..90c958705 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt index f4e18a56b..fc3189565 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt @@ -3,13 +3,13 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml index 1ea54f5f0..99327d1ff 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt index 67f82c94f..c70ca8299 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23,8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml index 8577c70ea..8f7438933 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml @@ -32,11 +32,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -44,11 +44,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot index 3b0127ed0..e71488c49 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/deployment-E-1" [label=<
deployment-E-1
deployment-E-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] - "default/deployment-Eb-1" [label=<
deployment-Eb-1
deployment-Eb-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } subgraph cluster_ns1_namespace{ label="ns1" @@ -18,13 +17,6 @@ subgraph cluster_ns1_namespace{ fontcolor=blue tooltip="Namespace" "ns1/deployment-A-1" [label=<
deployment-A-1
deployment-A-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } "ns1/deployment-A-1" -> "default/deployment-E-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot index 5e1ba84aa..194240eb6 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/deployment-E(Deployment)" [label=<
deployment-E(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/deployment-Eb(Deployment)" [label=<
deployment-Eb(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" @@ -18,13 +17,6 @@ subgraph cluster_ns1_namespace{ fontcolor=blue tooltip="Namespace" "ns1/deployment-A(Deployment)" [label=<
deployment-A(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } "ns1/deployment-A(Deployment)" -> "default/deployment-E(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot index bdcf681e7..7accdda89 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot @@ -25,7 +25,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/deployment-C-1" [label=<
deployment-C-1
deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } "ns1/deployment-A-1" -> "default/deployment-E-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ns1/deployment-B-1" -> "ns1/deployment-A-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot index 9e8133aef..0c5fbd210 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot @@ -25,7 +25,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/deployment-C(Deployment)" [label=<
deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } "ns1/deployment-A(Deployment)" -> "default/deployment-E(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ns1/deployment-B(Deployment)" -> "ns1/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot index c82720200..c296dd79f 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/Pod4" [label=<
Pod4
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5" [label=<
Pod5
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot index 0735527f4..279244399 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/Pod4(Pod)" [label=<
Pod4(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5(Pod)" [label=<
Pod5(Pod)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot index 1dc0b2176..f5fd0c092 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot @@ -21,13 +21,6 @@ subgraph cluster_ns1_namespace{ "ns1/deployment-A-1" [label=<
deployment-A-1
deployment-A-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns1/deployment-B-1" [label=<
deployment-B-1
deployment-B-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} subgraph cluster_ns3_namespace{ label="ns3" fontsize=20 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot index 0c38d745f..d81da5bec 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot @@ -21,13 +21,6 @@ subgraph cluster_ns1_namespace{ "ns1/deployment-A(Deployment)" [label=<
deployment-A(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "ns1/deployment-B(Deployment)" [label=<
deployment-B(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} subgraph cluster_ns3_namespace{ label="ns3" fontsize=20 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot index 0183148ae..aeb594797 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot @@ -4,13 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot index dd8065172..d87698526 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot @@ -4,13 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot index aa5feb87f..f4cde674c 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot @@ -4,7 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 @@ -12,7 +11,6 @@ subgraph cluster_default_namespace{ tooltip="Namespace" "default/Pod1" [label=<
Pod1
> shape=box fontcolor=blue tooltip="Workload"] "default/Pod4" [label=<
Pod4
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5" [label=<
Pod5
deployment-Eb-1
deployment-Eb-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/deployment-E-1" [label=<
deployment-E-1
deployment-E-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } subgraph cluster_ns1_namespace{ @@ -30,7 +28,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/Pod3" [label=<
Pod3
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/Pod6" [label=<
Pod6
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-C-1" [label=<
deployment-C-1
deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-D-1" [label=<
deployment-D-1
deployment-D-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } diff --git a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot index 53f31ef93..57c6dd0a7 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot @@ -4,7 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 @@ -12,7 +11,6 @@ subgraph cluster_default_namespace{ tooltip="Namespace" "default/Pod1(Pod)" [label=<
Pod1(Pod)
> shape=box fontcolor=blue tooltip="Workload"] "default/Pod4(Pod)" [label=<
Pod4(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5(Pod)" [label=<
Pod5(Pod)
deployment-Eb(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/deployment-E(Deployment)" [label=<
deployment-E(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ @@ -30,7 +28,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/Pod3(Pod)" [label=<
Pod3(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/Pod6(Pod)" [label=<
Pod6(Pod)
deployment-F(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-C(Deployment)" [label=<
deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "ns2/deployment-D(Deployment)" [label=<
deployment-D(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt index 47ab7b0a6..100c7b3f8 100644 --- a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np1: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml index c53adf7ec..3fb84324e 100644 --- a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml @@ -27,25 +27,27 @@ - All connections - src_ns: - default - - ibm-system-new - - kube-system-new - - kube-system-new-dummy-to-ignore src_pods: - '*' dst_ns: - default - ibm-system-new + - kube-system-new - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: - All connections - src_ns: - - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore src_pods: - '*' dst_ns: - - kube-system-new + - default + - ibm-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt index 449596add..3382143a9 100644 --- a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np13: src: 0.0.0.0/0 dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml index 146b92586..40cb83e91 100644 --- a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml @@ -27,7 +27,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -46,6 +45,9 @@ - '*' dst_ns: - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt index 634477134..06ad08aec 100644 --- a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np14: src: 0.0.0.0/0 dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml index 398327826..70fe2e3ab 100644 --- a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml @@ -27,7 +27,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -46,6 +45,9 @@ - '*' dst_ns: - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt index e03e6962e..5e80c5363 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt @@ -1,10 +1,7 @@ final fw rules for query: connectivity_map, config: np16: -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: UDP 53 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml index e9da05bbb..a519885ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml @@ -6,16 +6,6 @@ - rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -23,32 +13,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -56,10 +26,13 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system-new dst_pods: - - tier=frontend + - '*' connection: - Protocol: UDP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt index 1d2359fd9..cbae5155f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt @@ -2,5 +2,4 @@ final fw rules for query: connectivity_map, config: np18: src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: All connections src_ns: [kube-system-new] src_pods: [!has(tier) or tier=not_frontend_for_demo] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system-new] src_pods: [!has(tier) or tier=not_frontend_for_demo] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections -src_ns: [kube-system-new] src_pods: [tier=frontend] dst: 49.50.0.0/32 conn: All connections -src_ns: [kube-system-new] src_pods: [tier=frontend] dst: 49.50.0.2/32 conn: All connections +src_ns: [kube-system-new] src_pods: [*] dst: 49.50.0.0/32,49.50.0.2/32 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml index 793fadf25..1db41f134 100644 --- a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml @@ -33,16 +33,9 @@ - src_ns: - kube-system-new src_pods: - - tier=frontend + - '*' dst_ip_block: - 49.50.0.0/32 - connection: - - All connections - - src_ns: - - kube-system-new - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.2/32 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt index f1a8460bd..cf494a6c4 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt @@ -2,6 +2,6 @@ final fw rules for query: connectivity_map, config: np2: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml index d3583d093..74f3eef95 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml @@ -57,7 +57,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -75,7 +74,10 @@ src_pods: - '*' dst_ns: + - default + - ibm-system-new - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt index 3060bd316..557aa0788 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt @@ -1,3 +1,3 @@ final fw rules for query: connectivity_map, config: np24: -src_ns: [default] src_pods: [common=M] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 +src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml index 2a1c2056f..e56cae2fb 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml @@ -7,7 +7,7 @@ - src_ns: - default src_pods: - - common=M + - test in (A,B) dst_ns: - default dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot index 0d1328b7e..8b26b004e 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot @@ -4,13 +4,11 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 fontcolor=blue tooltip="Namespace" - "default/my-test-deployment-A(Deployment)" [label=<
my-test-deployment-A(Deployment)
my-test-deployment-D(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-B(Deployment)" [label=<
my-test-deployment-B(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "default/my-test-deployment-C(Deployment)" [label=<
my-test-deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv index b02905cc5..51f11b95c 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv @@ -1,4 +1,3 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_by_pods_csv, config: np25","","","","","", -"","[default]","[my-test-deployment-C-1]","[default]","[app=B]","All connections", -"","[default]","[my-test-deployment-C-2]","[default]","[app=B]","All connections", +"","[default]","[my-test-deployment-C-1, my-test-deployment-C-2]","[default]","[app=B]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot index aac2ca22f..bdf0a0988 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot @@ -4,13 +4,11 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 fontcolor=blue tooltip="Namespace" - "default/my-test-deployment-A-1" [label=<
my-test-deployment-A-1
my-test-deployment-A-2
my-test-deployment-D-1
my-test-deployment-D-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-B-1" [label=<
my-test-deployment-B-1
my-test-deployment-B-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-C-1" [label=<
my-test-deployment-C-1
my-test-deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt index 9ccd97c90..22b5c262c 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt @@ -1,3 +1,2 @@ final fw rules for query: connectivity_map_by_pods_txt, config: np25: -src_ns: [default] src_pods: [my-test-deployment-C-1] dst_ns: [default] dst_pods: [app=B] conn: All connections -src_ns: [default] src_pods: [my-test-deployment-C-2] dst_ns: [default] dst_pods: [app=B] conn: All connections +src_ns: [default] src_pods: [my-test-deployment-C-1, my-test-deployment-C-2] dst_ns: [default] dst_pods: [app=B] conn: All connections \ No newline at end of file diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml index 94081ae37..0afa0d81f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml @@ -7,17 +7,7 @@ - src_ns: - default src_pods: - - my-test-deployment-C-1 - dst_ns: - - default - dst_pods: - - app=B - connection: - - All connections - - src_ns: - - default - src_pods: - - my-test-deployment-C-2 + - my-test-deployment-C-1, my-test-deployment-C-2 dst_ns: - default dst_pods: diff --git a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml index dae0fc255..ad6aa3842 100644 --- a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml +++ b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml @@ -24,23 +24,23 @@ networkConfigList: expectedWarnings: 0 queries: - - name: new_online_boutique_connectivity_map - connectivityMap: - - new_online_boutique - expected: 0 - #outputConfiguration: - # outputFormat: dot - # outputPath: online_boutique_new_istio_policies.dot - expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt - - - name: new_online_boutique_synth_res_connectivity_map - connectivityMap: - - new_online_boutique_synthesis_res - expected: 0 - #outputConfiguration: - # outputFormat: dot - # outputPath: online_boutique_new_istio_policies_synthesis_res.dot - expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt +# - name: new_online_boutique_connectivity_map +# connectivityMap: +# - new_online_boutique +# expected: 0 +# #outputConfiguration: +# # outputFormat: dot +# # outputPath: online_boutique_new_istio_policies.dot +# expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt +# +# - name: new_online_boutique_synth_res_connectivity_map +# connectivityMap: +# - new_online_boutique_synthesis_res +# expected: 0 +# #outputConfiguration: +# # outputFormat: dot +# # outputPath: online_boutique_new_istio_policies_synthesis_res.dot +# expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt - name: new_online_boutique_synth_res_connectivity_map_wo_fw_rules connectivityMap: diff --git a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt index 33b80f29b..81cff8378 100644 --- a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt +++ b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt @@ -12,7 +12,7 @@ src_ns: [istio-system] src_pods: [istiod] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [istiod] dst: connected-with-mesh.example.com conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [istio-ingressgateway] conn: All connections +src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} diff --git a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml index 4da44d216..ddcd6e3d2 100644 --- a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml +++ b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml @@ -1,5 +1,6 @@ resourceList: - - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml +# - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml + - ../all_deployments.yaml - ../onlineboutique-services.yaml networkConfigList: diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot index 158efcfe8..45e5db22a 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -64,23 +64,40 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot index d39210c65..77250fbd0 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -51,24 +51,41 @@ All"] "example/deploy-gggg(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 @@ -100,3 +117,4 @@ subgraph cluster_example_namespace{ fontcolor=maroon } } + diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot index 276f6f2e8..b31b60983 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -53,15 +53,24 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot index be13cf727..ccc2023b5 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -48,15 +48,24 @@ All"] "example/deploy-hhhh(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot index 307da6b09..6655f83f7 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -51,14 +51,22 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'},{'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'},{'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'},{'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'},{'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'},{'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'},{'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'},{'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'},{'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot index 0f24c68a7..1008b214a 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -44,14 +44,22 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt index e4ec5ec27..7213be4c8 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-adding-default-sidecar-after-specific, config: adding-default-sidecar-after-specific: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app in (productpage,ratings)] dst_ns: [default] dst_pods: [details-v1] conn: All connections +src_ns: [default] src_pods: [app!=reviews] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [app=reviews] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-adding-default-sidecar-after-specific, config: adding-default-sidecar-after-specific: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt index df45348ae..206e49d4f 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt @@ -1,11 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-default-sidecar-1, config: bookinfo-default-sidecar-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [details-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v2] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v3] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [details-v1, ratings-v1, reviews-v1, reviews-v2, reviews-v3] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-default-sidecar-1, config: bookinfo-default-sidecar-1: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt index e2d27ed59..ca9d06836 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-multiple-sidecar-overrides, config: multiple-sidecar-overrides: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app in (ratings,reviews)] dst_ns: [default] dst_pods: [details-v1] conn: All connections +src_ns: [default] src_pods: [app!=productpage] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-multiple-sidecar-overrides, config: multiple-sidecar-overrides: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt index d5331012a..64d3c6beb 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt @@ -2,9 +2,8 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [app=reviews] conn: All connections +src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1] dst_ns: [default] dst_pods: [details-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-specific-sidecar-overrides-default-sidecar, config: sidecar-with-workload-selector-overrides-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt index b6600f2a4..29b13fe9a 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-two-different-sidecars-override-default-sidecar, config: two-different-sidecars-override-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [app in (productpage,reviews)] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [ratings-v1] dst_ns: [default] dst_pods: [details-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-two-different-sidecars-override-default-sidecar, config: two-different-sidecars-override-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt index e1397dca2..eeab7d57a 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt @@ -1,6 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} diff --git a/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt b/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt index e02208b4f..de0cb05d6 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt @@ -2,7 +2,6 @@ For connections of type TCP, final fw rules for query: frontend_w_no_egress_conn src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [app!=frontend] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: frontend_w_no_egress_connectivity_map, config: sidecar_disable_egress: diff --git a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt index 74c397b35..4bef80652 100644 --- a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt +++ b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt @@ -2,7 +2,6 @@ For connections of type TCP, final fw rules for query: connectivity-sidecar-host src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst: api.facebook.com conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.newrelic.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.slack.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.wikipedia.org conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt index 51989b343..796918365 100644 --- a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt +++ b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt @@ -1,7 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-sidecar-host-name-does-not-contain-service-entry-hosts, config: sidecar-w-specific-host-name: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.newrelic.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.slack.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.wikipedia.org conn: All connections diff --git a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt index 2f80a3316..8ad32ce46 100644 --- a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt @@ -1,12 +1,9 @@ For connections of type TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [istio-ingressgateway] conn: All connections -src_ns: [default] src_pods: [fly-api] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [fly-api] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [hora-api] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [hora-api] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'} +src_ns: [default] src_pods: [fly-api, hora-api] dst: 0.0.0.0/0 conn: All connections +src_ns: [default] src_pods: [fly-api, hora-api] dst_ns: [default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt index 4c6d64d82..2dd1584c9 100644 --- a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt @@ -5,7 +5,6 @@ src_ns: [default,prod,qa] src_pods: [*] dst: connected_with_mesh.example.com con src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity, config: istio-egress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt index 001bbf712..b4b269ee0 100644 --- a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt @@ -1,8 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity, config: istio-ingress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections -src_ns: [default,istio-system,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections +src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: TCP {'dst_ports': '5555', 'hosts': 'mongosvr.prod.svc.cluster.local'} src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: TCP {'dst_ports': '9080', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local', 'paths': '/reviews(/*)?'} src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: TCP {'dst_ports': '7777', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local'} diff --git a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt index 1d2ef9ac8..668db7aef 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -2,10 +2,9 @@ For connections of type TCP, final fw rules for query: new_online_boutique_conne src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} -src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt index 815c1c10b..69807048e 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt @@ -4,13 +4,13 @@ src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map, config: new_online_boutique_synthesis_res: diff --git a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt index 38eb83acb..ca07f5d08 100644 --- a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt +++ b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt @@ -11,7 +11,6 @@ src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app not in ( src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: All connections src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: onlineboutique-sidecars-connectivity, config: onlineboutique-sidecars-and-gateways: src: 0.0.0.0/0 dst_ns: [asm-ingress,default,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt index e8e1482ff..4d86cece0 100644 --- a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt +++ b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt @@ -131,13 +131,7 @@ 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -152,13 +146,7 @@ default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -173,13 +161,7 @@ default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSe default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -194,13 +176,7 @@ default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -215,13 +191,7 @@ default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-no default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -236,13 +206,7 @@ ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-sys ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -257,13 +221,7 @@ ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-sy ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -278,13 +236,7 @@ kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ku kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -299,13 +251,7 @@ kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -320,13 +266,7 @@ kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-s kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -341,13 +281,7 @@ kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube- kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -362,13 +296,7 @@ kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -384,13 +312,7 @@ kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -405,13 +327,7 @@ kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b8 kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -426,13 +342,7 @@ kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/publi kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -448,13 +358,7 @@ kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[Da kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -469,13 +373,7 @@ kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-i kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -491,13 +389,7 @@ kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonS kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -513,13 +405,7 @@ kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[Dae kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -534,13 +420,7 @@ kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cr kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -556,13 +436,7 @@ kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-nod kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -578,13 +452,7 @@ kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[Daem kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -599,4 +467,4 @@ kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections \ No newline at end of file +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections diff --git a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt index 52562f12e..ac683a3d7 100644 --- a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt @@ -1,6 +1,5 @@ final fw rules for query: connectivity, config: test-ingress: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default,ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [default,istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,istio-system] dst_pods: [*] conn: All connections +src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'hosts': 'demo.localdev.me', 'paths': '/details(/*)?'} diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt index 50f5ce659..04d20d5e0 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -4,11 +4,11 @@ src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt index 085de9d95..a7094a55a 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt @@ -2,14 +2,14 @@ final fw rules for query: new_online_boutique_synthesis_res_connectivity_map, co src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt index 99ffe09a8..36bffcc45 100644 --- a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections From e5eb7016a83d5387232cfec7c9581fb50ab40e19 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 16:35:57 +0300 Subject: [PATCH 25/89] Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya --- nca/FWRules/MinimizeBasic.py | 3 +- nca/NetworkConfig/NetworkConfigQuery.py | 201 +++++-- ..._diff_a_to_b_with_ipBlock_query_output.csv | 11 +- ...c_diff_a_to_b_with_ipBlock_query_output.md | 11 +- ..._diff_a_to_b_with_ipBlock_query_output.txt | 11 +- ...diff_a_to_b_with_ipBlock_query_output.yaml | 51 +- ...ic_diff_ipblocks__np1_np4_query_output.csv | 20 +- ...tic_diff_ipblocks__np1_np4_query_output.md | 20 +- ...ic_diff_ipblocks__np1_np4_query_output.txt | 20 +- ...c_diff_ipblocks__np1_np4_query_output.yaml | 146 +----- ...diff_ipblocks_equivalence_query_output.csv | 21 +- ..._diff_ipblocks_equivalence_query_output.md | 21 +- ...diff_ipblocks_equivalence_query_output.txt | 20 +- ...iff_ipblocks_equivalence_query_output.yaml | 140 +---- ...tic_diff_ipblocks_np1_np2_query_output.csv | 10 +- ...ntic_diff_ipblocks_np1_np2_query_output.md | 10 +- ...tic_diff_ipblocks_np1_np2_query_output.txt | 10 +- ...ic_diff_ipblocks_np1_np2_query_output.yaml | 70 +-- ...ports_np1_and_np2_by_pods_query_output.txt | 6 +- .../semantic_diff_np1_np2_query_output.csv | 10 +- .../semantic_diff_np1_np2_query_output.md | 10 +- .../semantic_diff_np1_np2_query_output.txt | 10 +- .../semantic_diff_np1_np2_query_output.yaml | 70 +-- .../semantic_diff_poc-scheme_output.csv | 8 +- .../semantic_diff_poc-scheme_output.md | 8 +- .../semantic_diff_poc-scheme_output.txt | 6 +- .../semantic_diff_poc-scheme_output.yaml | 31 +- ...diff_with_different_topologies-scheme.yaml | 494 +++++++++--------- 28 files changed, 519 insertions(+), 930 deletions(-) diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 9fe042af7..72de6a6d0 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -125,8 +125,7 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container, conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) else: if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, - ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) + conns.add_connections(protocol, ConnectivityProperties.make_all_props()) else: conns.add_connections(protocol, True) return conns, src_peers, dst_peers diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 60c4ce3e1..8046f37db 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -8,6 +8,7 @@ from abc import abstractmethod from collections import defaultdict from enum import Enum +from dataclasses import dataclass from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet, IpBlock, Pod, Peer, DNSEntry, BasePeerSet @@ -27,6 +28,7 @@ PoliciesWithCommonPods, PeersAndConnections, ComputedExplanation from .NetworkLayer import NetworkLayerName from nca.Utils.ExplTracker import ExplTracker +from nca.NetworkConfig import PeerContainer class QueryType(Enum): @@ -1394,6 +1396,14 @@ class SemanticDiffQuery(TwoNetworkConfigsQuery): Produces a report of changed connections (also for the case of two configurations of different network topologies) """ + @dataclass + class PropsAndExplanationData: + props: ConnectivityProperties + cluster_info: ClusterInfo + output_config: OutputConfiguration + peer_container: PeerContainer + + @staticmethod def get_query_type(): return QueryType.PairComparisonQuery @@ -1496,18 +1506,93 @@ def get_results_for_computed_fw_rules(self, keys_list, conn_graph_removed_per_ke return res, explanation + def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_connectivity_result): + """ + computes the explanation for given key and conn_graph with description and fw-rules results + prepares the description and explanation + description text is written for txt, yaml and json formats + other formats description already included in the conn_graph data + :param str key: the key describing the changes + :param bool is_added: a bool flag indicating if connections are added or removed + :param PropsAndExplanationData props_data: a ConnectivityProperties with added/removed connections + :param bool is_first_connectivity_result: flag indicating if this is the first connectivity fw-rules computation + for the current semantic-diff query + :return the computedExplanation of the current key and conn_graph considering the outputFormat, + and fw_rules from which the explanation was computed + :rtype: ComputedExplanation, Union[None, MinimizeFWRules] + """ + updated_key = self._get_updated_key(key, is_added) + topology_config_name = self.name2 if is_added else self.name1 + connectivity_changes_header = f'{updated_key} (based on topology from config: {topology_config_name}) :' + fw_rules = None + if self.output_config.outputFormat == 'txt_no_fw_rules': + conn_graph = ConnectivityGraph(props_data.cluster_info.all_peers, props_data.cluster_info.allowed_labels, + props_data.output_config) + conn_graph.add_props_to_graph(props_data.props, props_data.peer_container) + conn_graph_explanation = conn_graph.get_connections_without_fw_rules_txt_format( + connectivity_changes_header, exclude_self_loop_conns=False) + '\n' + else: + fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, + props_data.output_config, + props_data.peer_container, None) + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) # Tanya: debug + conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) + + if self.output_config.outputFormat in ['json', 'yaml']: + explanation_dict = {'description': updated_key} + explanation_dict.update(conn_graph_explanation) + key_explanation = ComputedExplanation(dict_explanation=explanation_dict) + else: + str_explanation = f'\n{connectivity_changes_header}\n' if self.output_config.outputFormat == 'txt' else '' + str_explanation += conn_graph_explanation + key_explanation = ComputedExplanation(str_explanation=str_explanation) + + return key_explanation, fw_rules + + def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key, added_props_per_key): + """ + Compute accumulated explanation and res for all keys of changed connections categories + :param keys_list: the list of keys + :param removed_props_per_key: map from key to PropsAndExplanationData of removed connections + :param added_props_per_key: map from key to PropsAndExplanationData of added connections + :return: + res (int): number of categories with diffs + explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category + :rtype: int, list[ComputedExplanation] + """ + explanation = [] + add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() + res = 0 + for key in keys_list: + added_props = added_props_per_key[key] + removed_props = removed_props_per_key[key] + is_added = added_props is not None and added_props.props + is_removed = removed_props is not None and removed_props.props + if is_added: + if add_explanation: + key_explanation, _ = self.compute_explanation_for_key_opt(key, True, added_props, res == 0) + explanation.append(key_explanation) + res += 1 + + if is_removed: + if add_explanation: + key_explanation, _ = self.compute_explanation_for_key_opt(key, False, removed_props, res == 0) + explanation.append(key_explanation) + res += 1 + + return res, explanation + def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - opt_conn_graph_removed_per_key, - opt_conn_graph_added_per_key): + removed_props_per_key, added_props_per_key): """ Compute accumulated explanation and res for all keys of changed connections categories. Also, compare original and optimized results. :param keys_list: the list of keys :param orig_conn_graph_removed_per_key: map from key to ConnectivityGraph of original removed connections :param orig_conn_graph_added_per_key: map from key to ConnectivityGraph of original added connections - :param opt_conn_graph_removed_per_key: map from key to ConnectivityGraph of optimized removed connections - :param opt_conn_graph_added_per_key: map from key to ConnectivityGraph of optimized added connections + :param removed_props_per_key: map from key to PropsAndExplanationData of optimized removed connections + :param added_props_per_key: map from key to PropsAndExplanationData of optimized added connections :return: res (int): number of categories with diffs explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category @@ -1527,9 +1612,11 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, True, orig_conn_graph_added_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - opt_conn_graph_added_conns = opt_conn_graph_added_per_key[key] - assert opt_conn_graph_added_conns and opt_conn_graph_added_conns.conn_graph_has_fw_rules() - opt_fw_rules = opt_conn_graph_added_conns.get_minimized_firewall_rules() + added_props_data = added_props_per_key[key] + assert added_props_per_key + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + added_props_data.props, added_props_data.cluster_info, added_props_data.output_config, + added_props_data.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, self._get_updated_key(key, True) + f'between {self.config1.name} and {self.config2.name}') @@ -1542,9 +1629,11 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, False, orig_conn_graph_removed_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - opt_conn_graph_removed_conns = opt_conn_graph_removed_per_key[key] - assert opt_conn_graph_removed_conns and opt_conn_graph_removed_conns.conn_graph_has_fw_rules() - opt_fw_rules = opt_conn_graph_removed_conns.get_minimized_firewall_rules() + removed_props_data = removed_props_per_key[key] + assert removed_props_data + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + removed_props_data.props, removed_props_data.cluster_info, removed_props_data.output_config, + removed_props_data.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, self._get_updated_key(key, False) + f'between {self.config1.name} and {self.config2.name}') @@ -1745,7 +1834,31 @@ def compute_diff_original(self): # noqa: C901 return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key - # TODO - rewrite this function using new optimized fw-rules creation + def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_container): + """ + create a ConnectivityGraph for changed (added/removed) connections per given key + :param key: the key (category) of changed connections + :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers + :param is_added: a bool flag indicating if connections are added or removed + :param ConnectivityProperties props: the explanation + :param PeerContainer peer_container: a relevant peer container + :return: a PropsAndExplanationData object + """ + old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) + new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) + allowed_labels = (self.config1.get_allowed_labels()).union(self.config2.get_allowed_labels()) + topology_peers = new_peers | ip_blocks if is_added else old_peers | ip_blocks + # following query_name update is for adding query line descriptions for csv and md formats + updated_key = self._get_updated_key(key, is_added) + if self.output_config.queryName: + query_name = f'semantic_diff, config1: {self.config1.name}, config2: {self.config2.name}, key: {updated_key}' + else: + # omit the query name prefix if self.output_config.queryName is empty (single query from command line) + query_name = updated_key + output_config = OutputConfiguration(self.output_config, query_name) + return SemanticDiffQuery.PropsAndExplanationData(props, ClusterInfo(topology_peers, allowed_labels), + output_config, peer_container) + def compute_diff_optimized(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: @@ -1788,8 +1901,8 @@ def compute_diff_optimized(self): # noqa: C901 IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6) - conn_graph_removed_per_key = dict() - conn_graph_added_per_key = dict() + removed_props_per_key = dict() + added_props_per_key = dict() keys_list = [] res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() old_conns = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) @@ -1800,44 +1913,42 @@ def compute_diff_optimized(self): # noqa: C901 # 1.1. lost connections between removed peers key = 'Lost connections between removed peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": removed_peers}) props &= old_props props = props.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 1.2. lost connections between removed peers and ipBlocks key = 'Lost connections between removed peers and ipBlocks' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, old_ip_blocks, False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": old_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": old_ip_blocks, "dst_peers": removed_peers}) props &= old_props - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, old_ip_blocks, False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 2.1. lost connections between removed peers and intersected peers key = 'Lost connections between removed peers and persistent peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": removed_peers}) props &= old_props props = props.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces key = 'Changed connections between persistent peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, @@ -1846,61 +1957,63 @@ def compute_diff_optimized(self): # noqa: C901 props1 = props1.props_without_auto_conns() props2 = new_props & props props2 = props2.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props1 - props2, self.config1.peer_container) - conn_graph_added_per_key[key].add_props_to_graph(props2 - props1, self.config2.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props1 - props2, + self.config1.peer_container) + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props2 - props1, + self.config2.peer_container) # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels key = 'Changed connections between persistent peers and ipBlocks' disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, "dst_peers": disjoint_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": disjoint_ip_blocks, "dst_peers": captured_pods}) props1 = old_props & props props2 = new_props & props - conn_graph_removed_per_key[key].add_props_to_graph(props1 - props2, self.config1.peer_container) - conn_graph_added_per_key[key].add_props_to_graph(props2 - props1, self.config2.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, False, props1 - props2, + self.config1.peer_container) + added_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, True, props2 - props1, + self.config2.peer_container) # 4.1. new connections between intersected peers and added peers key = 'New connections between persistent peers and added peers' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": added_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": intersected_peers}) props &= new_props props = props.props_without_auto_conns() - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props, + self.config2.peer_container) # 5.1. new connections between added peers key = 'New connections between added peers' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": added_peers}) props &= new_props props = props.props_without_auto_conns() - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props, + self.config2.peer_container) # 5.2. new connections between added peers and ipBlocks key = 'New connections between added peers and ipBlocks' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, new_ip_blocks, True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": new_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": new_ip_blocks, "dst_peers": added_peers}) props &= new_props - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, new_ip_blocks, True, props, + self.config2.peer_container) - return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key + return keys_list, removed_props_per_key, added_props_per_key def exec(self, cmd_line_flag): self.output_config.fullExplanation = True # assign true for this query - it is always ok to compare its results @@ -1917,14 +2030,14 @@ def exec(self, cmd_line_flag): res, explanation = self.get_results_for_computed_fw_rules(keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key) if self.config1.optimized_run != 'false': - keys_list, opt_conn_graph_removed_per_key, opt_conn_graph_added_per_key = self.compute_diff_optimized() + keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() if self.config1.optimized_run == 'true': - res, explanation = self.get_results_for_computed_fw_rules(keys_list, opt_conn_graph_removed_per_key, - opt_conn_graph_added_per_key) + res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, + added_props_per_key) else: res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - opt_conn_graph_removed_per_key, opt_conn_graph_added_per_key) + removed_props_per_key, added_props_per_key) if res > 0: return QueryAnswer(bool_result=False, diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv index 250c7d81b..94aeeff6f 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv @@ -13,15 +13,10 @@ "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers","","","","","", "","[default]","[app=app-0]","[default]","[app=app-2]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[default]","[app=app-1]","All connections", -"","","10.10.0.0/16","[default]","[app=app-1]","All connections", -"","","11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections", +"","","0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","10.0.0.0-10.10.255.255","[default]","[app=app-2]","All but UDP 53", -"","","10.12.0.0-10.255.255.255","[default]","[app=app-2]","All but UDP 53", -"","","0.0.0.0-9.255.255.255","[default]","[app=app-2]","All connections", -"","","10.11.0.0/16","[default]","[app=app-2]","All connections", -"","","11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections", +"","","0.0.0.0/0","[default]","[app=app-2]","All but UDP 53", +"","","0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers","","","","","", "","[default]","[app in (app-5,app-6)]","[default]","[app in (app-0,app-1)]","All connections", "","[default]","[app not in (app-5,app-6)]","[default]","[app in (app-5,app-6)]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md index 01a30e28a..79aed5d87 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md @@ -14,15 +14,10 @@ |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers|||||| ||[default]|[app=app-0]|[default]|[app=app-2]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[default]|[app=app-1]|All connections| -|||10.10.0.0/16|[default]|[app=app-1]|All connections| -|||11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections| +|||0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks|||||| -|||10.0.0.0-10.10.255.255|[default]|[app=app-2]|All but UDP 53| -|||10.12.0.0-10.255.255.255|[default]|[app=app-2]|All but UDP 53| -|||0.0.0.0-9.255.255.255|[default]|[app=app-2]|All connections| -|||10.11.0.0/16|[default]|[app=app-2]|All connections| -|||11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections| +|||0.0.0.0/0|[default]|[app=app-2]|All but UDP 53| +|||0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers|||||| ||[default]|[app in (app-5,app-6)]|[default]|[app in (app-0,app-1)]|All connections| ||[default]|[app not in (app-5,app-6)]|[default]|[app in (app-5,app-6)]|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt index 6cef15323..1176223ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt @@ -19,16 +19,11 @@ Removed connections between persistent peers (based on topology from config: con src_ns: [default] src_pods: [app=app-0] dst_ns: [default] dst_pods: [app=app-2] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: config_b_with_ipBlock) : -src: 0.0.0.0-9.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections -src: 10.10.0.0/16 dst_ns: [default] dst_pods: [app=app-1] conn: All connections -src: 11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections +src: 0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: config_a_with_ipBlock) : -src: 0.0.0.0-9.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections -src: 10.0.0.0-10.10.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 -src: 10.11.0.0/16 dst_ns: [default] dst_pods: [app=app-2] conn: All connections -src: 10.12.0.0-10.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 -src: 11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections +src: 0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 New connections between persistent peers and added peers (based on topology from config: config_b_with_ipBlock) : src_ns: [default] src_pods: [app in (app-5,app-6)] dst_ns: [default] dst_pods: [app in (app-0,app-1)] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml index 3099cc8ff..262c06561 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml @@ -96,28 +96,14 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - default - dst_pods: - - app=app-1 - connection: - - All connections - - src_ip_block: - 10.10.0.0/16 - dst_ns: - - default - dst_pods: - - app=app-1 - connection: - - All connections - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/1 - 16.0.0.0/4 - 32.0.0.0/3 - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - default dst_pods: @@ -127,24 +113,7 @@ - description: Removed connections between persistent peers and ipBlocks rules: - src_ip_block: - - 10.0.0.0/13 - - 10.10.0.0/16 - - 10.8.0.0/15 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 10.12.0.0/14 - - 10.128.0.0/9 - - 10.16.0.0/12 - - 10.32.0.0/11 - - 10.64.0.0/10 + - 0.0.0.0/0 dst_ns: - default dst_pods: @@ -156,28 +125,14 @@ - 53 - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All connections - - src_ip_block: - 10.11.0.0/16 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All connections - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/1 - 16.0.0.0/4 - 32.0.0.0/3 - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - default dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv index b2ec85845..8ce3bc054 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv @@ -6,21 +6,7 @@ "","[kube-system]","[tier=frontend]","[default,kube-system-dummy-to-ignore,vendor-system]","[*]","All connections", "","[kube-system]","[tier=frontend]","[kube-system]","[!has(tier) or tier=not_frontend_for_demo]","All connections", "semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","10.0.0.0/8","[kube-system]","[tier=frontend]","All connections", -"","","172.21.0.0/16","[kube-system]","[tier=frontend]","All connections", -"","","172.30.0.0/16","[kube-system]","[tier=frontend]","All connections", +"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but UDP 53", +"","","10.0.0.0/8,172.21.0.0/16,172.30.0.0/16","[kube-system]","[tier=frontend]","All connections", "semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.1/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.11/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.13/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.15/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.17-255.255.255.255","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.3/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.5/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.7/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.9/32","All connections", +"","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md index dc33b6245..2931c20de 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md @@ -7,21 +7,7 @@ ||[kube-system]|[tier=frontend]|[default,kube-system-dummy-to-ignore,vendor-system]|[*]|All connections| ||[kube-system]|[tier=frontend]|[kube-system]|[!has(tier) or tier=not_frontend_for_demo]|All connections| |semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||10.0.0.0/8|[kube-system]|[tier=frontend]|All connections| -|||172.21.0.0/16|[kube-system]|[tier=frontend]|All connections| -|||172.30.0.0/16|[kube-system]|[tier=frontend]|All connections| +|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but UDP 53| +|||10.0.0.0/8,172.21.0.0/16,172.30.0.0/16|[kube-system]|[tier=frontend]|All connections| |semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks|||||| -||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255|All connections| -||[kube-system]|[tier=frontend]||49.50.0.1/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.11/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.13/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.15/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.17-255.255.255.255|All connections| -||[kube-system]|[tier=frontend]||49.50.0.3/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.5/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.7/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.9/32|All connections| +||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt index 8ac650461..efd603fbc 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt @@ -9,22 +9,8 @@ src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [default,kube-system-dum src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: np4) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 10.0.0.0/8 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 172.21.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 +src: 10.0.0.0/8,172.21.0.0/16,172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src_ns: [kube-system] src_pods: [tier=frontend] dst: 0.0.0.0-49.49.255.255 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.1/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.11/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.13/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.15/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.17-255.255.255.255 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.3/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.5/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.7/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.9/32 conn: All connections +src_ns: [kube-system] src_pods: [tier=frontend] dst: 0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml index 1dfd1dea7..9626fbdad 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml @@ -56,60 +56,7 @@ - description: Added connections between persistent peers and ipBlocks rules: - src_ip_block: - - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 11.0.0.0/8 - - 12.0.0.0/6 - - 128.0.0.0/3 - - 16.0.0.0/4 - - 160.0.0.0/5 - - 168.0.0.0/6 - - 172.0.0.0/12 - - 172.16.0.0/14 - - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.22.0.0/15 - - 172.24.0.0/14 - - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - - 172.31.0.0/16 - - 172.32.0.0/11 - - 172.64.0.0/10 - - 173.0.0.0/8 - - 174.0.0.0/7 - - 176.0.0.0/4 - - 192.0.0.0/2 + - 0.0.0.0/0 dst_ns: - kube-system dst_pods: @@ -121,21 +68,7 @@ - 53 - src_ip_block: - 10.0.0.0/8 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All connections - - src_ip_block: - 172.21.0.0/16 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All connections - - src_ip_block: - 172.30.0.0/16 dst_ns: - kube-system @@ -151,59 +84,28 @@ - tier=frontend dst_ip_block: - 0.0.0.0/3 + - 128.0.0.0/1 - 32.0.0.0/4 - 48.0.0.0/8 - 49.0.0.0/11 + - 49.128.0.0/9 - 49.32.0.0/12 - 49.48.0.0/15 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.1/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.11/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: + - 49.50.0.128/25 - 49.50.0.13/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.15/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 128.0.0.0/1 - - 49.128.0.0/9 - - 49.50.0.128/25 - 49.50.0.17/32 - 49.50.0.18/31 - 49.50.0.20/30 - 49.50.0.24/29 + - 49.50.0.3/32 - 49.50.0.32/27 + - 49.50.0.5/32 - 49.50.0.64/26 + - 49.50.0.7/32 + - 49.50.0.9/32 - 49.50.1.0/24 - 49.50.128.0/17 - 49.50.16.0/20 @@ -222,35 +124,3 @@ - 64.0.0.0/2 connection: - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.3/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.5/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.7/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.9/32 - connection: - - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv index 37d31db23..84331132b 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv @@ -1,24 +1,11 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", - +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md index a25b9f4a4..63545d5f7 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md @@ -1,26 +1,13 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| - +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt index 55edf8420..04a3da137 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt @@ -1,29 +1,17 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 np1 and np3 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np3) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 np2 and np3 have the same network topology and the same set of policies. diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml index e9a858463..3b83e224d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -140,16 +86,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -157,32 +93,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -190,6 +106,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -202,16 +121,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -219,32 +128,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -252,6 +141,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv index 632e48049..9f4722825 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv @@ -1,11 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md index 80b630383..c1815eaac 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md @@ -1,12 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt index 9c8f53500..30b4d61b6 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt @@ -1,13 +1,7 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml index d0422e206..2b637846a 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt index 401c47f35..0c47b208d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt @@ -1,9 +1,7 @@ np1_named_ports and np2_named_ports are not semantically equivalent. Added connections between persistent peers (based on topology from config: np2_named_ports) : -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486] conn: TCP 10054 -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) : -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486] conn: TCP 10054 -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv index 632e48049..9f4722825 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv @@ -1,11 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md index 80b630383..c1815eaac 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md @@ -1,12 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt index 9c8f53500..30b4d61b6 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt @@ -1,13 +1,7 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml index af72b3b5e..f0c2053dd 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv index 3d2f0a68e..0ba4d2d49 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv @@ -1,6 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers","","","","","", -"","[default]","[*]","[kube-system]","[*]","All but UDP 53", "","[default]","[*]","[default]","[productcatalogservice]","All but TCP 3550", "","[default]","[recommendationservice]","[default]","[*]","All but TCP 3550", "","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but TCP 50051", @@ -8,11 +7,12 @@ "","[default]","[cartservice]","[default]","[*]","All but TCP 6379", "","[default]","[*]","[default]","[currencyservice]","All but TCP 7000", "","[default]","[*]","[default]","[cartservice]","All but TCP 7070", -"","[default]","[*]","[default]","[app in (emailservice,recommendationservice)]","All but TCP 8080", +"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but TCP 8080", "","[default]","[loadgenerator]","[default]","[*]","All but TCP 8080", "","[kube-system]","[*]","[default]","[*]","All but TCP 8080", "","[default]","[*]","[default]","[adservice]","All but TCP 9555", -"","[default]","[*]","[default]","[loadgenerator]","All connections", +"","[default]","[*]","[kube-system]","[*]","All but UDP 53", +"","[default,kube-system]","[*]","[default]","[loadgenerator]","All connections", "","[default]","[*]","[kube-system]","[etcd-operator]","All connections", "","[default]","[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]","[default,kube-system]","[*]","All connections", "","[default]","[cartservice]","[default]","[app not in (cartservice,loadgenerator,redis-cart)]","All connections", @@ -20,7 +20,7 @@ "","[default]","[frontend]","[default]","[app in (emailservice,paymentservice,redis-cart)]","All connections", "","[default]","[loadgenerator]","[default]","[app not in (frontend,loadgenerator)]","All connections", "","[default]","[recommendationservice]","[default]","[app not in (loadgenerator,productcatalogservice,recommendationservice)]","All connections", -"","[kube-system]","[*]","[default]","[app!=frontend]","All connections", +"","[kube-system]","[*]","[default]","[app not in (frontend,loadgenerator)]","All connections", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks","","","","","", "","","0.0.0.0/0","[default]","[*]","All but TCP 8080", "","","0.0.0.0/0","[default]","[app!=frontend]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md index d846bea80..68266e251 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md @@ -1,7 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers|||||| -||[default]|[*]|[kube-system]|[*]|All but UDP 53| ||[default]|[*]|[default]|[productcatalogservice]|All but TCP 3550| ||[default]|[recommendationservice]|[default]|[*]|All but TCP 3550| ||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but TCP 50051| @@ -9,11 +8,12 @@ ||[default]|[cartservice]|[default]|[*]|All but TCP 6379| ||[default]|[*]|[default]|[currencyservice]|All but TCP 7000| ||[default]|[*]|[default]|[cartservice]|All but TCP 7070| -||[default]|[*]|[default]|[app in (emailservice,recommendationservice)]|All but TCP 8080| +||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but TCP 8080| ||[default]|[loadgenerator]|[default]|[*]|All but TCP 8080| ||[kube-system]|[*]|[default]|[*]|All but TCP 8080| ||[default]|[*]|[default]|[adservice]|All but TCP 9555| -||[default]|[*]|[default]|[loadgenerator]|All connections| +||[default]|[*]|[kube-system]|[*]|All but UDP 53| +||[default,kube-system]|[*]|[default]|[loadgenerator]|All connections| ||[default]|[*]|[kube-system]|[etcd-operator]|All connections| ||[default]|[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]|[default,kube-system]|[*]|All connections| ||[default]|[cartservice]|[default]|[app not in (cartservice,loadgenerator,redis-cart)]|All connections| @@ -21,7 +21,7 @@ ||[default]|[frontend]|[default]|[app in (emailservice,paymentservice,redis-cart)]|All connections| ||[default]|[loadgenerator]|[default]|[app not in (frontend,loadgenerator)]|All connections| ||[default]|[recommendationservice]|[default]|[app not in (loadgenerator,productcatalogservice,recommendationservice)]|All connections| -||[kube-system]|[*]|[default]|[app!=frontend]|All connections| +||[kube-system]|[*]|[default]|[app not in (frontend,loadgenerator)]|All connections| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks|||||| |||0.0.0.0/0|[default]|[*]|All but TCP 8080| |||0.0.0.0/0|[default]|[app!=frontend]|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt index 1852687c7..820c26aeb 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt @@ -1,13 +1,13 @@ allow_all and poc3 are not semantically equivalent. Removed connections between persistent peers (based on topology from config: allow_all) : +src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but TCP 9555 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,recommendationservice)] conn: All but TCP 8080 +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but TCP 8080 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but TCP 50051 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but TCP 7070 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but TCP 5050 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but TCP 7000 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but TCP 3550 src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but UDP 53 src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [etcd-operator] conn: All connections @@ -21,7 +21,7 @@ src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [app not src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 3550 src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [app not in (loadgenerator,productcatalogservice,recommendationservice)] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app!=frontend] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: allow_all) : src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml index dec69f9f9..2f74607e9 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml @@ -7,19 +7,6 @@ explanation: - description: Removed connections between persistent peers rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - src_ns: - default src_pods: @@ -118,7 +105,7 @@ dst_ns: - default dst_pods: - - app in (emailservice,recommendationservice) + - app in (emailservice,frontend,loadgenerator,recommendationservice) connection: - All but: - Protocol: TCP @@ -168,6 +155,20 @@ src_pods: - '*' dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All but: + - Protocol: UDP + Ports: + - 53 + - src_ns: + - default + - kube-system + src_pods: + - '*' + dst_ns: - default dst_pods: - loadgenerator @@ -251,7 +252,7 @@ dst_ns: - default dst_pods: - - app!=frontend + - app not in (frontend,loadgenerator) connection: - All connections - description: Removed connections between persistent peers and ipBlocks diff --git a/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml b/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml index 40117f432..79531bd14 100644 --- a/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml +++ b/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml @@ -48,253 +48,253 @@ networkConfigList: - policy_b_ipBlock.yaml expectedWarnings: 0 queries: -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.txt -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.yaml -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.md -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: dot - outputPath: null - expectedNotExecuted: 1 # dot is not supported for semanticDiff - expectedOutput: expected_output/semantic_diff_identical_query_output.dot -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.csv - -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.txt -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.yaml -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.md -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: dot - outputPath: null - expectedNotExecuted: 1 # dot is not supported for semanticDiff - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.dot -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.csv - -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.txt -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.yaml -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.md -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.csv - -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.txt -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.yaml -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.md -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.csv - -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.txt -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.yaml -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.md -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.csv +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.txt +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.yaml +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.md +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: dot +# outputPath: null +# expectedNotExecuted: 1 # dot is not supported for semanticDiff +# expectedOutput: expected_output/semantic_diff_identical_query_output.dot +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.csv +# +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.txt +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.yaml +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.md +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: dot +# outputPath: null +# expectedNotExecuted: 1 # dot is not supported for semanticDiff +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.dot +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.csv +# +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.txt +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.yaml +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.md +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.csv +# +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.txt +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.yaml +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.md +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.csv +# +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.txt +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.yaml +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.md +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.csv - name: semantic_diff_a_to_b_with_ipBlock semanticDiff: From 5c0cc0ccb58adc2f0d676cb8bb07a9c764aa40fc Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 17:22:25 +0300 Subject: [PATCH 26/89] Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 ++-- ...-semanticDiff-config-1-calico-ingress-config-allow-all.txt | 2 +- .../semantic_diff_online_boutique_new_vs_synthesized_new.txt | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 7a0426e63..678965400 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -247,8 +247,8 @@ def _compute_full_ipblock_and_dns_grouping(self, is_src_ns): self._add_to_map_if_covered(dim_name, ipblock.get_peer_set(), other_dim_name, other_dim_peers, ipblock_dnsentry_to_peer_set) dns_entries = dim_peers.get_dns_entries() - if dns_entries: - self._add_to_map_if_covered(dim_name, dns_entries, other_dim_name, other_dim_peers, + for dns_entry in dns_entries: + self._add_to_map_if_covered(dim_name, PeerSet({dns_entry}), other_dim_name, other_dim_peers, ipblock_dnsentry_to_peer_set) for curr_peers, other_dim_peers in ipblock_dnsentry_to_peer_set.items(): curr_peers = PeerSet(set(curr_peers)) # peel off the frozenset diff --git a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt index da7d0e380..e2906fca9 100644 --- a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt +++ b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt @@ -4,9 +4,9 @@ Added connections between persistent peers (based on topology from config: allow src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but TCP,UDP src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [app in (ratings,reviews)] conn: All connections +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: allow-all-config) : src: 0.0.0.0/0 dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt index 227846fc8..ed9f13cf3 100644 --- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt +++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt @@ -13,4 +13,3 @@ src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,reco New connections between added peers and ipBlocks (based on topology from config: new_online_synthesis_res) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections From f8f1d67440b32ab8c1fb5f74241f10266b02e2f6 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 12:37:04 +0300 Subject: [PATCH 27/89] Updated containment, permits, forbids expected results. Signed-off-by: Tanya --- ...uiv_configs_w_sidecars_different_hosts.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 6 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...-empty-impl-default-spec-all-examples.json | 59 +--- ...s-empty-impl-default-spec-all-examples.txt | 13 +- ...-empty-impl-default-spec-all-examples.yaml | 39 +-- ...no-strong-equivalence-all-peers-pairs.json | 310 +----------------- .../no-strong-equivalence-all-peers-pairs.txt | 53 +-- ...no-strong-equivalence-all-peers-pairs.yaml | 215 +----------- ...ult-impl-default-spec-print-all-pairs.json | 48 +-- ...ault-impl-default-spec-print-all-pairs.txt | 12 +- ...ult-impl-default-spec-print-all-pairs.yaml | 33 +- 14 files changed, 35 insertions(+), 761 deletions(-) diff --git a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt index b118b0a9a..2460f5ac4 100644 --- a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt +++ b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt @@ -1,3 +1,3 @@ sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. Connections allowed in sidecar-with-local-hosts-only which are different in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. \ No newline at end of file +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. diff --git a/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt index e6831d062..0eead1938 100644 --- a/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt @@ -1,7 +1,3 @@ sidecar-with-local-and-dns-hosts does not forbid connections specified in sidecar-with-local-hosts-only Both sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts allow the following connection(s): -src: default/ratings-v1-1, dst: 0.0.0.0-255.255.255.255, conn: All connections -src: default/ratings-v1-1, dst: default/details-v1-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v1-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v2-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v3-1, conn: All connections +src: ['default/ratings-v1-1'], dst: ['0.0.0.0-255.255.255.255', 'default/details-v1-1', 'default/reviews-v1-1', 'default/reviews-v2-1', 'default/reviews-v3-1'], conn: All connections diff --git a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt index a0fd05db2..37146a98f 100644 --- a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. diff --git a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt index 65196a97a..b8949af59 100644 --- a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,5 +1,5 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. sidecar-with-local-hosts-only does not interfere with sidecar-with-local-and-dns-hosts diff --git a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt index 952dc4d24..c1a3f3b8b 100644 --- a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ Network configuration sidecar-with-local-hosts-only is a proper subset of sidecar-with-local-and-dns-hosts but sidecar-with-local-and-dns-hosts is not contained in sidecar-with-local-hosts-only Connections allowed in sidecar-with-local-and-dns-hosts which are not a subset of those in sidecar-with-local-hosts-only: -src: default/ratings-v1-1, dst: www.slack.com, conn: Protocol: TCP +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: Protocol: TCP diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json index 070b4be76..9a808aa41 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json @@ -12,63 +12,8 @@ "description": "Both np-within-default and np-empty allow the following connection(s)", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" } ] diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt index 7a1eb6259..5fee0d60e 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt @@ -1,14 +1,3 @@ np-empty does not forbid connections specified in np-within-default Both np-within-default and np-empty allow the following connection(s): -src: default/cog-agents-d54st, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-qr8gp, conn: All connections +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml index a81fd7a5a..4d9cb712b 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml @@ -7,39 +7,8 @@ explanation: - description: Both np-within-default and np-empty allow the following connection(s) connections: - - src: default/cog-agents-d54st - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json index 59b868d37..5b22fd4e7 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json @@ -12,314 +12,8 @@ "description": "Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined", "connections": [ { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/vpn-858f6d9777-2bw5m", + "src": "['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/heapster-7df8cb8c66-zxkk2']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/heapster-7df8cb8c66-zxkk2', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-2qw2g', 'kube-system/kube-fluentd-h6rjg', 'kube-system/kube-fluentd-qmp4w', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "All connections", "conns_config2": "No connections" } diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt index fa4b6650d..a1849b0d1 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt @@ -1,54 +1,3 @@ NetworkPolicy kube-system/allow-ingress-app-notin-predefined is not equivalent in nt_notin and in nt_notinwithexists Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined: -src: kube-system/calico-node-mgdlr, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. +src: ['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/heapster-7df8cb8c66-zxkk2'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/heapster-7df8cb8c66-zxkk2', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-2qw2g', 'kube-system/kube-fluentd-h6rjg', 'kube-system/kube-fluentd-qmp4w', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml index 345bb5e81..b09d540f1 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml @@ -9,211 +9,14 @@ - description: Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined connections: - - src: kube-system/calico-node-mgdlr - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/vpn-858f6d9777-2bw5m + - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/calico-node-ns8kw'', + ''kube-system/calico-node-ptdgj'', ''kube-system/heapster-7df8cb8c66-zxkk2'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/calico-node-ns8kw'', + ''kube-system/calico-node-ptdgj'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/heapster-7df8cb8c66-zxkk2'', ''kube-system/keepalived-watcher-57ghx'', + ''kube-system/keepalived-watcher-gzdfm'', ''kube-system/keepalived-watcher-wczq8'', + ''kube-system/kube-fluentd-2qw2g'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/kube-fluentd-qmp4w'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' conns_config1: All connections conns_config2: No connections diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json index 9037773b6..b986b4129 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json @@ -12,53 +12,13 @@ "description": "Connections allowed in np-within-default which are not a subset of those in np-partly-within-default", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc']", + "dst": "['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" }, { - "src": "default/cog-agents-d54st", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" } ] diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt index 51ff4b6fb..94c102db9 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt @@ -1,12 +1,4 @@ np-partly-within-default does not permit connections specified in np-within-default Connections allowed in np-within-default which are not a subset of those in np-partly-within-default: -src: default/cog-agents-d54st, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-qr8gp, conn: All connections +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc'], dst: ['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections +src: ['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml index 2f617131a..d3ea3b0eb 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml @@ -9,33 +9,10 @@ - description: Connections allowed in np-within-default which are not a subset of those in np-partly-within-default connections: - - src: default/cog-agents-d54st - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'']' + dst: '[''default/cog-agents-qr8gp'', ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-qr8gp'', ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections From eaf561d666db962aa368b56b292733b68305fdcb Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 13:15:55 +0300 Subject: [PATCH 28/89] Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 191 ++-------------------------- 1 file changed, 10 insertions(+), 181 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 7a0426e63..2a2ca09d8 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -80,12 +80,14 @@ def _create_fw_rules(self): :return: None """ # partition peer_props to ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr - self._compute_basic_namespace_grouping() + self._compute_basic_grouping() - # add all fw-rules: - self._add_all_fw_rules() + # Creating fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) + self.minimized_fw_rules.extend(self._create_fw_rules_from_base_elements_list(self.ns_set_pairs)) + self.minimized_fw_rules.extend(self._create_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) + self.minimized_fw_rules.extend(self._create_fw_rules_from_base_elements_list(self.base_elem_pairs)) - def _compute_basic_namespace_grouping(self): + def _compute_basic_grouping(self): """ computation of peer sets with possible grouping by namespaces. Results are at: ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr @@ -265,7 +267,7 @@ def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_ :param PeerSet dim_peers: a set of peers for the first dimension :param str other_dim_name: the second dimension name :param PeerSet other_dim_peers: a set of peers for the second dimension - :param dict peer_to_peer_map: the map from first dimention peers to second dimention peers + :param dict peers_to_peers_map: the map from first dimention peers to second dimension peers """ curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: dim_peers, other_dim_name: other_dim_peers}) @@ -349,7 +351,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se res.append(fw_rule) return res - def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): + def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ creating initial fw-rules from base elements :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock @@ -362,7 +364,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): self.output_config)) return res - def _create_initial_fw_rules_from_peer_props(self, peer_props): + def _create_fw_rules_from_peer_props(self, peer_props): res = [] # first, try to group peers paired with src/dst ipblocks ipblock = IpBlock.get_all_ips_block_peer_set() @@ -444,186 +446,13 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ # unknown base-elem type return None - def _create_all_initial_fw_rules(self): - """ - Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) - :return: a list of initial fw-rules of type FWRule - :rtype list[FWRule] - """ - - initial_fw_rules = [] - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) - initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) - initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.base_elem_pairs)) - return initial_fw_rules - - def _add_all_fw_rules(self): - """ - Computation of fw-rules, following the ns-grouping of peer_pairs. - Results are at: self.minimized_rules_set - :return: None - """ - # create initial fw-rules from ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr - initial_fw_rules = self._create_all_initial_fw_rules() - self.minimized_fw_rules = initial_fw_rules - return # Tanya: temp - # TODO - remove the code below after checking and updating all expected results - - # option1 - start computation when src is fixed at first iteration, and merge applies to dst - option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) - # option2 - start computation when dst is fixed at first iteration, and merge applies to src - option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) - - # self.post_processing_fw_rules(option1) - # self.post_processing_fw_rules(option2) - - if self.output_config.fwRulesRunInTestMode: - # add info for documentation about computation results - self.results_info_per_option['option1_len'] = len(option1) - self.results_info_per_option['option2_len'] = len(option2) - self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 - self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 - - if self.output_config.fwRulesDebug: - print('option 1 rules:') - self._print_firewall_rules(option1) - print('option 2 rules: ') - self._print_firewall_rules(option2) - - # choose the option with less fw-rules - if len(option1) < len(option2): - self.minimized_fw_rules = option1 - return - self.minimized_fw_rules = option2 - - def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): - """ - Apply grouping for a set of elements to create grouped fw-rules - :param fixed_elem: the fixed elements from the original fw-rules - :param set_for_grouping_elems: the set of elements to be grouped - :param src_first: a bool flag to indicate if fixed_elem is src or dst - :return: A list of fw-rules after possible grouping operations - """ - res = [] - # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems - peer_set_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, PeerSetElement)) - pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if - isinstance(elem, (PodElement, PodLabelsElement))) - ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) - dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) - ns_elems = set_for_grouping_elems - (peer_set_elems | pod_and_pod_labels_elems | ip_block_elems | dns_elems) - - if ns_elems: - # grouping of ns elements is straight-forward - ns_set = set.union(*(f.ns_info for f in ns_elems)) - res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) - - for peer_set_elem in peer_set_elems: - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, peer_set_elem.get_pods_set(), - fixed_elem, set(), True)) - - # fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) if src_first else \ - # FWRule(peer_set_elem, fixed_elem, self.connections) - # res.append(fw_rule) - - if pod_and_pod_labels_elems: - # grouping of pod and pod-labels elements - # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping - if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): - elem = list(pod_and_pod_labels_elems)[0] - fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, - self.connections) - res.append(fw_rule) - else: - # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped - set_for_grouping_pods = set() - for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set() - - # allow borrowing pods for labels-grouping from covered_peer_props - fixed_elem_pods = fixed_elem.get_pods_set() - # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within - # covered_peer_props - extra_pods_list = [] - for p in fixed_elem_pods: - pods_to_add = self._get_peers_paired_with_given_peer(p, src_first) - extra_pods_list.append(pods_to_add) - # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within - # covered_peer_props - extra_pods_list_common = set() - if extra_pods_list: - extra_pods_list_common = set.intersection(*extra_pods_list) - - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, - fixed_elem, extra_pods_list_common)) - - if ip_block_elems: - # currently no grouping for ip blocks - for elem in ip_block_elems: - if src_first: - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - if dns_elems: - for elem in dns_elems: - if src_first: # do we need both if else? , dns_elem may be a dst always - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - return res - def _get_peers_paired_with_given_peer(self, peer, is_src_peer): this_dim = "src_peers" if is_src_peer else "dst_peers" other_dim = "dst_peers" if is_src_peer else "src_peers" props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) return props.project_on_one_dimension(other_dim) - def _create_merged_rules_set(self, is_src_first, fw_rules): - """ - Computing a minimized set of fw-rules by merging src/dst elements iteratively - :param is_src_first: a bool flag to indicate if merge process starts with src or dest - :param fw_rules: a list of initial fw-rules - :return: a list of minimized fw-rules after merge process - """ - initial_fw_rules = fw_rules.copy() - if not initial_fw_rules: - return [], 0 - count_fw_rules = dict() # map number of fw-rules per iteration number - max_iter = self.output_config.fwRulesMaxIter - convergence_iteration = max_iter - for i in range(0, max_iter): - fw_rules_after_merge = [] - count_fw_rules[i] = len(initial_fw_rules) - if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: - convergence_iteration = i - break - if i > 1 and self.output_config.fwRulesRunInTestMode: - assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." - # change the grouping target (src/dst) on each iteration - src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) - first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) - for elem in first_elem_set: - if src_first: - # TODO: equals or contained in? - # set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem <= f.src) - set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem == f.src) - else: - # set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem <= f.dst) - set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem == f.dst) - res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) - fw_rules_after_merge.extend(res) - # prepare for next iteration - initial_fw_rules = fw_rules_after_merge - if self.output_config.fwRulesDebug: - print('fw rules after iteration: ' + str(i)) - self._print_firewall_rules(initial_fw_rules) - - return initial_fw_rules, convergence_iteration - - # --------------------------------------------------------------------------------------------------------- + # --------------------------------------------------------------------------------------------------------- # below functions are for debugging : def _print_results_info(self): From 100df6ad45ac580c7fa7bb473958084db0abfcdf Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 13:19:35 +0300 Subject: [PATCH 29/89] Fixed lint error. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 2a2ca09d8..9f96733a2 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -452,7 +452,7 @@ def _get_peers_paired_with_given_peer(self, peer, is_src_peer): props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) return props.project_on_one_dimension(other_dim) - # --------------------------------------------------------------------------------------------------------- + # --------------------------------------------------------------------------------------------------------- # below functions are for debugging : def _print_results_info(self): From b578147d3cfc14c6c4e7fe64cd62dbaf425aec84 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 14:26:28 +0300 Subject: [PATCH 30/89] Changed default to be the optimized run. Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 27 +++++++++---------------- nca/SchemeRunner.py | 2 +- nca/nca_cli.py | 4 ++-- tests/run_all_tests.py | 2 +- 4 files changed, 14 insertions(+), 21 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 8046f37db..b4264b34e 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -895,6 +895,11 @@ def exec(self): self.compute_connectivity_output_optimized() opt_end = time.time() print(f'Opt time: {(opt_end - opt_start):6.2f} seconds') + # the same result for opt == 'true'/'debug' + if self.output_config.outputFormat in ['json', 'yaml']: + res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] + else: + res.output_explanation = [ComputedExplanation(str_explanation=output_res)] if self.config.optimized_run == 'debug': if fw_rules and opt_fw_rules: self.compare_fw_rules(fw_rules, opt_fw_rules, self.config.peer_container, @@ -905,11 +910,6 @@ def exec(self): if fw_rules_non_tcp and opt_fw_rules_non_tcp: self.compare_fw_rules(fw_rules_non_tcp, opt_fw_rules_non_tcp, self.config.peer_container, f"connectivity - non-tcp only of {self.config.name}") - else: # self.config.optimized_run == 'true': - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] return res def get_connectivity_output_full(self, connections, peers, peers_to_compare): @@ -1277,18 +1277,11 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) conns1 = conns if props_based_on_config1 else no_conns conns2 = no_conns if props_based_on_config1 else conns - if self.output_config.fullExplanation: - if self.config1.optimized_run == 'true': - src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) - dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) - different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, - conns1, conns2)) - else: # 'debug': produce the same output format as in the original implementation (per peer pairs) - for src_peer in src_peers: - for dst_peer in dst_peers: - if src_peer != dst_peer: - different_conns_list.append(PeersAndConnections(str(src_peer), str(dst_peer), - conns1, conns2)) + if self.output_config.fullExplanation: # the same result for opt == 'true'/'debug' + src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) + dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) + different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: different_conns_list.append(PeersAndConnections(src_peers.rep(), dst_peers.rep(), conns1, conns2)) return diff --git a/nca/SchemeRunner.py b/nca/SchemeRunner.py index 37fc1d27c..f936345d1 100644 --- a/nca/SchemeRunner.py +++ b/nca/SchemeRunner.py @@ -22,7 +22,7 @@ class SchemeRunner(GenericYamlParser): 'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes', 'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity', 'semanticDiff'} - def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='false'): + def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='true'): GenericYamlParser.__init__(self, scheme_file_name) self.network_configs = {} self.global_res = 0 diff --git a/nca/nca_cli.py b/nca/nca_cli.py index e8476b1a8..53cc558f4 100644 --- a/nca/nca_cli.py +++ b/nca/nca_cli.py @@ -343,8 +343,8 @@ def nca_main(argv=None): parser.add_argument('--output_endpoints', choices=['pods', 'deployments'], help='Choose endpoints type in output (pods/deployments)', default='deployments') parser.add_argument('--optimized_run', '-opt', type=str, - help='Whether to run optimized run (-opt=true), original run (-opt=false) - the default ' - 'or the comparison of the both (debug)', default='false') + help='Whether to run optimized run (-opt=true) - the default, original run (-opt=false) ' + 'or the comparison of the both (debug)', default='true') parser.add_argument('--print_ipv6', action='store_true', help='Display IPv6 addresses connections too. ' 'If the policy reference IPv6 addresses, ' 'their connections will be printed anyway') diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py index f1aab3eb5..1cf34efca 100644 --- a/tests/run_all_tests.py +++ b/tests/run_all_tests.py @@ -416,7 +416,7 @@ def main(argv=None): default='general') parser.add_argument('--hc_opt', choices=['false', 'true', 'debug'], help='Choose non-optimized/optimized/comparison run', - default='false') + default='true') parser.add_argument('--category', choices=['k8s', 'calico', 'istio'], help='Choose category of tests', default='') parser.add_argument('--create_expected_output_files', action='store_true', help='Add missing expected output files') From 3d35da6efcd5847559e8629dfd2482f77a443302 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:21:33 +0300 Subject: [PATCH 31/89] In opt='debug' the result explanation should ne according to the optimized run. Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 33 ++++++++++++++----------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index b4264b34e..9447cc675 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1396,7 +1396,6 @@ class PropsAndExplanationData: output_config: OutputConfiguration peer_container: PeerContainer - @staticmethod def get_query_type(): return QueryType.PairComparisonQuery @@ -1605,15 +1604,18 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, True, orig_conn_graph_added_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - added_props_data = added_props_per_key[key] - assert added_props_per_key - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - added_props_data.props, added_props_data.cluster_info, added_props_data.output_config, - added_props_data.peer_container, None) + added_props = added_props_per_key[key] + assert added_props + opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( + key, True, added_props, res == 0) + if not opt_fw_rules: + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + added_props.props, added_props.cluster_info, added_props.output_config, + added_props.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, self._get_updated_key(key, True) + f'between {self.config1.name} and {self.config2.name}') - explanation.append(key_explanation) + explanation.append(opt_key_explanation) res += 1 if is_removed: @@ -1622,15 +1624,18 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, False, orig_conn_graph_removed_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - removed_props_data = removed_props_per_key[key] - assert removed_props_data - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - removed_props_data.props, removed_props_data.cluster_info, removed_props_data.output_config, - removed_props_data.peer_container, None) + removed_props = removed_props_per_key[key] + assert removed_props + opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( + key, False, removed_props, res == 0) + if not opt_fw_rules: + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + removed_props.props, removed_props.cluster_info, removed_props.output_config, + removed_props.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, self._get_updated_key(key, False) + f'between {self.config1.name} and {self.config2.name}') - explanation.append(key_explanation) + explanation.append(opt_key_explanation) res += 1 return res, explanation @@ -2026,7 +2031,7 @@ def exec(self, cmd_line_flag): keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() if self.config1.optimized_run == 'true': res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, - added_props_per_key) + added_props_per_key) else: res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, From 4a70d30ff07ebd60f3f00e29c0204706f919f0ca Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:30:16 +0300 Subject: [PATCH 32/89] Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya --- .../sidecars-disable-egress-scheme.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml index ddcd6e3d2..4da44d216 100644 --- a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml +++ b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml @@ -1,6 +1,5 @@ resourceList: -# - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml - - ../all_deployments.yaml + - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml - ../onlineboutique-services.yaml networkConfigList: From f382c5e8d610fa6894670846be9e4ea8de4f1313 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:50:58 +0300 Subject: [PATCH 33/89] Updating more expected results. Signed-off-by: Tanya --- .../expected_cmdline_output_files/helm_test_multi_chart.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt index 69ec3f281..bff16a3e8 100644 --- a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt @@ -1,12 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: TCP 3000 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: UDP 53 src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [!has(app.kubernetes.io/instance) and !has(app.kubernetes.io/name)] conn: All connections src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=grafana}] dst_ns: [default] dst_pods: [nca-extract-kube-state-metrics] conn: All connections +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections From d4956a0f1aac600dd71c4ad5ef004ba0f8fb3e09 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 16 Apr 2024 13:03:43 +0300 Subject: [PATCH 34/89] Small optimizations. Signed-off-by: Tanya --- nca/CoreDS/CanonicalHyperCubeSet.py | 18 +++++++++++------ nca/CoreDS/ConnectivityCube.py | 27 ++++++++++--------------- nca/CoreDS/ConnectivityProperties.py | 13 ++++++------ nca/FWRules/MinimizeBasic.py | 18 +++++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 21 ++++++++++--------- nca/NetworkConfig/NetworkConfigQuery.py | 22 +++++++++++--------- 6 files changed, 66 insertions(+), 53 deletions(-) diff --git a/nca/CoreDS/CanonicalHyperCubeSet.py b/nca/CoreDS/CanonicalHyperCubeSet.py index a64c8b812..5f9ba1330 100644 --- a/nca/CoreDS/CanonicalHyperCubeSet.py +++ b/nca/CoreDS/CanonicalHyperCubeSet.py @@ -41,7 +41,6 @@ class CanonicalHyperCubeSet: def __init__(self, dimensions, allow_all=False): self.layers = dict() # layers are w.r.t active dimensions self.all_dimensions_list = dimensions # ordered list of all dimensions - self.all_dim_types = [DimensionsManager().get_dimension_type_by_name(dim_name) for dim_name in dimensions] # init ordered list of active dimensions: if allow_all: self.active_dimensions = [] # names (for non-active dimensions everything is allowed) @@ -172,8 +171,9 @@ def _get_entire_space_cube(self, dimensions_list_restriction=None): dimensions_list_restriction = self.all_dimensions_list dimensions_list_ordered = self._get_dimensions_subset_by_order(dimensions_list_restriction) cube_res = [] + dimensions_manager = DimensionsManager() for dim_name in dimensions_list_ordered: - cube_res.append(DimensionsManager().get_dimension_domain_by_name(dim_name, True)) + cube_res.append(dimensions_manager.get_dimension_domain_by_name(dim_name, True)) return cube_res def __len__(self): @@ -228,7 +228,10 @@ def __contains__(self, item): """ if len(item) < len(self.all_dimensions_list): raise Exception("input item len mismatch") - for index, dim_type in enumerate(self.all_dim_types): + dimensions_manager = DimensionsManager() + all_dim_types = [dimensions_manager.get_dimension_type_by_name(dim_name) + for dim_name in self.all_dimensions_list] + for index, dim_type in enumerate(all_dim_types): if dim_type == DimensionsManager.DimensionType.DFA: assert (isinstance(item[index], str)) else: @@ -604,9 +607,10 @@ def get_cube_str(self, cube): :return: str representation for cube's values """ res = "" + dimensions_manager = DimensionsManager() for dim_index, dim_values in enumerate(cube): dim_name = self.active_dimensions[dim_index] - res += DimensionsManager().get_dim_values_str(dim_values, dim_name) + ", " + res += dimensions_manager.get_dim_values_str(dim_values, dim_name) + ", " return f"({res})" def _is_last_dimension(self): @@ -666,11 +670,12 @@ def _get_aligned_cube_by_new_active_dimensions(cube, current_active_dimensions, for index, dim_name in enumerate(current_active_dimensions): current_active_dimensions_dict[dim_name] = index aligned_cube_values = [] + dimensions_manager = DimensionsManager() for active_dim_name in new_active_dimensions: if active_dim_name in current_active_dimensions_dict: aligned_cube_values.append(cube[current_active_dimensions_dict[active_dim_name]]) else: - aligned_cube_values.append(DimensionsManager().get_dimension_domain_by_name(active_dim_name, True)) + aligned_cube_values.append(dimensions_manager.get_dimension_domain_by_name(active_dim_name, True)) return aligned_cube_values def _set_active_dimensions(self, dim_names_set): @@ -828,8 +833,9 @@ def reduce_active_dimensions(self): # reduce by searching for active dimensions on which entire domain is allowed for all the cubes dimensions_to_reduce = [] values_per_dimension = self._get_values_sets_per_active_dimension() + dimensions_manager = DimensionsManager() for dim_name, values_set in values_per_dimension.items(): - dim_domain = DimensionsManager().get_dimension_domain_by_name(dim_name) + dim_domain = dimensions_manager.get_dimension_domain_by_name(dim_name) if {dim_domain} == values_set: dimensions_to_reduce.append(dim_name) dimensions_to_reduce = self._get_dimensions_subset_by_order(dimensions_to_reduce) diff --git a/nca/CoreDS/ConnectivityCube.py b/nca/CoreDS/ConnectivityCube.py index 4279ffdc1..c44892f63 100644 --- a/nca/CoreDS/ConnectivityCube.py +++ b/nca/CoreDS/ConnectivityCube.py @@ -29,8 +29,9 @@ def __init__(self, dimensions_list=None): self.dimensions_list = dimensions_list if dimensions_list else self.all_dimensions_list self.named_ports = set() # used only in the original solution self.excluded_named_ports = set() # used only in the original solution + dimensions_manager = DimensionsManager() for dim in self.dimensions_list: - dim_value = DimensionsManager().get_dimension_domain_by_name(dim, True) + dim_value = dimensions_manager.get_dimension_domain_by_name(dim, True) self.set_dim_directly(dim, dim_value) def copy(self): @@ -46,17 +47,6 @@ def copy(self): res.set_dim_directly(dim_name, dim_value.copy()) return res - def is_empty_dim(self, dim_name): - """ - Returns True iff a given dimension is empty - :param str dim_name: the given dimension name - """ - if self.get_dim_directly(dim_name) != DimensionsManager().get_empty_dimension_by_name(dim_name): - return False - - # for "dst_ports" can have named ports in original solution - return not self.named_ports and not self.excluded_named_ports if dim_name == "dst_ports" else True - def is_full_dim(self, dim_name): """ Returns True iff a given dimension is full @@ -171,8 +161,9 @@ def has_active_dim(self): """ Returns True iff the cube has at least one active dimension. Otherwise, returns False. """ + dimensions_manager = DimensionsManager() for dim in self.dimensions_list: - if self.get_dim_directly(dim) != DimensionsManager().get_dimension_domain_by_name(dim): + if self.get_dim_directly(dim) != dimensions_manager.get_dimension_domain_by_name(dim): return True return False @@ -180,9 +171,12 @@ def is_empty(self): """ Returns True iff the cube has at least one empty dimension. Otherwise, returns False. """ + dimensions_manger = DimensionsManager() for dim in self.dimensions_list: - if self.is_empty_dim(dim): - return True + if self.get_dim_directly(dim) == dimensions_manger.get_empty_dimension_by_name(dim): + # for "dst_ports" can have named ports in original solution + if dim != "dst_ports" or (not self.named_ports and not self.excluded_named_ports): + return True return False def get_ordered_cube_and_active_dims(self): @@ -192,10 +186,11 @@ def get_ordered_cube_and_active_dims(self): """ cube = [] active_dims = [] + dimensions_manager = DimensionsManager() # add values to cube by required order of dimensions for dim in self.dimensions_list: dim_value = self.get_dim_directly(dim) - if dim_value != DimensionsManager().get_dimension_domain_by_name(dim): + if dim_value != dimensions_manager.get_dimension_domain_by_name(dim): if isinstance(dim_value, MinDFA): cube.append(dim_value) else: diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index b0e9d36dd..330a042b2 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -149,10 +149,11 @@ def get_cube_dict(self, cube, is_txt=False): :rtype: dict """ cube_dict = {} + dimensions_manager = DimensionsManager() for i, dim in enumerate(self.active_dimensions): dim_values = cube[i] - dim_type = DimensionsManager().get_dimension_type_by_name(dim) - dim_domain = DimensionsManager().get_dimension_domain_by_name(dim) + dim_type = dimensions_manager.get_dimension_type_by_name(dim) + dim_domain = dimensions_manager.get_dimension_domain_by_name(dim) if dim_domain == dim_values: continue # skip dimensions with all values allowed in a cube if dim in ['protocols', 'methods']: @@ -167,7 +168,7 @@ def get_cube_dict(self, cube, is_txt=False): values_list = ','.join(str(interval) for interval in values_list) else: # TODO: should be a list of words for a finite len DFA? - values_list = DimensionsManager().get_dim_values_str(dim_values, dim) + values_list = dimensions_manager.get_dim_values_str(dim_values, dim) cube_dict[dim] = values_list return cube_dict @@ -452,9 +453,9 @@ def get_all_conns_props_per_domain_peers(): This is a compact way to represent all peers connections, but it is an over-approximation also containing IpBlock->IpBlock connections. Those redundant connections will be eventually filtered out. """ - src_peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("src_peers")) - dst_peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("dst_peers")) - return ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers}) + # optimization: src_peers and dst_peers have the same domain + peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("src_peers")) + return ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers, "dst_peers": peers}) @staticmethod def make_empty_props(): diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 72de6a6d0..81362ee24 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -108,24 +108,30 @@ def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): @staticmethod def get_connection_set_and_peers_from_cube(the_cube, peer_container, relevant_protocols=ProtocolSet(True)): + all_peers = peer_container.get_all_peers_group(True) conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) + src_peers = conn_cube["src_peers"] or all_peers conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) + dst_peers = conn_cube["dst_peers"] or all_peers conn_cube.unset_dim("dst_peers") protocols = conn_cube["protocols"] conn_cube.unset_dim("protocols") - if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): + has_active_dim = conn_cube.has_active_dim() + if not has_active_dim and (protocols == relevant_protocols or protocols.is_whole_range()): conns = ConnectionSet(True) else: conns = ConnectionSet() protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) + if has_active_dim: + props = ConnectivityProperties.make_conn_props(conn_cube) + else: + props = ConnectivityProperties.make_all_props() for protocol in protocol_names: - if conn_cube.has_active_dim(): - conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) + if has_active_dim: + conns.add_connections(protocol, props) else: if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, ConnectivityProperties.make_all_props()) + conns.add_connections(protocol, props) else: conns.add_connections(protocol, True) return conns, src_peers, dst_peers diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 5865cb20b..6b7d488bf 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -193,14 +193,13 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() curr_ns_set = set() - curr_ns_peers = PeerSet() for ns in ns_set: ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, - other_dim_name: other_dim_peers}) - if ns_peers.issubset(dim_peers) and (curr_covered & self.peer_props_without_ns_expr): - curr_ns_set.add(ns) - curr_ns_peers |= ns_peers + if ns_peers.issubset(dim_peers): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + curr_ns_set.add(ns) if curr_ns_set: ns_set_to_peer_set[frozenset(curr_ns_set)] |= other_dim_peers for curr_ns_set, other_dim_peers in ns_set_to_peer_set.items(): @@ -216,12 +215,14 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): # ensure that the found pairs (with and without IpBlocks) are at least partially included # in the current connections' properties (rather than being wholly contained # in containing connections' properties) - if self.peer_props_without_ns_expr & curr_covered_without_ip_block: - self.peer_props_without_ns_expr -= curr_covered_without_ip_block + peer_props_without_ns_expr_updated = self.peer_props_without_ns_expr - curr_covered_without_ip_block + if self.peer_props_without_ns_expr != peer_props_without_ns_expr_updated: + self.peer_props_without_ns_expr = peer_props_without_ns_expr_updated self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns else (other_dim_peers_without_ip_block, curr_ns_set)) - if self.peer_props_without_ns_expr & curr_covered_ip_block: - self.peer_props_without_ns_expr -= curr_covered_ip_block + peer_props_without_ns_expr_updated = self.peer_props_without_ns_expr - curr_covered_ip_block + if self.peer_props_without_ns_expr != peer_props_without_ns_expr_updated: + self.peer_props_without_ns_expr = peer_props_without_ns_expr_updated self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 9447cc675..2aae664e1 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1129,8 +1129,9 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, - connectivity_restriction=connectivity_restriction) # Tanya: debug + if self.config.optimized_run == 'debug': + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, + connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules @@ -1527,7 +1528,8 @@ def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_co fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, props_data.output_config, props_data.peer_container, None) - self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) # Tanya: debug + if self.config1.optimized_run == 'debug': + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) if self.output_config.outputFormat in ['json', 'yaml']: @@ -1612,9 +1614,10 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( added_props.props, added_props.cluster_info, added_props.output_config, added_props.peer_container, None) - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, - self._get_updated_key(key, True) + - f'between {self.config1.name} and {self.config2.name}') + if self.config1.optimized_run == 'debug': + self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, + self._get_updated_key(key, True) + + f'between {self.config1.name} and {self.config2.name}') explanation.append(opt_key_explanation) res += 1 @@ -1632,9 +1635,10 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( removed_props.props, removed_props.cluster_info, removed_props.output_config, removed_props.peer_container, None) - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, - self._get_updated_key(key, False) + - f'between {self.config1.name} and {self.config2.name}') + if self.config1.optimized_run == 'debug': + self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, + self._get_updated_key(key, False) + + f'between {self.config1.name} and {self.config2.name}') explanation.append(opt_key_explanation) res += 1 From c0b2ed11c55892ef66cd4c7f98b09a5aab683f4c Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 25 Feb 2024 19:06:07 +0200 Subject: [PATCH 35/89] Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya --- nca/CoreDS/ConnectionSet.py | 123 ------- nca/CoreDS/ConnectivityCube.py | 14 +- nca/CoreDS/ConnectivityProperties.py | 82 ++++- nca/CoreDS/Peer.py | 6 + nca/FWRules/ConnectivityGraph.py | 56 +-- nca/FWRules/FWRule.py | 77 ++-- nca/FWRules/MinimizeBasic.py | 155 ++++++++ nca/FWRules/MinimizeCsFWRulesOpt.py | 446 ++++++++++++++++++++++++ nca/FWRules/MinimizeFWRules.py | 254 ++++++++------ nca/NetworkConfig/NetworkConfigQuery.py | 37 +- 10 files changed, 910 insertions(+), 340 deletions(-) create mode 100644 nca/FWRules/MinimizeBasic.py create mode 100644 nca/FWRules/MinimizeCsFWRulesOpt.py diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py index f93142444..1e0626163 100644 --- a/nca/CoreDS/ConnectionSet.py +++ b/nca/CoreDS/ConnectionSet.py @@ -3,13 +3,10 @@ # SPDX-License-Identifier: Apache2.0 # -from collections import defaultdict from .CanonicalIntervalSet import CanonicalIntervalSet from .ConnectivityProperties import ConnectivityProperties from .ProtocolNameResolver import ProtocolNameResolver from .ProtocolSet import ProtocolSet -from .Peer import PeerSet, IpBlock -from nca.FWRules import FWRule class ConnectionSet: @@ -580,123 +577,3 @@ def get_non_tcp_connections(): res.add_all_connections([ProtocolNameResolver.get_protocol_number('TCP')]) return res # return ConnectionSet(True) - ConnectionSet.get_all_TCP_connections() - - # TODO - after moving to the optimized HC set implementation, - # get rid of ConnectionSet and move the code below to ConnectivityProperties.py - - @staticmethod - def get_connection_set_and_peers_from_cube(the_cube, peer_container, - relevant_protocols=ProtocolSet(True)): - conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) - conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) - conn_cube.unset_dim("dst_peers") - protocols = conn_cube["protocols"] - conn_cube.unset_dim("protocols") - if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): - conns = ConnectionSet(True) - else: - conns = ConnectionSet() - protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) - for protocol in protocol_names: - if conn_cube.has_active_dim(): - conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - else: - if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, - ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) - else: - conns.add_connections(protocol, True) - return conns, src_peers, dst_peers - - @staticmethod - def conn_props_to_fw_rules(conn_props, cluster_info, peer_container, - connectivity_restriction): - """ - Build FWRules from the given ConnectivityProperties - :param ConnectivityProperties conn_props: properties describing allowed connections - :param ClusterInfo cluster_info: the cluster info - :param PeerContainer peer_container: the peer container - whereas all other values should be filtered out in the output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return: FWRules map - """ - relevant_protocols = ProtocolSet() - if connectivity_restriction: - if connectivity_restriction == 'TCP': - relevant_protocols.add_protocol('TCP') - else: # connectivity_restriction == 'non-TCP' - relevant_protocols = ProtocolSet.get_non_tcp_protocols() - - fw_rules_map = defaultdict(list) - for cube in conn_props: - conn_cube = conn_props.get_connectivity_cube(cube) - conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) - # create FWRules for src_peers and dst_peers - fw_rules_map[conns] += ConnectionSet.create_fw_rules_list_from_conns(conns, src_peers, dst_peers, - cluster_info) - return fw_rules_map - - @staticmethod - def create_fw_rules_list_from_conns(conns, src_peers, dst_peers, cluster_info): - src_fw_elements = ConnectionSet.split_peer_set_to_fw_rule_elements(src_peers, cluster_info) - dst_fw_elements = ConnectionSet.split_peer_set_to_fw_rule_elements(dst_peers, cluster_info) - fw_rules_list = [] - for src_elem in src_fw_elements: - for dst_elem in dst_fw_elements: - fw_rules_list.append(FWRule.FWRule(src_elem, dst_elem, conns)) - return fw_rules_list - - @staticmethod - def split_peer_set_to_fw_rule_elements(peer_set, cluster_info): - res = [] - peer_set_copy = peer_set.copy() - ns_set = set() - # first, split by namespaces - while peer_set_copy: - peer = list(peer_set_copy)[0] - if isinstance(peer, IpBlock): - res.append(FWRule.IPBlockElement(peer)) - peer_set_copy.remove(peer) - continue - elif isinstance(peer, FWRule.DNSEntry): - res.append(FWRule.DNSElement(peer)) - peer_set_copy.remove(peer) - continue - ns_peers = PeerSet(cluster_info.ns_dict[peer.namespace]) - if ns_peers.issubset(peer_set_copy): - ns_set.add(peer.namespace) - else: - # TODO try to split the element below by labels - res.append(FWRule.PeerSetElement(ns_peers & peer_set_copy)) - peer_set_copy -= ns_peers - if ns_set: - res.append(FWRule.FWRuleElement(ns_set)) - - return res - - @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container): - """ - Converting FWRules to ConnectivityProperties format. - This function is used for comparing FWRules output between original and optimized solutions, - when optimized_run == 'debug' - :param MinimizeFWRules fw_rules: the given FWRules. - :param PeerContainer peer_container: the peer container - :return: the resulting ConnectivityProperties. - """ - res = ConnectivityProperties.make_empty_props() - if fw_rules.fw_rules_map is None: - return res - for fw_rules_list in fw_rules.fw_rules_map.values(): - for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) - src_peers = PeerSet(fw_rule.src.get_peer_set(fw_rules.cluster_info)) - dst_peers = PeerSet(fw_rule.dst.get_peer_set(fw_rules.cluster_info)) - rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, - "dst_peers": dst_peers}) & conn_props - res |= rule_props - return res diff --git a/nca/CoreDS/ConnectivityCube.py b/nca/CoreDS/ConnectivityCube.py index 44c9b54c7..4279ffdc1 100644 --- a/nca/CoreDS/ConnectivityCube.py +++ b/nca/CoreDS/ConnectivityCube.py @@ -17,15 +17,16 @@ class ConnectivityCube(dict): It is used as an input interface for ConnectivityProperties methods. """ - dimensions_list = ["src_peers", "dst_peers", "protocols", "src_ports", "dst_ports", "methods", "hosts", "paths", - "icmp_type", "icmp_code"] + all_dimensions_list = ["src_peers", "dst_peers", "protocols", "src_ports", "dst_ports", "methods", "hosts", "paths", + "icmp_type", "icmp_code"] - def __init__(self): + def __init__(self, dimensions_list=None): """ By default, each dimension in the cube is initialized with entire domain value, which represents "don't care" or inactive dimension (i.e., the dimension has no impact). """ super().__init__() + self.dimensions_list = dimensions_list if dimensions_list else self.all_dimensions_list self.named_ports = set() # used only in the original solution self.excluded_named_ports = set() # used only in the original solution for dim in self.dimensions_list: @@ -37,7 +38,7 @@ def copy(self): Returns a copy of the given ConnectivityCube object :rtype: ConnectivityCube """ - res = ConnectivityCube() + res = ConnectivityCube(self.dimensions_list) for dim_name, dim_value in self.items(): if isinstance(dim_value, MinDFA): res.set_dim_directly(dim_name, dim_value) @@ -129,6 +130,11 @@ def unset_dim(self, dim_name): dim_value = DimensionsManager().get_dimension_domain_by_name(dim_name, True) self.set_dim_directly(dim_name, dim_value) + def unset_all_but_peers(self): + for dim_name in self.dimensions_list: + if dim_name not in ["src_peers", "dst_peers"]: + self.unset_dim(dim_name) + def __getitem__(self, dim_name): """ Returns a given dimension value after converting it from internal to external format. diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 84d4db0c4..7917fdd84 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -64,12 +64,12 @@ class ConnectivityProperties(CanonicalHyperCubeSet): (2) calico: +ve and -ve named ports, no src named ports, and no use of operators between these objects. """ - def __init__(self, create_all=False): + def __init__(self, dimensions_list=None, create_all=False): """ This will create empty or full connectivity properties, depending on create_all flag. :param create_all: whether to create full connectivity properties. """ - super().__init__(ConnectivityCube.dimensions_list) + super().__init__(dimensions_list if dimensions_list else ConnectivityCube.all_dimensions_list) self.named_ports = {} # a mapping from dst named port (String) to src ports interval set self.excluded_named_ports = {} # a mapping from dst named port (String) to src ports interval set if create_all: @@ -132,7 +132,7 @@ def get_connectivity_cube(self, cube): :return: the cube in ConnectivityCube format :rtype: ConnectivityCube """ - res = ConnectivityCube() + res = ConnectivityCube(self.all_dimensions_list) for i, dim in enumerate(self.active_dimensions): if isinstance(cube[i], MinDFA): res.set_dim_directly(dim, cube[i]) @@ -291,7 +291,7 @@ def copy(self): """ :rtype: ConnectivityProperties """ - res = ConnectivityProperties() + res = ConnectivityProperties(self.all_dimensions_list) for layer in self.layers: res.layers[self._copy_layer_elem(layer)] = self.layers[layer].copy() res.active_dimensions = self.active_dimensions.copy() @@ -470,7 +470,7 @@ def make_all_props(): Returns all connectivity properties, representing logical True :return: ConnectivityProperties """ - return ConnectivityProperties(True) + return ConnectivityProperties(create_all=True) def are_auto_conns(self): """ @@ -496,9 +496,79 @@ def props_without_auto_conns(self): """ Return the properties after removing all connections from peer to itself """ + return self - self.get_auto_conns_from_peers() + + def get_auto_conns_from_peers(self): + """ + Build properties containing all connections from peer to itself, for all peers in the current properties + :return: the resulting auto connections properties + """ peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") auto_conns = ConnectivityProperties() for peer in peers: auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}), "dst_peers": PeerSet({peer})}) - return self - auto_conns + return auto_conns + + def minimize(self): + """ + Try to minimize the current properties by changing the order between "src_peers" and "dst_peers" dimensions + """ + new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] + src_peers_index = self.all_dimensions_list.index("src_peers") + dst_peers_index = self.all_dimensions_list.index("dst_peers") + # switch between "src_peers" and "dst_peers" dimensions + new_all_dims_map[src_peers_index] = dst_peers_index + new_all_dims_map[dst_peers_index] = src_peers_index + new_props = self._reorder_by_dim_list(new_all_dims_map) + return self if len(self) <= len(new_props) else new_props + + def push_back_peers_dimensions(self): + """ + Reorder the current properties by making "src_peers" and "dst_peers" the last two dimensions. + """ + new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] + last_index = len(self.all_dimensions_list) - 1 + src_peers_index = self.all_dimensions_list.index("src_peers") + dst_peers_index = self.all_dimensions_list.index("dst_peers") + # switch between "src_peers", "dst_peers" and last two dimensions + new_all_dims_map[src_peers_index] = last_index - 1 + new_all_dims_map[last_index - 1] = src_peers_index + new_all_dims_map[dst_peers_index] = last_index + new_all_dims_map[last_index] = dst_peers_index + return self._reorder_by_dim_list(new_all_dims_map) + + def _reorder_by_dim_list(self, new_all_dims_map): + """ + Reorder the current properties by the given dimensions order + :param list[int] new_all_dims_map: the given dimensions order + :return: the reordered connectivity properties + """ + # Build reordered all dimensions list + new_all_dimensions_list = self._reorder_list_by_map(self.all_dimensions_list, new_all_dims_map) + new_active_dimensions = [] + new_active_dims_map = [i for i in range(len(self.active_dimensions))] + # Build reordered active dimensions list + for dim in new_all_dimensions_list: + if dim in self.active_dimensions: + new_active_dims_map[len(new_active_dimensions)] = self.active_dimensions.index(dim) + new_active_dimensions.append(dim) + # Build reordered properties by cubes + res = ConnectivityProperties(new_all_dimensions_list) + for cube in self: + new_cube = self._reorder_list_by_map(cube, new_active_dims_map) + res.add_cube(new_cube, new_active_dimensions) + return res + + @staticmethod + def _reorder_list_by_map(orig_list, new_to_old_map): + """ + Reorder a given list by map from new to old indices. + :param list orig_list: the original list + :param list[int] new_to_old_map: the list mapping new to old indices + :return: the resulting list + """ + res = [] + for i in range(len(orig_list)): + res.append(orig_list[new_to_old_map[i]]) + return res diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 02829449f..178c0281a 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -652,6 +652,12 @@ def get_set_without_ip_block(self): """ return set(elem for elem in self if not isinstance(elem, IpBlock)) + def get_set_without_ip_block_or_dns_entry(self): + """ + :return: a set with all elements from self which are not IpBlock or DNSEntry + """ + return set(elem for elem in self if not isinstance(elem, (IpBlock, DNSEntry))) + def get_ip_block_canonical_form(self): """ :return: IpBlock element in canonical form for all elements from self which are IpBlock diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 02ee57595..536301ce6 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -9,7 +9,7 @@ from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod from nca.CoreDS.ConnectionSet import ConnectionSet from .DotGraph import DotGraph -from .MinimizeFWRules import MinimizeCsFwRules, MinimizeFWRules +from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -60,7 +60,7 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container): :param PeerContainer peer_container: the peer container """ conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) for src_peer in src_peers: for dst_peer in dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) @@ -428,57 +428,7 @@ def get_minimized_firewall_rules(self): print(line) print('======================================================') # compute the minimized firewall rules - return self._minimize_firewall_rules(connections_sorted_by_size) - - def _minimize_firewall_rules(self, connections_sorted_by_size): - """ - Creates the set of minimized fw rules and prints to output - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - cs_containment_map = self._build_connections_containment_map(connections_sorted_by_size) - fw_rules_map = defaultdict(list) - results_map = dict() - minimize_cs = MinimizeCsFwRules(self.cluster_info, self.allowed_labels, self.output_config) - # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_pairs in connections_sorted_by_size: - # currently skip "no connections" - if not connections: - continue - # TODO: figure out why we have pairs with (ip,ip) ? - peer_pairs_filtered = self._get_peer_pairs_filtered(peer_pairs) - peer_pairs_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( - connections, peer_pairs_filtered, peer_pairs_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info - - minimize_fw_rules = MinimizeFWRules(fw_rules_map, self.cluster_info, self.output_config, - results_map) - return minimize_fw_rules - - @staticmethod - def _get_peer_pairs_filtered(peer_pairs): - """ - Filters out peer pairs where both src and dst are IpBlock - :param list peer_pairs: the peer pairs to filter - :return: a filtered set of peer pairs - """ - return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) - - def _build_connections_containment_map(self, connections_sorted_by_size): - """ - Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections - """ - cs_containment_map = defaultdict(set) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - peer_pairs_filtered = self._get_peer_pairs_filtered(peer_pairs) - cs_containment_map[conn] |= peer_pairs_filtered - return cs_containment_map + return MinimizeFWRules.minimize_firewall_rules(self.cluster_info, self.output_config, connections_sorted_by_size) @staticmethod def _merge_ip_blocks(connections_sorted_by_size): diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 3aff93b23..6b8597d4b 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -138,12 +138,14 @@ class FWRuleElement: Every fw-rule element (src,dst) has a ns-level info """ - def __init__(self, ns_info): + def __init__(self, ns_info, cluster_info=None): """ Create a FWRuleElement object :param ns_info: set of namespaces, of type: set[K8sNamespace] + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info """ self.ns_info = ns_info + self.cluster_info = cluster_info def get_elem_list_obj(self): """ @@ -187,34 +189,36 @@ def __hash__(self): def __eq__(self, other): return self.ns_info == other.ns_info + def __le__(self, other): + return self.get_peer_set().issubset(other.get_peer_set()) + def is_system_ns(self): """ :return: True if this element has one namespace and it ends with "system" """ return len(self.ns_info) == 1 and str(list(self.ns_info)[0]).endswith("-system") - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ res = set() for ns in self.ns_info: - res |= cluster_info.ns_dict[ns] + res |= self.cluster_info.ns_dict[ns] return res - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ - return PeerSet(self.get_pods_set(cluster_info)) + return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem): + def create_fw_elements_from_base_element(base_elem, cluster_info): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): @@ -222,9 +226,22 @@ def create_fw_elements_from_base_element(base_elem): elif isinstance(base_elem, IpBlock): return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): - return [FWRuleElement({base_elem})] + return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): return [DNSElement(base_elem)] + elif isinstance(base_elem, PeerSet): + pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) + ipblocks_and_dns = base_elem - pods + res = [] + while pods: + ns = list(pods)[0].namespace + ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) + res.append(PeerSetElement(ns_pods)) + pods -= ns_pods + if ipblocks_and_dns: + for peer in base_elem: + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info)) + return res # unknown base-elem type return None @@ -287,9 +304,8 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PodElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ return {self.element} @@ -301,13 +317,14 @@ class PodLabelsElement(FWRuleElement): """ # TODO: is it possible to have such element with len(ns_info)>1? if not, should add support for such merge? - def __init__(self, element, ns_info): + def __init__(self, element, ns_info, cluster_info): """ Create an object of type PodLabelsElement :param element: an element of type LabelExpr :param ns_info: namespace set of type set[K8sNamespace] + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info """ - super().__init__(ns_info) + super().__init__(ns_info, cluster_info) self.element = element def get_elem_list_obj(self): @@ -344,17 +361,16 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PodLabelsElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ res = set() - ns_pods = super().get_pods_set(cluster_info) + ns_pods = super().get_pods_set() key = self.element.key values = self.element.values for v in values: - pods_with_label_val_in_ns = cluster_info.pods_labels_map[(key, v)] & ns_pods + pods_with_label_val_in_ns = self.cluster_info.pods_labels_map[(key, v)] & ns_pods res |= pods_with_label_val_in_ns return res @@ -420,19 +436,17 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, PeerSetElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ return self.element - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ - return self.get_pods_set(cluster_info) + return self.get_pods_set() # TODO: should it be a sub-type of FWRuleElement? @@ -485,17 +499,15 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, IPBlockElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ # an ip block element does not represent any pods return set() - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ return PeerSet({self.element}) @@ -551,17 +563,15 @@ def __hash__(self): def __eq__(self, other): return isinstance(other, DNSElement) and self.element == other.element and super().__eq__(other) - def get_pods_set(self, cluster_info): + def get_pods_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a set of pods in the cluster represented by this element """ # an dns-entry element does not represent any pods return set() - def get_peer_set(self, cluster_info): + def get_peer_set(self): """ - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: a PeerSet (pods and/or IpBlocks) represented by this element """ return PeerSet({self.element}) @@ -711,17 +721,18 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py new file mode 100644 index 000000000..61244e7ad --- /dev/null +++ b/nca/FWRules/MinimizeBasic.py @@ -0,0 +1,155 @@ +# +# Copyright 2020- IBM Inc. All rights reserved +# SPDX-License-Identifier: Apache2.0 +# + +from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties +from nca.CoreDS.Peer import PeerSet +from nca.CoreDS.ProtocolSet import ProtocolSet + + +class MinimizeBasic: + """ + This is a base class for minimizing fw-rules/peer sets + """ + def __init__(self, cluster_info, output_config): + self.cluster_info = cluster_info + self.output_config = output_config + + def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): + """ + The main function to implement pods grouping by labels. + This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). + :param pods_set: the pods for grouping + :param extra_pods_set: additional pods that can be used for grouping + :return: + res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). + """ + ns_context_options = set(pod.namespace for pod in pods_set) + res_chosen_rep = [] + res_remaining_pods = set() + # grouping by pod-labels per each namespace separately + for ns in ns_context_options: + pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) + extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) + res_chosen_rep.extend(chosen_rep) + res_remaining_pods |= remaining_pods + return res_chosen_rep, res_remaining_pods + + def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): + """ + Implements pods grouping by labels in a single namespace. + :param pods_set: the set of pods for grouping. + :param ns: the namespace + :param extra_pods_set: additional pods that can be used for completing the grouping + (originated in containing connections). + :return: + chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + remaining_pods: set of pods from pods_list that are not included in the grouping result + """ + if self.output_config.fwRulesDebug: + print('get_pods_grouping_by_labels:') + print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) + print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) + all_pods_set = pods_set | extra_pods_set + allowed_labels = self.cluster_info.allowed_labels + pods_per_ns = self.cluster_info.ns_dict[ns] + # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid + # grouping of pods-set by "key in values" + labels_rep_options = [] + for key in allowed_labels: + values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) + fully_covered_label_values = set() + pods_with_fully_covered_label_values = set() + for v in values_for_key: + all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns + if not all_pods_per_label_val: + continue + pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set + pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set + # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set + if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ + pods_with_label_val_from_original_pods_list: + fully_covered_label_values |= {v} + pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list + # TODO: is it OK to ignore label-grouping if only one pod is involved? + if self.output_config.fwRulesGroupByLabelSinglePod: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + else: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + + chosen_rep = [] + remaining_pods = pods_set.copy() + # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that + # covers more pods + sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) + if self.output_config.fwRulesDebug: + print('sorted rep options:') + for (key, (label_vals, pods)) in sorted_rep_options: + print(key, label_vals, len(pods)) + ns_info = {ns} + for (k, (vals, pods)) in sorted_rep_options: + if (pods & pods_set).issubset(remaining_pods): + chosen_rep.append((k, vals, ns_info)) + remaining_pods -= PeerSet(pods) + if not remaining_pods: + break + return chosen_rep, remaining_pods + + # TODO - after moving to the optimized HC set implementation, + # get rid of ConnectionSet and move the code below to ConnectivityProperties.py + @staticmethod + def get_connection_set_and_peers_from_cube(the_cube, peer_container, + relevant_protocols=ProtocolSet(True)): + conn_cube = the_cube.copy() + src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) + conn_cube.unset_dim("src_peers") + dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) + conn_cube.unset_dim("dst_peers") + protocols = conn_cube["protocols"] + conn_cube.unset_dim("protocols") + if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): + conns = ConnectionSet(True) + else: + conns = ConnectionSet() + protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) + for protocol in protocol_names: + if conn_cube.has_active_dim(): + conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) + else: + if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): + conns.add_connections(protocol, + ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) + else: + conns.add_connections(protocol, True) + return conns, src_peers, dst_peers + + @staticmethod + def fw_rules_to_conn_props(fw_rules, peer_container): + """ + Converting FWRules to ConnectivityProperties format. + This function is used for comparing FWRules output between original and optimized solutions, + when optimized_run == 'debug' + :param MinimizeFWRules fw_rules: the given FWRules. + :param PeerContainer peer_container: the peer container + :return: the resulting ConnectivityProperties. + """ + res = ConnectivityProperties.make_empty_props() + if fw_rules.fw_rules_map is None: + return res + for fw_rules_list in fw_rules.fw_rules_map.values(): + for fw_rule in fw_rules_list: + conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) + src_peers = fw_rule.src.get_peer_set() + dst_peers = fw_rule.dst.get_peer_set() + rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, + "dst_peers": dst_peers}) & conn_props + res |= rule_props + return res diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py new file mode 100644 index 000000000..7e8680ccb --- /dev/null +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -0,0 +1,446 @@ +# +# Copyright 2020- IBM Inc. All rights reserved +# SPDX-License-Identifier: Apache2.0 +# + +from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties +from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet +from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ + DNSElement +from .MinimizeBasic import MinimizeBasic + + +class MinimizeCsFwRulesOpt(MinimizeBasic): + """ + This is a class for minimizing fw-rules within a specific connection-set + """ + + def __init__(self, cluster_info, output_config): + """ + create an object of MinimizeCsFwRules + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param output_config: an OutputConfiguration object + + """ + super().__init__(cluster_info, output_config) + self.peer_props = ConnectivityProperties() + self.connections = ConnectionSet() + self.peer_props_in_containing_connections = ConnectivityProperties() + self.ns_pairs = set() + self.ns_ns_props = ConnectivityProperties() + self.peer_pairs_with_partial_ns_expr = set() + self.peer_props_without_ns_expr = ConnectivityProperties() + self.covered_peer_props = ConnectivityProperties() + self.results_info_per_option = dict() + self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules + + def compute_minimized_fw_rules_per_connection(self, connections, peer_props, + peer_props_in_containing_connections): + """ + The main function for creating the minimized set of fw-rules for a given connection set + + :param connections: the allowed connections for the given peer pairs, of type ConnectionSet + :param ConnectivityProperties peer_props: peers (src,dst) for which communication is allowed over the given connections + :param ConnectivityProperties peer_props_in_containing_connections: peers in connections that contain the current + connection set + + class members used in computation of fw-rules: + self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections + self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension + self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping + self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current + connection-set (but not necessarily only limited to current connection set) + + :return: + minimized_fw_rules: a list of fw-rules (of type list[FWRule]) + (results_info_per_option: for debugging, dict with some info about the computation) + """ + self.peer_props = peer_props + self.connections = connections + self.peer_props_in_containing_connections = peer_props_in_containing_connections + self.ns_pairs = set() + self.ns_ns_props = ConnectivityProperties() + self.peer_pairs_with_partial_ns_expr = set() + self.peer_props_without_ns_expr = ConnectivityProperties() + self.covered_peer_props = ConnectivityProperties() + self.results_info_per_option = dict() + self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules + + self._create_fw_rules() + if self.output_config.fwRulesRunInTestMode: + self._print_firewall_rules(self.minimized_fw_rules) + self._print_results_info() + + return self.minimized_fw_rules, self.results_info_per_option + + def _create_fw_rules(self): + """ + The main function for creating the minimized set of fw-rules for a given connection set + :return: None + """ + # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + self._compute_basic_namespace_grouping() + + # add all fw-rules: + self._add_all_fw_rules() + + def _compute_basic_namespace_grouping(self): + """ + computation of peer_pairs with possible grouping by namespaces. + Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + :return: None + """ + self._compute_covered_peer_props() + # only Pod elements have namespaces (skipping IpBlocks and HostEPs) + src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + if isinstance(src, ClusterEP)) + dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + if isinstance(dst, ClusterEP)) + # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs + for src_ns in src_ns_set: + for dst_ns in dst_ns_set: + ns_product_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), + "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) + if ns_product_props.contained_in(self.covered_peer_props): + self.ns_ns_props |= ns_product_props + self.ns_pairs |= {(src_ns, dst_ns)} + else: + self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + + # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? + src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") + if isinstance(src, (IpBlock, HostEP, DNSEntry)))) + dst_peers_without_ns = PeerSet(set(dst for dst in self.peer_props.project_on_one_dimension("dst_peers") + if isinstance(dst, (IpBlock, HostEP, DNSEntry)))) + props_with_elems_without_ns = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers_without_ns}) |\ + ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) + self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props + # compute pairs with src as pod/ip-block and dest as namespace + self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) + # compute pairs with src as pod/ip-block namespace dest as pod + self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) + # remove pairs of (pod,pod) for trivial cases of communication from pod to itself + self.peer_props_without_ns_expr = self.peer_props_without_ns_expr.props_without_auto_conns() + + def _compute_covered_peer_props(self): + """ + compute the union (set) of all peer pairs for which communication is allowed in current connection-set (but + not necessarily only limited to current connection set) + :return: None + """ + covered_peer_props = self.peer_props | self.peer_props_in_containing_connections + all_peers_set = self.peer_props.project_on_one_dimension("src_peers") |\ + self.peer_props.project_on_one_dimension("dst_peers") + for pod in all_peers_set: + if isinstance(pod, ClusterEP): + covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), + "dst_peers": PeerSet({pod})}) + self.covered_peer_props = covered_peer_props + + def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): + """ + computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + can be grouped to an entire namespace + :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) + :return: None + """ + # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not + # in the grouping computation + + for ns in ns_set: + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + candidate_peers = self.peer_props_without_ns_expr.project_on_one_dimension(other_dim_name) + for peer in candidate_peers: + peer_with_ns_props = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), + other_dim_name: PeerSet({peer})}) + if peer_with_ns_props.contained_in(self.peer_props_without_ns_expr): + self.peer_pairs_with_partial_ns_expr.add((ns, peer) if is_src_ns else (peer, ns)) + self.peer_props_without_ns_expr -= peer_with_ns_props + + def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): + """ + create a fw-rule from a fixed-elem and a set of namespaces + :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) + :param ns_set: a set of namespaces + :param fixed_elem: the fixed element + :return: a list with created FWRule + """ + # currently no grouping of ns-list by labels of namespaces + grouped_elem = FWRuleElement(ns_set, self.cluster_info) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + else: + fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + return [fw_rule] + + def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, + make_peer_sets=False): + """ + Implements grouping in the level of pods labels. + :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. + :param pods_set: the set of pods to be grouped + :param fixed_elem: the fixed element of the original fw-rules + :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be + used for grouping (completing for a set of pods to cover some label grouping). + :return: a set of fw-rules result after grouping + """ + res = [] + # (1) try grouping by pods-labels: + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) + for (key, values, ns_info) in chosen_rep: + map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) + all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) + pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) + grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + else: + fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + res.append(fw_rule) + + # TODO: should avoid having single pods remaining without labels grouping + # (2) add rules for remaining single pods: + if make_peer_sets and remaining_pods: + peer_set_elem = PeerSetElement(PeerSet(remaining_pods)) + if is_src_fixed: + fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) + else: + fw_rule = FWRule(peer_set_elem, fixed_elem, self.connections) + res.append(fw_rule) + else: + for pod in remaining_pods: + single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') + if is_src_fixed: + fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) + else: + fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) + res.append(fw_rule) + return res + + def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): + """ + creating initial fw-rules from base elements + :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock + :return: list with created fw-rules + :rtype list[FWRule] + """ + res = [] + for (src, dst) in base_elems_pairs: + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + return res + + def _create_initial_fw_rules_from_peer_props(self, peer_props): + res = [] + min_peer_props = peer_props.minimize() + for cube in min_peer_props: + conn_cube = min_peer_props.get_connectivity_cube(cube) + src_peers = conn_cube["src_peers"] + dst_peers = conn_cube["dst_peers"] + # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr + assert src_peers and dst_peers + res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + self.cluster_info)) + return res + + def _create_all_initial_fw_rules(self): + """ + Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) + :return: a list of initial fw-rules of type FWRule + :rtype list[FWRule] + """ + + initial_fw_rules = [] + initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) + initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) + initial_fw_rules.extend( + self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) + return initial_fw_rules + + def _add_all_fw_rules(self): + """ + Computation of fw-rules, following the ns-grouping of peer_pairs. + Results are at: self.minimized_rules_set + :return: None + """ + # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + initial_fw_rules = self._create_all_initial_fw_rules() + # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per + # all ConnectionSet pairs) + + # option1 - start computation when src is fixed at first iteration, and merge applies to dst + option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) + # option2 - start computation when dst is fixed at first iteration, and merge applies to src + option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) + + # self.post_processing_fw_rules(option1) + # self.post_processing_fw_rules(option2) + + if self.output_config.fwRulesRunInTestMode: + # add info for documentation about computation results + self.results_info_per_option['option1_len'] = len(option1) + self.results_info_per_option['option2_len'] = len(option2) + self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 + self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 + + if self.output_config.fwRulesDebug: + print('option 1 rules:') + self._print_firewall_rules(option1) + print('option 2 rules: ') + self._print_firewall_rules(option2) + + # choose the option with less fw-rules + if len(option1) < len(option2): + self.minimized_fw_rules = option1 + return + self.minimized_fw_rules = option2 + + def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): + """ + Apply grouping for a set of elements to create grouped fw-rules + :param fixed_elem: the fixed elements from the original fw-rules + :param set_for_grouping_elems: the set of elements to be grouped + :param src_first: a bool flag to indicate if fixed_elem is src or dst + :return: A list of fw-rules after possible grouping operations + """ + res = [] + # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems + peer_set_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, PeerSetElement)) + pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if + isinstance(elem, (PodElement, PodLabelsElement))) + ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) + dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) + ns_elems = set_for_grouping_elems - (peer_set_elems | pod_and_pod_labels_elems | ip_block_elems | dns_elems) + + if ns_elems: + # grouping of ns elements is straight-forward + ns_set = set.union(*(f.ns_info for f in ns_elems)) + res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) + + for peer_set_elem in peer_set_elems: + res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, peer_set_elem.get_pods_set(), + fixed_elem, set(), True)) + + # fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) if src_first else \ + # FWRule(peer_set_elem, fixed_elem, self.connections) + # res.append(fw_rule) + + if pod_and_pod_labels_elems: + # grouping of pod and pod-labels elements + # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping + if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): + elem = list(pod_and_pod_labels_elems)[0] + fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, + self.connections) + res.append(fw_rule) + else: + # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped + set_for_grouping_pods = set() + for e in pod_and_pod_labels_elems: + set_for_grouping_pods |= e.get_pods_set() + + # allow borrowing pods for labels-grouping from covered_peer_props + fixed_elem_pods = fixed_elem.get_pods_set() + # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within + # covered_peer_props + extra_pods_list = [] + for p in fixed_elem_pods: + pods_to_add = self._get_peers_paired_with_given_peer(p, src_first) + extra_pods_list.append(pods_to_add) + # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within + # covered_peer_props + extra_pods_list_common = set() + if extra_pods_list: + extra_pods_list_common = set.intersection(*extra_pods_list) + + res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, + fixed_elem, extra_pods_list_common)) + + if ip_block_elems: + # currently no grouping for ip blocks + for elem in ip_block_elems: + if src_first: + res.append(FWRule(fixed_elem, elem, self.connections)) + else: + res.append(FWRule(elem, fixed_elem, self.connections)) + + if dns_elems: + for elem in dns_elems: + if src_first: # do we need both if else? , dns_elem may be a dst always + res.append(FWRule(fixed_elem, elem, self.connections)) + else: + res.append(FWRule(elem, fixed_elem, self.connections)) + + return res + + def _get_peers_paired_with_given_peer(self, peer, is_src_peer): + this_dim = "src_peers" if is_src_peer else "dst_peers" + other_dim = "dst_peers" if is_src_peer else "src_peers" + props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) + return props.project_on_one_dimension(other_dim) + + def _create_merged_rules_set(self, is_src_first, fw_rules): + """ + Computing a minimized set of fw-rules by merging src/dst elements iteratively + :param is_src_first: a bool flag to indicate if merge process starts with src or dest + :param fw_rules: a list of initial fw-rules + :return: a list of minimized fw-rules after merge process + """ + initial_fw_rules = fw_rules.copy() + if not initial_fw_rules: + return [], 0 + count_fw_rules = dict() # map number of fw-rules per iteration number + max_iter = self.output_config.fwRulesMaxIter + convergence_iteration = max_iter + for i in range(0, max_iter): + fw_rules_after_merge = [] + count_fw_rules[i] = len(initial_fw_rules) + if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: + convergence_iteration = i + break + if i > 1 and self.output_config.fwRulesRunInTestMode: + assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." + # change the grouping target (src/dst) on each iteration + src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) + first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) + for elem in first_elem_set: + if src_first: + # TODO: equals or contained in? + # set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem <= f.src) + set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem == f.src) + else: + # set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem <= f.dst) + set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem == f.dst) + res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) + fw_rules_after_merge.extend(res) + # prepare for next iteration + initial_fw_rules = fw_rules_after_merge + if self.output_config.fwRulesDebug: + print('fw rules after iteration: ' + str(i)) + self._print_firewall_rules(initial_fw_rules) + + return initial_fw_rules, convergence_iteration + + # --------------------------------------------------------------------------------------------------------- + # below functions are for debugging : + + def _print_results_info(self): + print('----------------') + print('results_info_per_option: ') + for key in self.results_info_per_option: + val = self.results_info_per_option[key] + print(str(key) + ':' + str(val)) + print('----------------') + + def _print_firewall_rules(self, rules): + print('-------------------') + print('rules for connections: ' + str(self.connections)) + for rule in rules: + # filter out rule of a pod to itslef + # if rule.is_rule_trivial(): + # continue + print(rule) diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index d42cd301c..e373b8538 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -3,30 +3,29 @@ # SPDX-License-Identifier: Apache2.0 # +from collections import defaultdict from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, HostEP, DNSEntry +from nca.CoreDS.ProtocolSet import ProtocolSet from .FWRule import FWRuleElement, FWRule, PodElement, LabelExpr, PodLabelsElement, IPBlockElement, DNSElement +from .MinimizeBasic import MinimizeBasic +from .MinimizeCsFWRulesOpt import MinimizeCsFwRulesOpt -class MinimizeCsFwRules: +class MinimizeCsFwRules(MinimizeBasic): """ This is a class for minimizing fw-rules within a specific connection-set """ - def __init__(self, cluster_info, allowed_labels, output_config): + def __init__(self, cluster_info, output_config): """ create an object of MinimizeCsFwRules :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param allowed_labels: a set of label keys (set[str]) that appear in one of the policy yaml files. - using this set to determine which label can be used for grouping pods in fw-rules computation :param output_config: an OutputConfiguration object """ - - self.cluster_info = cluster_info - self.allowed_labels = allowed_labels - self.output_config = output_config - + super().__init__(cluster_info, output_config) self.peer_pairs = set() self.connections = ConnectionSet() self.peer_pairs_in_containing_connections = set() @@ -48,7 +47,7 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_pairs, pee class members used in computation of fw-rules: self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections - self.peer_pairs_with_partial_ns_expr: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension + self.peers_with_ns_pairs: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current connection-set (but not necessarily only limited to current connection set) @@ -79,7 +78,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # partition peer_pairs to ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -88,7 +87,7 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + Results are at: ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr :return: None """ self._compute_covered_peer_pairs_union() @@ -184,7 +183,7 @@ def _get_ns_covered_in_one_dimension(self, is_src_fixed, fixed_elem): def _compute_ns_pairs_with_partial_ns_expr(self, is_src_ns): """ - computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + computes and updates self.peers_with_ns_pairs with pairs where only one elem (src/dst) can be grouped to an entire namespace :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) :return: None @@ -221,99 +220,13 @@ def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_ele :return: a list with created FWRule """ # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set) + grouped_elem = FWRuleElement(ns_set, self.cluster_info) if is_src_fixed: fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) else: fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) return [fw_rule] - def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): - """ - The main function to implement pods grouping by labels. - This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). - :param pods_set: the pods for grouping - :param extra_pods_set: additional pods that can be used for grouping - :return: - res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). - """ - ns_context_options = set(pod.namespace for pod in pods_set) - res_chosen_rep = [] - res_remaining_pods = set() - # grouping by pod-labels per each namespace separately - for ns in ns_context_options: - pods_set_per_ns = pods_set & self.cluster_info.ns_dict[ns] - extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) - res_chosen_rep.extend(chosen_rep) - res_remaining_pods |= remaining_pods - return res_chosen_rep, res_remaining_pods - - def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): - """ - Implements pods grouping by labels in a single namespace. - :param pods_set: the set of pods for grouping. - :param ns: the namespace - :param extra_pods_set: additional pods that can be used for completing the grouping - (originated in containing connections). - :return: - chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - remaining_pods: set of pods from pods_list that are not included in the grouping result - """ - if self.output_config.fwRulesDebug: - print('get_pods_grouping_by_labels:') - print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) - print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) - all_pods_set = pods_set | extra_pods_set - allowed_labels = self.cluster_info.allowed_labels - pods_per_ns = self.cluster_info.ns_dict[ns] - # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid - # grouping of pods-set by "key in values" - labels_rep_options = [] - for key in allowed_labels: - values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) - fully_covered_label_values = set() - pods_with_fully_covered_label_values = set() - for v in values_for_key: - all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns - if not all_pods_per_label_val: - continue - pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set - pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set - # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set - if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ - pods_with_label_val_from_original_pods_list: - fully_covered_label_values |= {v} - pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list - # TODO: is it OK to ignore label-grouping if only one pod is involved? - if self.output_config.fwRulesGroupByLabelSinglePod: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - else: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - - chosen_rep = [] - remaining_pods = pods_set.copy() - # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that - # covers more pods - sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) - if self.output_config.fwRulesDebug: - print('sorted rep options:') - for (key, (label_vals, pods)) in sorted_rep_options: - print(key, label_vals, len(pods)) - ns_info = {ns} - for (k, (vals, pods)) in sorted_rep_options: - if (pods & pods_set).issubset(remaining_pods): - chosen_rep.append((k, vals, ns_info)) - remaining_pods -= pods - if not remaining_pods: - break - return chosen_rep, remaining_pods - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set): """ Implements grouping in the level of pods labels. @@ -331,7 +244,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info) + grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) if is_src_fixed: fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) else: @@ -358,7 +271,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) return res def _create_all_initial_fw_rules(self): @@ -380,7 +293,7 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # create initial fw-rules from ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per # all ConnectionSet pairs) @@ -451,10 +364,10 @@ def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped set_for_grouping_pods = set() for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set(self.cluster_info) + set_for_grouping_pods |= e.get_pods_set() # allow borrowing pods for labels-grouping from covered_peer_pairs_union - fixed_elem_pods = fixed_elem.get_pods_set(self.cluster_info) + fixed_elem_pods = fixed_elem.get_pods_set() # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within # covered_peer_pairs_union extra_pods_list = [] @@ -556,21 +469,21 @@ def get_src_dest_pairs_from_fw_rules(self, rules): # compute set of pods derived from rule src and rule dest if not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ not isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set(self.cluster_info) - dest_set = rule.dst.get_pods_set(self.cluster_info) + src_set = rule.src.get_pods_set() + dest_set = rule.dst.get_pods_set() for src in src_set: for dst in dest_set: src_dest_pairs.append((src, dst)) elif isinstance(rule.src, IPBlockElement) and not isinstance(rule.dst, (IPBlockElement, DNSElement)): - dest_set = rule.dst.get_pods_set(self.cluster_info) + dest_set = rule.dst.get_pods_set() for dst in dest_set: src_dest_pairs.append((rule.src.element, dst)) elif not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set(self.cluster_info) + src_set = rule.src.get_pods_set() for src in src_set: src_dest_pairs.append((src, rule.dst.element)) @@ -592,7 +505,7 @@ def validate_ip_blocks(ips_list_1, ips_list_2): ip_block_2 |= ip return ip_block_1.contained_in(ip_block_2) - # for testing- make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs + # for testing - make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs def check_peer_pairs_equivalence(self, rules): orig_set = set(self.peer_pairs) allowed_extra_set = set(self.covered_peer_pairs_union) # set(self.peer_pairs_in_containing_connections) @@ -646,7 +559,6 @@ def check_peer_pairs_equivalence(self, rules): return True - # ================================================================================================================== class MinimizeFWRules: @@ -659,7 +571,7 @@ def __init__(self, fw_rules_map, cluster_info, output_config, results_map): create n object of MinimizeFWRules :param fw_rules_map: a map from ConnectionSet to list[FWRule] - the list of minimized fw-rules per connection :param cluster_info: an object of type ClusterInfo - :param output_config: an object of type OutputConiguration + :param output_config: an object of type OutputConfiguration :param results_map: (temp, for debugging) a map from connection to results info """ self.fw_rules_map = fw_rules_map @@ -765,3 +677,121 @@ def _get_all_rules_list_in_req_format(self, req_format): rules_list.append(rule_obj) rules_dict[str(rule_obj)] = 1 return rules_list + + @staticmethod + def minimize_firewall_rules(cluster_info, output_config, connections_sorted_by_size): + """ + Creates the set of minimized fw rules and prints to output + :param ClusterInfo cluster_info: the cluster info + :param OutputConfiguration output_config: the output configuration + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules + """ + cs_containment_map = MinimizeFWRules._build_connections_containment_map(connections_sorted_by_size) + fw_rules_map = defaultdict(list) + results_map = dict() + minimize_cs = MinimizeCsFwRules(cluster_info, output_config) + # build fw_rules_map: per connection - a set of its minimized fw rules + for connections, peer_pairs in connections_sorted_by_size: + # currently skip "no connections" + if not connections: + continue + # TODO: figure out why we have pairs with (ip,ip) ? + peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) + peer_pairs_in_containing_connections = cs_containment_map[connections] + fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( + connections, peer_pairs_filtered, peer_pairs_in_containing_connections) + fw_rules_map[connections] = fw_rules + results_map[connections] = results_per_info + + minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) + return minimize_fw_rules + + @staticmethod + def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, peer_container, + connectivity_restriction): + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + + # TODO - Tanya: this reorder does not work + #reordered_conn_props = props.push_back_peers_dimensions() + reordered_conn_props = props + connections_to_peers = defaultdict(ConnectivityProperties) + for cube in reordered_conn_props: + conn_cube = reordered_conn_props.get_connectivity_cube(cube) + conns, src_peers, dst_peers = \ + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + conn_cube.unset_all_but_peers() + connections_to_peers[conns] |= ConnectivityProperties.make_conn_props(conn_cube) + connections_sorted_by_size = list(connections_to_peers.items()) + connections_sorted_by_size.sort(reverse=True) + return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) + + @staticmethod + def minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size): + """ + Creates the set of minimized fw rules and prints to output + :param ClusterInfo cluster_info: the cluster info + :param OutputConfiguration output_config: the output configuration + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules + """ + cs_containment_map = MinimizeFWRules._build_connections_containment_map_opt(connections_sorted_by_size) + fw_rules_map = defaultdict(list) + results_map = dict() + minimize_cs_opt = MinimizeCsFwRulesOpt(cluster_info, output_config) + # build fw_rules_map: per connection - a set of its minimized fw rules + for connections, peer_props in connections_sorted_by_size: + # currently skip "no connections" + if not connections: + continue + # TODO: figure out why we have pairs with (ip,ip) ? + peer_props_in_containing_connections = cs_containment_map[connections] + fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_connection( + connections, peer_props, peer_props_in_containing_connections) + fw_rules_map[connections] = fw_rules + results_map[connections] = results_per_info + + minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) + return minimize_fw_rules + + @staticmethod + def _get_peer_pairs_filtered(peer_pairs): + """ + Filters out peer pairs where both src and dst are IpBlock + :param list peer_pairs: the peer pairs to filter + :return: a filtered set of peer pairs + """ + return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) + + @staticmethod + def _build_connections_containment_map(connections_sorted_by_size): + """ + Build a map from a connection to a set of peer_pairs from connections it is contained in + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: a map from connection to a set of peer pairs from containing connections + """ + cs_containment_map = defaultdict(set) + for (conn, _) in connections_sorted_by_size: + for (other_conn, peer_pairs) in connections_sorted_by_size: + if other_conn != conn and conn.contained_in(other_conn): + peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) + cs_containment_map[conn] |= peer_pairs_filtered + return cs_containment_map + + def _build_connections_containment_map_opt(connections_sorted_by_size): + """ + Build a map from a connection to a set of peer_pairs from connections it is contained in + :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :return: a map from connection to a set of peer pairs from containing connections + """ + cs_containment_map = defaultdict(ConnectivityProperties) + for (conn, _) in connections_sorted_by_size: + for (other_conn, peer_pairs) in connections_sorted_by_size: + if other_conn != conn and conn.contained_in(other_conn): + cs_containment_map[conn] |= peer_pairs + return cs_containment_map diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index a11adc83e..cab08be7b 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -16,6 +16,7 @@ from nca.CoreDS.DimensionsManager import DimensionsManager from nca.FWRules.ConnectivityGraph import ConnectivityGraph from nca.FWRules.MinimizeFWRules import MinimizeFWRules +from nca.FWRules.MinimizeBasic import MinimizeBasic from nca.FWRules.ClusterInfo import ClusterInfo from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnectionsFilter from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy @@ -157,18 +158,30 @@ def compare_fw_rules(fw_rules1, fw_rules2, peer_container, rules_descr=""): if fw_rules1.fw_rules_map == fw_rules2.fw_rules_map: print(f"{text_prefix} are semantically equivalent") return - conn_props1 = ConnectionSet.fw_rules_to_conn_props(fw_rules1, peer_container) - conn_props2 = ConnectionSet.fw_rules_to_conn_props(fw_rules2, peer_container) - if conn_props1 == conn_props2: + conn_props1 = MinimizeBasic.fw_rules_to_conn_props(fw_rules1, peer_container) + conn_props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules2, peer_container) + BaseNetworkQuery.compare_conn_props(conn_props1, conn_props2, text_prefix) + + @staticmethod + def compare_conn_props(props1, props2, text_prefix): + if props1 == props2: print(f"{text_prefix} are semantically equivalent") else: - diff_prop = (conn_props1 - conn_props2) | (conn_props2 - conn_props1) + diff_prop = (props1 - props2) | (props2 - props1) if diff_prop.are_auto_conns(): print(f"{text_prefix} differ only in auto-connections") else: print(f"Error: {text_prefix} are different") assert False + @staticmethod + def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, rules_descr=""): + text_prefix = "Connectivity properties and fw-rules generated from them" + if rules_descr: + text_prefix += " for " + rules_descr + props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container) + BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) + class NetworkConfigQuery(BaseNetworkQuery): """ @@ -1105,10 +1118,16 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= :return the connectivity map in fw-rules, considering connectivity_restriction if required :rtype: (Union[str, dict], MinimizeFWRules) """ - cluster_info = ClusterInfo(peers_to_compare, self.config.get_allowed_labels()) - fw_rules_map = ConnectionSet.conn_props_to_fw_rules(props, cluster_info, self.config.peer_container, - connectivity_restriction) - fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, self.output_config, {}) + if self.output_config.fwRulesOverrideAllowedLabels: + allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) + else: + allowed_labels = self.config.get_allowed_labels() + cluster_info = ClusterInfo(peers_to_compare, allowed_labels) + + fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, + self.config.peer_container, + connectivity_restriction) + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container) # Tanya: debug formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules @@ -1253,7 +1272,7 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, for cube in conn_diff_props: conn_cube = conn_diff_props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - ConnectionSet.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) conns1 = conns if props_based_on_config1 else no_conns conns2 = no_conns if props_based_on_config1 else conns if self.output_config.fullExplanation: From bf949ff094704ff754e16dc6d949b8e8fbfab8b2 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 16:33:02 +0200 Subject: [PATCH 36/89] Fixed lint errors. Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 1 - nca/FWRules/FWRule.py | 14 ++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 5 +++-- nca/FWRules/MinimizeFWRules.py | 6 ++++-- 4 files changed, 15 insertions(+), 11 deletions(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 536301ce6..37f369539 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -7,7 +7,6 @@ from collections import defaultdict import networkx from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod -from nca.CoreDS.ConnectionSet import ConnectionSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 6b8597d4b..418c4abf1 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,15 +214,16 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): - return [PodElement(base_elem)] + return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): @@ -240,7 +241,7 @@ def create_fw_elements_from_base_element(base_elem, cluster_info): pods -= ns_pods if ipblocks_and_dns: for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info)) + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config)) return res # unknown base-elem type return None @@ -721,18 +722,19 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 7e8680ccb..84c012627 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -231,7 +231,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_initial_fw_rules_from_peer_props(self, peer_props): @@ -244,7 +245,7 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr assert src_peers and dst_peers res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, - self.cluster_info)) + self.cluster_info, self.output_config)) return res def _create_all_initial_fw_rules(self): diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index e373b8538..5626b6e3e 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -271,7 +271,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info)) + res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_all_initial_fw_rules(self): @@ -561,6 +562,7 @@ def check_peer_pairs_equivalence(self, rules): # ================================================================================================================== + class MinimizeFWRules: """ This is a class for minimizing and handling fw-rules globally for all connection sets @@ -718,7 +720,7 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, relevant_protocols = ProtocolSet.get_non_tcp_protocols() # TODO - Tanya: this reorder does not work - #reordered_conn_props = props.push_back_peers_dimensions() + # reordered_conn_props = props.push_back_peers_dimensions() reordered_conn_props = props connections_to_peers = defaultdict(ConnectivityProperties) for cube in reordered_conn_props: From 5532e4d48537d6dd22b4369b9c78540aa43da6d8 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 17:44:26 +0200 Subject: [PATCH 37/89] Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya --- .../basic_connectivity_expl_output.txt | 8 ++++---- ...connectivity_specific_nodes_expl_output.txt | 8 ++++---- .../poc1_expl_output.txt | 18 +++++------------- .../subset_deployment_expl_output.txt | 8 ++++---- .../test25_expl_output.txt | 3 +-- .../test4_expl_output.txt | 10 ++-------- 6 files changed, 20 insertions(+), 35 deletions(-) diff --git a/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt b/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt index 6c0f7d1e2..e66c15d80 100644 --- a/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt +++ b/tests/expected_cmdline_output_files/basic_connectivity_expl_output.txt @@ -2,11 +2,11 @@ final fw rules for query: , config: test_subset_topology.yaml: src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections diff --git a/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt b/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt index e07f0722f..973afd932 100644 --- a/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt +++ b/tests/expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt @@ -2,11 +2,11 @@ final fw rules for query: , config: test_subset_topology.yaml: src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections diff --git a/tests/expected_cmdline_output_files/poc1_expl_output.txt b/tests/expected_cmdline_output_files/poc1_expl_output.txt index 5feff2217..e02ea700f 100644 --- a/tests/expected_cmdline_output_files/poc1_expl_output.txt +++ b/tests/expected_cmdline_output_files/poc1_expl_output.txt @@ -1,26 +1,18 @@ final fw rules for query: , config: microservices-netpols.yaml: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice, shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [frontend] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [recommendationservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt b/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt index 3811c81e4..94010257f 100644 --- a/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt +++ b/tests/expected_cmdline_output_files/subset_deployment_expl_output.txt @@ -1,8 +1,8 @@ final fw rules for query: , config: test_subset_topology.yaml: -src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [deployment-D] conn: All connections -src_ns: [ns1] src_pods: [deployment-A] dst_ns: [default] dst_pods: [deployment-E] conn: All connections -src_ns: [ns1] src_pods: [deployment-B] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections -src_ns: [ns2] src_pods: [deployment-C] dst_ns: [ns1] dst_pods: [deployment-A] conn: All connections +src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections +src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections +src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections +src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections Explainability results: diff --git a/tests/expected_cmdline_output_files/test25_expl_output.txt b/tests/expected_cmdline_output_files/test25_expl_output.txt index 53ff38ac5..781261b48 100644 --- a/tests/expected_cmdline_output_files/test25_expl_output.txt +++ b/tests/expected_cmdline_output_files/test25_expl_output.txt @@ -1,6 +1,5 @@ final fw rules for query: , config: test25-networkpolicy.yaml: -src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [my-test-deployment-B] conn: All connections - +src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [app=B] conn: All connections Explainability results: diff --git a/tests/expected_cmdline_output_files/test4_expl_output.txt b/tests/expected_cmdline_output_files/test4_expl_output.txt index 4668d14af..74eaa83ef 100644 --- a/tests/expected_cmdline_output_files/test4_expl_output.txt +++ b/tests/expected_cmdline_output_files/test4_expl_output.txt @@ -1,16 +1,10 @@ final fw rules for query: , config: test4-networkpolicy.yaml: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 -src_ns: [kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections Explainability results: From 6e05b8805d9bea6d48ee6f3e3451f6f4a473253f Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 3 Mar 2024 18:29:39 +0200 Subject: [PATCH 38/89] Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. Signed-off-by: Tanya --- nca/CoreDS/ConnectionSet.py | 9 +++++++-- nca/FWRules/MinimizeBasic.py | 13 +++++++++++-- nca/NetworkConfig/NetworkConfigQuery.py | 9 ++++----- .../test25_expl_output.txt | 1 + 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py index 1e0626163..42d44d26c 100644 --- a/nca/CoreDS/ConnectionSet.py +++ b/nca/CoreDS/ConnectionSet.py @@ -543,16 +543,21 @@ def print_diff(self, other, self_name, other_name): return 'No diff.' - def convert_to_connectivity_properties(self, peer_container): + def convert_to_connectivity_properties(self, peer_container, relevant_protocols=ProtocolSet()): """ Convert the current ConnectionSet to ConnectivityProperties format. This function is used for comparing fw-rules output between original and optimized implementation, when optimized_run == 'debug' :param PeerContainer peer_container: the peer container + :param ProtocolSet relevant_protocols: specify if all protocols refer to TCP / non-TCP protocols :return: the connection set in ConnectivityProperties format """ if self.allow_all: - return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) + if relevant_protocols: + protocols_conn = ConnectivityProperties.make_conn_props_from_dict({"protocols": relevant_protocols}) + else: + protocols_conn = ConnectivityProperties(create_all=True) + return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) & protocols_conn res = ConnectivityProperties.make_empty_props() for protocol, properties in self.allowed_protocols.items(): diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 61244e7ad..9fe042af7 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -132,21 +132,30 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container, return conns, src_peers, dst_peers @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container): + def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=None): """ Converting FWRules to ConnectivityProperties format. This function is used for comparing FWRules output between original and optimized solutions, when optimized_run == 'debug' :param MinimizeFWRules fw_rules: the given FWRules. :param PeerContainer peer_container: the peer container + param Union[str,None] connectivity_restriction: specify if connectivity is restricted to + TCP / non-TCP , or not :return: the resulting ConnectivityProperties. """ + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + res = ConnectivityProperties.make_empty_props() if fw_rules.fw_rules_map is None: return res for fw_rules_list in fw_rules.fw_rules_map.values(): for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container) + conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container, relevant_protocols) src_peers = fw_rule.src.get_peer_set() dst_peers = fw_rule.dst.get_peer_set() rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index cab08be7b..1a0795a5d 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -175,11 +175,9 @@ def compare_conn_props(props1, props2, text_prefix): assert False @staticmethod - def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, rules_descr=""): + def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, connectivity_restriction=None): text_prefix = "Connectivity properties and fw-rules generated from them" - if rules_descr: - text_prefix += " for " + rules_descr - props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container) + props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction) BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) @@ -1127,7 +1125,8 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container) # Tanya: debug + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, + connectivity_restriction=connectivity_restriction) # Tanya: debug formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules diff --git a/tests/expected_cmdline_output_files/test25_expl_output.txt b/tests/expected_cmdline_output_files/test25_expl_output.txt index 781261b48..ec53c86eb 100644 --- a/tests/expected_cmdline_output_files/test25_expl_output.txt +++ b/tests/expected_cmdline_output_files/test25_expl_output.txt @@ -1,6 +1,7 @@ final fw rules for query: , config: test25-networkpolicy.yaml: src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [app=B] conn: All connections + Explainability results: From 7a6f4096a82227c3de58e22ff07d84c3855603dc Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 10 Mar 2024 19:38:37 +0200 Subject: [PATCH 39/89] Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 15 --------------- nca/CoreDS/Peer.py | 25 ++++++++++++++++++------- nca/FWRules/FWRule.py | 19 +++++++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 28 +++++++++++++++------------- nca/FWRules/MinimizeFWRules.py | 18 ++++++++++-------- 5 files changed, 56 insertions(+), 49 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 7917fdd84..e8af72468 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -523,21 +523,6 @@ def minimize(self): new_props = self._reorder_by_dim_list(new_all_dims_map) return self if len(self) <= len(new_props) else new_props - def push_back_peers_dimensions(self): - """ - Reorder the current properties by making "src_peers" and "dst_peers" the last two dimensions. - """ - new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] - last_index = len(self.all_dimensions_list) - 1 - src_peers_index = self.all_dimensions_list.index("src_peers") - dst_peers_index = self.all_dimensions_list.index("dst_peers") - # switch between "src_peers", "dst_peers" and last two dimensions - new_all_dims_map[src_peers_index] = last_index - 1 - new_all_dims_map[last_index - 1] = src_peers_index - new_all_dims_map[dst_peers_index] = last_index - new_all_dims_map[last_index] = dst_peers_index - return self._reorder_by_dim_list(new_all_dims_map) - def _reorder_by_dim_list(self, new_all_dims_map): """ Reorder the current properties by the given dimensions order diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 178c0281a..4686f8f75 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -289,6 +289,9 @@ def __init__(self, cidr=None, exceptions=None, interval=None, name=None, namespa if not self.name: self.name = self.get_cidr_list_str() + def full_name(self): + return self.get_cidr_list_str() + def is_global_peer(self): return self.is_global @@ -296,7 +299,7 @@ def canonical_form(self): if self.namespace is None: return self.name else: - return self.namespace.name + '_' + self.name + return self.namespace.name + '_' + self.full_name() def copy(self): res = IpBlock(name=self.name, namespace=self.namespace, is_global=self.is_global) @@ -568,6 +571,10 @@ def __contains__(self, item): return False return super().__contains__(item) + def canonical_form(self): + # TODO: after moving to optimized HC implementation PeerSet may be always maintained in the canonical form + return PeerSet(self.get_set_without_ip_block()) | self.get_ip_block_canonical_form().get_peer_set() + def __eq__(self, other): # set comparison if self.get_set_without_ip_block() != other.get_set_without_ip_block(): @@ -605,6 +612,8 @@ def __and__(self, other): return res def __ior__(self, other): + # TODO - after moving to optimized HC implementation, create in canonical form (like __iand__); + # (in the original implementation we need split IpBlock for disjoint_ip_blocks() to work correctly) res = PeerSet(super().__ior__(other)) return res @@ -766,21 +775,19 @@ def get_peer_set_by_indices(self, peer_interval_set): :return: the PeerSet of peers referenced by the indices in the interval set """ peer_set = PeerSet() + ipv4block = IpBlock() + ipv6block = IpBlock() for interval in peer_interval_set: if interval.end <= self.max_ipv4_index: # this is IPv4Address start = ipaddress.IPv4Address(interval.start - self.min_ipv4_index) end = ipaddress.IPv4Address(interval.end - self.min_ipv4_index) - ipb = IpBlock( - interval=CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) - peer_set.add(ipb) + ipv4block.add_interval(CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) elif interval.end <= self.max_ipv6_index: # this is IPv6Address start = ipaddress.IPv6Address(interval.start - self.min_ipv6_index) end = ipaddress.IPv6Address(interval.end - self.min_ipv6_index) - ipb = IpBlock( - interval=CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) - peer_set.add(ipb) + ipv6block.add_interval(CanonicalIntervalSet.Interval(IPNetworkAddress(start), IPNetworkAddress(end))) else: # this is Pod assert interval.end <= self.max_pod_index @@ -788,6 +795,10 @@ def get_peer_set_by_indices(self, peer_interval_set): for ind in range(min(interval.start - self.min_pod_index, curr_pods_max_ind), min(interval.end - self.min_pod_index, curr_pods_max_ind) + 1): peer_set.add(self.ordered_peer_list[ind]) + if ipv4block: + peer_set.add(ipv4block) + if ipv6block: + peer_set.add(ipv6block) return peer_set instance = None diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 418c4abf1..1d972429a 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,18 +214,22 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config, split_ip_blocks): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration + :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; + after moving to optimized HC implementation we will never split IpBlocks. :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): - return [IPBlockElement(ip) for ip in base_elem.split()] + if split_ip_blocks: + return [IPBlockElement(ip) for ip in base_elem.split()] + return [IPBlockElement(base_elem)] elif isinstance(base_elem, K8sNamespace): return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): @@ -241,7 +245,8 @@ def create_fw_elements_from_base_element(base_elem, cluster_info, output_config) pods -= ns_pods if ipblocks_and_dns: for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config)) + res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config, + split_ip_blocks)) return res # unknown base-elem type return None @@ -722,7 +727,7 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config, split_ip_blocks=False): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst @@ -730,11 +735,13 @@ def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, outp :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration + :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; + after moving to optimized HC implementation we will never split IpBlocks. :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config, split_ip_blocks) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config, split_ip_blocks) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 84c012627..6387afc90 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -5,7 +5,7 @@ from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet +from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement from .MinimizeBasic import MinimizeBasic @@ -94,9 +94,9 @@ def _compute_basic_namespace_grouping(self): self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") - if isinstance(src, ClusterEP)) + if isinstance(src, Pod)) dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") - if isinstance(dst, ClusterEP)) + if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs for src_ns in src_ns_set: for dst_ns in dst_ns_set: @@ -122,8 +122,6 @@ def _compute_basic_namespace_grouping(self): self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) - # remove pairs of (pod,pod) for trivial cases of communication from pod to itself - self.peer_props_without_ns_expr = self.peer_props_without_ns_expr.props_without_auto_conns() def _compute_covered_peer_props(self): """ @@ -151,16 +149,20 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # in the grouping computation for ns in ns_set: + ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" - candidate_peers = self.peer_props_without_ns_expr.project_on_one_dimension(other_dim_name) - for peer in candidate_peers: - peer_with_ns_props = \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), - other_dim_name: PeerSet({peer})}) - if peer_with_ns_props.contained_in(self.peer_props_without_ns_expr): - self.peer_pairs_with_partial_ns_expr.add((ns, peer) if is_src_ns else (peer, ns)) - self.peer_props_without_ns_expr -= peer_with_ns_props + paired_to_ns_peers = PeerSet() + for cube in self.peer_props_without_ns_expr: + conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + if ns_peers.issubset(dim_peers): + paired_to_ns_peers |= conn_cube[other_dim_name] + paired_to_ns_peers = paired_to_ns_peers.canonical_form() + self.peer_pairs_with_partial_ns_expr.add((ns, paired_to_ns_peers) if is_src_ns else (paired_to_ns_peers, ns)) + self.peer_props_without_ns_expr -= \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), + other_dim_name: paired_to_ns_peers}) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index 5626b6e3e..391de6c03 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -272,7 +272,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): res = [] for (src, dst) in base_elems_pairs: res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) + self.output_config, True)) return res def _create_all_initial_fw_rules(self): @@ -719,16 +719,18 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - # TODO - Tanya: this reorder does not work - # reordered_conn_props = props.push_back_peers_dimensions() - reordered_conn_props = props - connections_to_peers = defaultdict(ConnectivityProperties) - for cube in reordered_conn_props: - conn_cube = reordered_conn_props.get_connectivity_cube(cube) + peers_to_connections = defaultdict(ConnectionSet) + # pick up all connection sets relating to the same peer set pairs + for cube in props: + conn_cube = props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) conn_cube.unset_all_but_peers() - connections_to_peers[conns] |= ConnectivityProperties.make_conn_props(conn_cube) + peers_to_connections[ConnectivityProperties.make_conn_props(conn_cube)] |= conns + # now combine all peer set pairs relating to the same connection sets + connections_to_peers = defaultdict(ConnectivityProperties) + for peers, conns in peers_to_connections.items(): + connections_to_peers[conns] |= peers connections_sorted_by_size = list(connections_to_peers.items()) connections_sorted_by_size.sort(reverse=True) return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) From 51eb02b7ccac4a469cc5efa6ef38dd75263db595 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 17 Mar 2024 14:48:11 +0200 Subject: [PATCH 40/89] Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 22 +---- nca/FWRules/MinimizeCsFWRulesOpt.py | 140 +++++++++++++++++++++------- 2 files changed, 110 insertions(+), 52 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 1d972429a..5b8b4f768 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -214,40 +214,22 @@ def get_peer_set(self): return PeerSet(self.get_pods_set()) @staticmethod - def create_fw_elements_from_base_element(base_elem, cluster_info, output_config, split_ip_blocks): + def create_fw_elements_from_base_element(base_elem, cluster_info, output_config): """ create a list of fw-rule-elements from base-element :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration - :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; - after moving to optimized HC implementation we will never split IpBlocks. :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] """ if isinstance(base_elem, ClusterEP): return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] elif isinstance(base_elem, IpBlock): - if split_ip_blocks: - return [IPBlockElement(ip) for ip in base_elem.split()] - return [IPBlockElement(base_elem)] + return [IPBlockElement(ip) for ip in base_elem.split()] elif isinstance(base_elem, K8sNamespace): return [FWRuleElement({base_elem}, cluster_info)] elif isinstance(base_elem, DNSEntry): return [DNSElement(base_elem)] - elif isinstance(base_elem, PeerSet): - pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) - ipblocks_and_dns = base_elem - pods - res = [] - while pods: - ns = list(pods)[0].namespace - ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) - res.append(PeerSetElement(ns_pods)) - pods -= ns_pods - if ipblocks_and_dns: - for peer in base_elem: - res.extend(FWRuleElement.create_fw_elements_from_base_element(peer, cluster_info, output_config, - split_ip_blocks)) - return res # unknown base-elem type return None diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 6387afc90..c5524d2e3 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -3,9 +3,11 @@ # SPDX-License-Identifier: Apache2.0 # +from collections import defaultdict from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod +from nca.Resources.OtherResources.K8sNamespace import K8sNamespace from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement from .MinimizeBasic import MinimizeBasic @@ -27,8 +29,7 @@ def __init__(self, cluster_info, output_config): self.peer_props = ConnectivityProperties() self.connections = ConnectionSet() self.peer_props_in_containing_connections = ConnectivityProperties() - self.ns_pairs = set() - self.ns_ns_props = ConnectivityProperties() + self.ns_set_pairs = set() self.peer_pairs_with_partial_ns_expr = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() @@ -46,7 +47,7 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_props, connection set class members used in computation of fw-rules: - self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections + self.ns_set_pairs : pairs of sets of namespaces, grouped together self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current @@ -59,8 +60,7 @@ class members used in computation of fw-rules: self.peer_props = peer_props self.connections = connections self.peer_props_in_containing_connections = peer_props_in_containing_connections - self.ns_pairs = set() - self.ns_ns_props = ConnectivityProperties() + self.ns_set_pairs = set() self.peer_pairs_with_partial_ns_expr = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() @@ -79,7 +79,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_pairs to ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + # partition peer_props to ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -88,7 +88,7 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + Results are at: ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr :return: None """ self._compute_covered_peer_props() @@ -98,16 +98,21 @@ def _compute_basic_namespace_grouping(self): dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs + src_ns_to_dst_ns = defaultdict(set) for src_ns in src_ns_set: for dst_ns in dst_ns_set: ns_product_props = \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): - self.ns_ns_props |= ns_product_props - self.ns_pairs |= {(src_ns, dst_ns)} + src_ns_to_dst_ns[src_ns].add(dst_ns) else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + dst_ns_to_src_ns = defaultdict(set) + for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): + dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) + for dst_ns_set, src_ns_set in dst_ns_to_src_ns.items(): + self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") @@ -148,21 +153,25 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not # in the grouping computation - for ns in ns_set: - ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - dim_name = "src_peers" if is_src_ns else "dst_peers" - other_dim_name = "dst_peers" if is_src_ns else "src_peers" - paired_to_ns_peers = PeerSet() - for cube in self.peer_props_without_ns_expr: - conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) - dim_peers = conn_cube[dim_name] + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + for cube in self.peer_props_without_ns_expr: + conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + other_dim_peers = conn_cube[other_dim_name].canonical_form() + curr_ns_set = set() + curr_ns_peers = PeerSet() + for ns in ns_set: + ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) if ns_peers.issubset(dim_peers): - paired_to_ns_peers |= conn_cube[other_dim_name] - paired_to_ns_peers = paired_to_ns_peers.canonical_form() - self.peer_pairs_with_partial_ns_expr.add((ns, paired_to_ns_peers) if is_src_ns else (paired_to_ns_peers, ns)) - self.peer_props_without_ns_expr -= \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: PeerSet(self.cluster_info.ns_dict[ns]), - other_dim_name: paired_to_ns_peers}) + curr_ns_set.add(ns) + curr_ns_peers |= ns_peers + if curr_ns_set: + self.peer_pairs_with_partial_ns_expr.add((frozenset(curr_ns_set), other_dim_peers) if is_src_ns + else (other_dim_peers, frozenset(curr_ns_set))) + self.peer_props_without_ns_expr -= \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers}) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ @@ -180,6 +189,23 @@ def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_ele fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) return [fw_rule] + def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): + """ + Group a given set of pods by labels, and create FWRuleElements according to the grouping + :param PeerSet pods_set: a set of pods to be grouped by labels + :return: the resulting element list + """ + res = [] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, set()) + for (key, values, ns_info) in chosen_rep: + map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) + all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) + pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) + res.append(PodLabelsElement(pod_label_expr, ns_info, self.cluster_info)) + if remaining_pods: + res.append(PeerSetElement(PeerSet(remaining_pods))) + return res + def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, make_peer_sets=False): """ @@ -233,8 +259,8 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) + res.extend(self._create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + self.output_config)) return res def _create_initial_fw_rules_from_peer_props(self, peer_props): @@ -244,12 +270,64 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): conn_cube = min_peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] - # whole peers sets were handled in self.ns_pairs and self.peer_pairs_with_partial_ns_expr + # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr assert src_peers and dst_peers - res.extend(FWRule.create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, - self.cluster_info, self.output_config)) + res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + self.cluster_info, self.output_config)) return res + def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_info, output_config): + """ + create fw-rules from single pair of base elements (src,dst) and a given connection set + :param ConnectionSet connections: the allowed connections from src to dst + :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock + :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration + :return: list with created fw-rules + :rtype list[FWRule] + """ + src_elem = self._create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = self._create_fw_elements_from_base_element(dst, cluster_info, output_config) + if src_elem is None or dst_elem is None: + return [] + return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] + + def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_config): + """ + create a list of fw-rule-elements from base-element + :param base_elem: of type ClusterEP/IpBlock/K8sNamespace/DNSEntry + :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info + :param OutputConfiguration output_config: an object holding output configuration + after moving to optimized HC implementation we will never split IpBlocks. + :return: list fw-rule-elements of type: list[PodElement]/list[IPBlockElement]/list[FWRuleElement]/list[DNSElement] + """ + if isinstance(base_elem, ClusterEP): + return [PodElement(base_elem, output_config.outputEndpoints == 'deployments')] + elif isinstance(base_elem, IpBlock): + return [IPBlockElement(base_elem)] + elif isinstance(base_elem, K8sNamespace): + return [FWRuleElement({base_elem}, cluster_info)] + elif isinstance(base_elem, DNSEntry): + return [DNSElement(base_elem)] + elif isinstance(base_elem, PeerSet): + pods = PeerSet(base_elem.get_set_without_ip_block_or_dns_entry()) + ipblocks_and_dns = base_elem - pods + res = [] + while pods: + ns = list(pods)[0].namespace + ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) + res.extend(self._create_fw_elements_by_pods_grouping_by_labels(ns_pods)) + pods -= ns_pods + if ipblocks_and_dns: + for peer in base_elem: + res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) + return res + elif isinstance(base_elem, frozenset): # set of namespaces + return [FWRuleElement(set(base_elem), cluster_info)] + # unknown base-elem type + return None + def _create_all_initial_fw_rules(self): """ Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) @@ -258,7 +336,7 @@ def _create_all_initial_fw_rules(self): """ initial_fw_rules = [] - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) + initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) initial_fw_rules.extend( self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) @@ -270,10 +348,8 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() - # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per - # all ConnectionSet pairs) # option1 - start computation when src is fixed at first iteration, and merge applies to dst option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) From fedb46f5c37ede4c0f111aabe7d4b766f3d473c4 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 17 Mar 2024 14:53:56 +0200 Subject: [PATCH 41/89] Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 8 +++----- nca/FWRules/MinimizeFWRules.py | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 5b8b4f768..c5a28b98c 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -709,7 +709,7 @@ def get_rule_in_req_format(self, req_format): return None @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config, split_ip_blocks=False): + def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set :param ConnectionSet connections: the allowed connections from src to dst @@ -717,13 +717,11 @@ def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, outp :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info :param OutputConfiguration output_config: an object holding output configuration - :param bool split_ip_blocks: whether to split IpBlocks. This flag is for alignment with original implementation; - after moving to optimized HC implementation we will never split IpBlocks. :return: list with created fw-rules :rtype list[FWRule] """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config, split_ip_blocks) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config, split_ip_blocks) + src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) + dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index 391de6c03..dab616015 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -272,7 +272,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): res = [] for (src, dst) in base_elems_pairs: res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config, True)) + self.output_config)) return res def _create_all_initial_fw_rules(self): From 79454dba7d49a27b1eecdf61a78013323ecc1774 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 19 Mar 2024 17:34:10 +0200 Subject: [PATCH 42/89] More optimization in calculation partial ns grouping. Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 10 ++++++++-- nca/FWRules/MinimizeCsFWRulesOpt.py | 30 ++++++++++++++++++---------- 2 files changed, 27 insertions(+), 13 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index e8af72468..ab301cd98 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -514,14 +514,20 @@ def minimize(self): """ Try to minimize the current properties by changing the order between "src_peers" and "dst_peers" dimensions """ + new_props = self.reorder_by_switching_src_dst_peers() + return self if len(self) <= len(new_props) else new_props + + def reorder_by_switching_src_dst_peers(self): + """ + Reorder self by switching the order between "src_peers" and "dst_peers" dimensions + """ new_all_dims_map = [i for i in range(len(self.all_dimensions_list))] src_peers_index = self.all_dimensions_list.index("src_peers") dst_peers_index = self.all_dimensions_list.index("dst_peers") # switch between "src_peers" and "dst_peers" dimensions new_all_dims_map[src_peers_index] = dst_peers_index new_all_dims_map[dst_peers_index] = src_peers_index - new_props = self._reorder_by_dim_list(new_all_dims_map) - return self if len(self) <= len(new_props) else new_props + return self._reorder_by_dim_list(new_all_dims_map) def _reorder_by_dim_list(self, new_all_dims_map): """ diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index c5524d2e3..bb3a27307 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -93,19 +93,20 @@ def _compute_basic_namespace_grouping(self): """ self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") if isinstance(src, Pod)) - dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) - for src_ns in src_ns_set: - for dst_ns in dst_ns_set: + for src_ns in all_src_ns_set: + for dst_ns in all_dst_ns_set: ns_product_props = \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): src_ns_to_dst_ns[src_ns].add(dst_ns) + self.covered_peer_props -= ns_product_props else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props dst_ns_to_src_ns = defaultdict(set) @@ -124,9 +125,10 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props # compute pairs with src as pod/ip-block and dest as namespace - self._compute_peer_pairs_with_partial_ns_expr(dst_ns_set, False) + self._compute_peer_pairs_with_partial_ns_expr(all_dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod - self._compute_peer_pairs_with_partial_ns_expr(src_ns_set, True) + if self.peer_props_without_ns_expr: + self._compute_peer_pairs_with_partial_ns_expr(all_src_ns_set, True) def _compute_covered_peer_props(self): """ @@ -155,8 +157,12 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" - for cube in self.peer_props_without_ns_expr: - conn_cube = self.peer_props_without_ns_expr.get_connectivity_cube(cube) + # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, + # thus allowing overlapping of fw rules. Also, we start from optimal order betwen src_peers and dst_peers, + # based on whether we search for whole src or dst namespace. + props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + for cube in props: + conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() curr_ns_set = set() @@ -319,9 +325,8 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ ns_pods = pods & PeerSet(cluster_info.ns_dict[ns]) res.extend(self._create_fw_elements_by_pods_grouping_by_labels(ns_pods)) pods -= ns_pods - if ipblocks_and_dns: - for peer in base_elem: - res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) + for peer in ipblocks_and_dns: + res.extend(self._create_fw_elements_from_base_element(peer, cluster_info, output_config)) return res elif isinstance(base_elem, frozenset): # set of namespaces return [FWRuleElement(set(base_elem), cluster_info)] @@ -350,6 +355,9 @@ def _add_all_fw_rules(self): """ # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() + self.minimized_fw_rules = initial_fw_rules + return # Tanya: temp + # TODO - remove the code below after checking and updating all expected results # option1 - start computation when src is fixed at first iteration, and merge applies to dst option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) From 1d411e4dae2bfa3ba60e439f27f611b4138d09f0 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 19 Mar 2024 17:37:25 +0200 Subject: [PATCH 43/89] Fixed lint error Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bb3a27307..bdd89c2e9 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -94,9 +94,9 @@ def _compute_basic_namespace_grouping(self): self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") - if isinstance(src, Pod)) + if isinstance(src, Pod)) all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") - if isinstance(dst, Pod)) + if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) for src_ns in all_src_ns_set: From 11c15ffb8e446100a615e021c668d5f6b4751419 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 15:47:20 +0200 Subject: [PATCH 44/89] Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 39 ++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 9 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bdd89c2e9..e142d139e 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -93,9 +93,9 @@ def _compute_basic_namespace_grouping(self): """ self._compute_covered_peer_props() # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - all_src_ns_set = set(src.namespace for src in self.peer_props.project_on_one_dimension("src_peers") + all_src_ns_set = set(src.namespace for src in self.covered_peer_props.project_on_one_dimension("src_peers") if isinstance(src, Pod)) - all_dst_ns_set = set(dst.namespace for dst in self.peer_props.project_on_one_dimension("dst_peers") + all_dst_ns_set = set(dst.namespace for dst in self.covered_peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs src_ns_to_dst_ns = defaultdict(set) @@ -105,8 +105,11 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) if ns_product_props.contained_in(self.covered_peer_props): - src_ns_to_dst_ns[src_ns].add(dst_ns) self.covered_peer_props -= ns_product_props + if ns_product_props & self.peer_props: + # ensure that the found ns-pair is at least partially included in the current connections' properties + # (rather than being wholly contained in containing connections' properties) + src_ns_to_dst_ns[src_ns].add(dst_ns) else: self.peer_props_without_ns_expr |= ns_product_props & self.peer_props dst_ns_to_src_ns = defaultdict(set) @@ -158,9 +161,10 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, - # thus allowing overlapping of fw rules. Also, we start from optimal order betwen src_peers and dst_peers, + # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, # based on whether we search for whole src or dst namespace. props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + ns_set_to_peer_set = defaultdict(PeerSet) for cube in props: conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] @@ -173,11 +177,28 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): curr_ns_set.add(ns) curr_ns_peers |= ns_peers if curr_ns_set: - self.peer_pairs_with_partial_ns_expr.add((frozenset(curr_ns_set), other_dim_peers) if is_src_ns - else (other_dim_peers, frozenset(curr_ns_set))) - self.peer_props_without_ns_expr -= \ - ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, - other_dim_name: other_dim_peers}) + ns_set_to_peer_set[frozenset(curr_ns_set)] |= other_dim_peers + for curr_ns_set, other_dim_peers in ns_set_to_peer_set.items(): + curr_ns_peers = PeerSet(set.union(*[self.cluster_info.ns_dict[ns] for ns in curr_ns_set])) + other_dim_peers_without_ip_block = PeerSet(other_dim_peers.get_set_without_ip_block()) + other_dim_peers_ip_block = other_dim_peers.get_ip_block_canonical_form().get_peer_set() + curr_covered_without_ip_block = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers_without_ip_block}) + curr_covered_ip_block = \ + ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ns_peers, + other_dim_name: other_dim_peers_ip_block}) + # ensure that the found pairs (with and without IpBlocks) are at least partially included + # in the current connections' properties (rather than being wholly contained + # in containing connections' properties) + if self.peer_props_without_ns_expr & curr_covered_without_ip_block: + self.peer_props_without_ns_expr -= curr_covered_without_ip_block + self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns + else (other_dim_peers_without_ip_block, curr_ns_set)) + if self.peer_props_without_ns_expr & curr_covered_ip_block: + self.peer_props_without_ns_expr -= curr_covered_ip_block + self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns + else (other_dim_peers_ip_block, curr_ns_set)) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From e54149880bd9cffafb68517f86df73635a646ec4 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 17:57:49 +0200 Subject: [PATCH 45/89] One more refinemenet of basic namespace grouping Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index e142d139e..030e3d17c 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -173,7 +173,9 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): curr_ns_peers = PeerSet() for ns in ns_set: ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - if ns_peers.issubset(dim_peers): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, + other_dim_name: other_dim_peers}) + if ns_peers.issubset(dim_peers) and (curr_covered & self.peer_props_without_ns_expr): curr_ns_set.add(ns) curr_ns_peers |= ns_peers if curr_ns_set: From 63c2eca0c2d541cc3c81eefd7d996e1584c37149 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 24 Mar 2024 19:40:24 +0200 Subject: [PATCH 46/89] One more refinemenet of basic namespace grouping Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 22 +++++++++++++++++++--- 1 file changed, 19 insertions(+), 3 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 030e3d17c..a320f2d83 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -294,9 +294,25 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): def _create_initial_fw_rules_from_peer_props(self, peer_props): res = [] - min_peer_props = peer_props.minimize() - for cube in min_peer_props: - conn_cube = min_peer_props.get_connectivity_cube(cube) + # first, try to group peers paired with src/dst ipblocks + ipblock = IpBlock.get_all_ips_block_peer_set() + src_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": ipblock}) & peer_props + if src_ipblock_props: + res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) + peer_props -= src_ipblock_props + dst_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"dst_peers": ipblock}) & peer_props + if dst_ipblock_props: + res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) + peer_props -= dst_ipblock_props + # now group the rest of peers + if peer_props: + res.extend(self._create_fw_rules_from_peer_props_aux(peer_props.minimize())) + return res + + def _create_fw_rules_from_peer_props_aux(self, peer_props): + res = [] + for cube in peer_props: + conn_cube = peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr From 6fb48d3181462b757e00d1a12d220dfc0e3459c2 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 16:25:49 +0200 Subject: [PATCH 47/89] More refinemenets of peer grouping from properties Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 6 ++++-- nca/NetworkConfig/NetworkConfigQuery.py | 27 ++++++++++++++----------- 2 files changed, 19 insertions(+), 14 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index a320f2d83..b3217f309 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -298,12 +298,14 @@ def _create_initial_fw_rules_from_peer_props(self, peer_props): ipblock = IpBlock.get_all_ips_block_peer_set() src_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": ipblock}) & peer_props if src_ipblock_props: - res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) peer_props -= src_ipblock_props + src_ipblock_props = src_ipblock_props.reorder_by_switching_src_dst_peers() + res.extend(self._create_fw_rules_from_peer_props_aux(src_ipblock_props)) dst_ipblock_props = ConnectivityProperties.make_conn_props_from_dict({"dst_peers": ipblock}) & peer_props if dst_ipblock_props: - res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) peer_props -= dst_ipblock_props + res.extend(self._create_fw_rules_from_peer_props_aux(dst_ipblock_props)) + # now group the rest of peers if peer_props: res.extend(self._create_fw_rules_from_peer_props_aux(peer_props.minimize())) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 1a0795a5d..d9258951b 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -850,14 +850,11 @@ def compute_connectivity_output_optimized(self): "dst_peers": opt_peers_to_compare}) base_peers_num = len(opt_peers_to_compare) subset_peers = self.compute_subset(opt_peers_to_compare) - all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) all_conns_opt &= subset_conns - src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) - all_peers = src_peers | dst_peers all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) expl_conns = all_conns_opt if self.config.policies_container.layers.does_contain_istio_layers(): @@ -867,7 +864,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, all_peers) + ExplTracker().set_connections_and_peers(expl_conns, opt_peers_to_compare) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): @@ -929,14 +926,15 @@ def get_connectivity_output_full(self, connections, peers, peers_to_compare): formatted_rules, fw_rules = self.fw_rules_from_connections_dict(connections, peers_to_compare) return formatted_rules, fw_rules - def get_props_output_full(self, props, peers_to_compare): + def get_props_output_full(self, props, all_peers): """ get the connectivity map output considering all connections in the output :param ConnectivityProperties props: properties describing allowed connections - :param PeerSet peers_to_compare: the peers to consider for dot/fw-rules output + :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output :rtype ([Union[str, dict], MinimizeFWRules]) """ + peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) return dot_full, None @@ -944,7 +942,7 @@ def get_props_output_full(self, props, peers_to_compare): conns_wo_fw_rules = self.txt_no_fw_rules_format_from_props(props, peers_to_compare) return conns_wo_fw_rules, None # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_props(props, peers_to_compare) + formatted_rules, fw_rules = self.fw_rules_from_props(props, all_peers) return formatted_rules, fw_rules def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_compare): @@ -991,14 +989,15 @@ def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_comp res_str = formatted_rules_tcp + formatted_rules_non_tcp return res_str, fw_rules_tcp, fw_rules_non_tcp - def get_props_output_split_by_tcp(self, props, peers_to_compare): + def get_props_output_split_by_tcp(self, props, all_peers): """ get the connectivity map output as two parts: TCP and non-TCP :param ConnectivityProperties props: properties describing allowed connections - :param PeerSet peers_to_compare: the peers to consider for dot/fw-rules output + :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) """ + peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") connectivity_tcp_str = 'TCP' connectivity_non_tcp_str = 'non-TCP' props_tcp, props_non_tcp = self.convert_props_to_split_by_tcp(props) @@ -1015,8 +1014,8 @@ def get_props_output_split_by_tcp(self, props, peers_to_compare): res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp return res_str, None, None # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, peers_to_compare, + formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) + formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, connectivity_non_tcp_str) if self.output_config.outputFormat in ['json', 'yaml']: # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) @@ -1276,7 +1275,10 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, conns2 = no_conns if props_based_on_config1 else conns if self.output_config.fullExplanation: if self.config1.optimized_run == 'true': - different_conns_list.append(PeersAndConnections(str(src_peers), str(dst_peers), conns1, conns2)) + src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) + dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) + different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: # 'debug': produce the same output format as in the original implementation (per peer pairs) for src_peer in src_peers: for dst_peer in dst_peers: @@ -1741,6 +1743,7 @@ def compute_diff_original(self): # noqa: C901 return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key + # TODO - rewrite this function using new optimized fw-rules creation def compute_diff_optimized(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: From 4203525bb5446c96be7b7fb60e97c659fe078759 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 16:56:03 +0200 Subject: [PATCH 48/89] More refinemenets of peer grouping from properties Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 9 ++++++++- nca/FWRules/MinimizeCsFWRulesOpt.py | 3 +-- nca/NetworkConfig/NetworkConfigQuery.py | 12 +++++------- 3 files changed, 14 insertions(+), 10 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index ab301cd98..b0e9d36dd 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -472,6 +472,13 @@ def make_all_props(): """ return ConnectivityProperties(create_all=True) + def get_all_peers(self): + """ + Return all peers appearing in self. + :return: PeerSet + """ + return self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") + def are_auto_conns(self): """ :return: True iff the given connections are connections from peers to themselves, @@ -503,7 +510,7 @@ def get_auto_conns_from_peers(self): Build properties containing all connections from peer to itself, for all peers in the current properties :return: the resulting auto connections properties """ - peers = self.project_on_one_dimension("src_peers") | self.project_on_one_dimension("dst_peers") + peers = self.get_all_peers() auto_conns = ConnectivityProperties() for peer in peers: auto_conns |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({peer}), diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index b3217f309..bcbaeb784 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -140,8 +140,7 @@ def _compute_covered_peer_props(self): :return: None """ covered_peer_props = self.peer_props | self.peer_props_in_containing_connections - all_peers_set = self.peer_props.project_on_one_dimension("src_peers") |\ - self.peer_props.project_on_one_dimension("dst_peers") + all_peers_set = self.peer_props.get_all_peers() for pod in all_peers_set: if isinstance(pod, ClusterEP): covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index d9258951b..c4a8a81d9 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -840,8 +840,7 @@ def compute_connectivity_output_optimized(self): all_conns_opt = opt_conns.all_allowed_conns opt_peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) # add all relevant IpBlocks, used in connections - opt_peers_to_compare |= all_conns_opt.project_on_one_dimension('src_peers') | \ - all_conns_opt.project_on_one_dimension('dst_peers') + opt_peers_to_compare |= all_conns_opt.get_all_peers() if exclude_ipv6: # remove connections where any of src_peers or dst_peers contain automatically-added IPv6 blocks, # while keeping connections with IPv6 blocks directly referenced in policies @@ -864,7 +863,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, opt_peers_to_compare) + ExplTracker().set_connections_and_peers(expl_conns, all_conns_opt.get_all_peers()) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): @@ -934,7 +933,7 @@ def get_props_output_full(self, props, all_peers): whereas all other values should be filtered out in the output :rtype ([Union[str, dict], MinimizeFWRules]) """ - peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") + peers_to_compare = props.get_all_peers() if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) return dot_full, None @@ -997,7 +996,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): whereas all other values should be filtered out in the output :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) """ - peers_to_compare = props.project_on_one_dimension("src_peers") | props.project_on_one_dimension("dst_peers") + peers_to_compare = props.get_all_peers() connectivity_tcp_str = 'TCP' connectivity_non_tcp_str = 'non-TCP' props_tcp, props_non_tcp = self.convert_props_to_split_by_tcp(props) @@ -1244,8 +1243,7 @@ def filter_conns_by_input_or_internal_constraints(self, conns1, conns2): :rtype: [ConnectivityProperties, ConnectivityProperties] :return: two resulting allowed connections """ - all_peers = conns1.project_on_one_dimension('src_peers') | conns1.project_on_one_dimension('dst_peers') | \ - conns2.project_on_one_dimension('src_peers') | conns2.project_on_one_dimension('dst_peers') + all_peers = conns1.get_all_peers() | conns2.get_all_peers() exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) conns_filter = ConnectivityProperties.make_all_props() From 62aa803b587dbab85032ddb206fc7af92d627da7 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 26 Mar 2024 17:11:30 +0200 Subject: [PATCH 49/89] More refinements of peer grouping from properties Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index c4a8a81d9..48e7d466a 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -849,11 +849,14 @@ def compute_connectivity_output_optimized(self): "dst_peers": opt_peers_to_compare}) base_peers_num = len(opt_peers_to_compare) subset_peers = self.compute_subset(opt_peers_to_compare) + all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) all_conns_opt &= subset_conns + src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) + all_peers = src_peers | dst_peers all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) expl_conns = all_conns_opt if self.config.policies_container.layers.does_contain_istio_layers(): @@ -863,7 +866,7 @@ def compute_connectivity_output_optimized(self): else: output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) if ExplTracker().is_active(): - ExplTracker().set_connections_and_peers(expl_conns, all_conns_opt.get_all_peers()) + ExplTracker().set_connections_and_peers(expl_conns, all_peers) return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp def exec(self): From 70d2aaf7bae4f087fcd98be87149ba2fc85def43 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 31 Mar 2024 17:58:25 +0300 Subject: [PATCH 50/89] Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya --- nca/FWRules/FWRule.py | 6 +- nca/FWRules/MinimizeCsFWRulesOpt.py | 144 +++++++++++++++++++--------- 2 files changed, 102 insertions(+), 48 deletions(-) diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index c5a28b98c..7e511b43b 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -387,8 +387,7 @@ def get_pod_str(self): """ :return: string for the field src_pods or dst_pods in representation for txt rule format """ - sorted_pods_names = ', '.join(sorted(self._get_pods_names().split(', '))) - return f'[{sorted_pods_names}]' + return f'[{self._get_pods_names()}]' def _get_pods_names(self): res = '' @@ -400,7 +399,8 @@ def _get_pods_names(self): unique_names.add(peer.owner_name) else: res += (', ' if res else '') + peer.name - return res + sorted_res = ', '.join(sorted(res.split(', '))) + return sorted_res def __str__(self): """ diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index bcbaeb784..813c65902 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -30,7 +30,7 @@ def __init__(self, cluster_info, output_config): self.connections = ConnectionSet() self.peer_props_in_containing_connections = ConnectivityProperties() self.ns_set_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() + self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() self.results_info_per_option = dict() @@ -48,10 +48,10 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_props, class members used in computation of fw-rules: self.ns_set_pairs : pairs of sets of namespaces, grouped together - self.peer_pairs_with_partial_ns_expr: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension - self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping - self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current - connection-set (but not necessarily only limited to current connection set) + self.base_elem_pairs: pairs of (peer,ns) or (ns,peer), with ns-grouping for one dimension + self.peer_props_without_ns_expr: properties containing peers without possible ns/full IpBlock grouping + self.covered_peer_props: properties of all peer sets for which communication is allowed in current + or containing connection-set :return: minimized_fw_rules: a list of fw-rules (of type list[FWRule]) @@ -61,7 +61,7 @@ class members used in computation of fw-rules: self.connections = connections self.peer_props_in_containing_connections = peer_props_in_containing_connections self.ns_set_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() + self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() self.covered_peer_props = ConnectivityProperties() self.results_info_per_option = dict() @@ -79,7 +79,7 @@ def _create_fw_rules(self): The main function for creating the minimized set of fw-rules for a given connection set :return: None """ - # partition peer_props to ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # partition peer_props to ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr self._compute_basic_namespace_grouping() # add all fw-rules: @@ -87,8 +87,8 @@ def _create_fw_rules(self): def _compute_basic_namespace_grouping(self): """ - computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_pairs_without_ns_expr + computation of peer sets with possible grouping by namespaces. + Results are at: ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr :return: None """ self._compute_covered_peer_props() @@ -97,28 +97,7 @@ def _compute_basic_namespace_grouping(self): if isinstance(src, Pod)) all_dst_ns_set = set(dst.namespace for dst in self.covered_peer_props.project_on_one_dimension("dst_peers") if isinstance(dst, Pod)) - # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs - src_ns_to_dst_ns = defaultdict(set) - for src_ns in all_src_ns_set: - for dst_ns in all_dst_ns_set: - ns_product_props = \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), - "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) - if ns_product_props.contained_in(self.covered_peer_props): - self.covered_peer_props -= ns_product_props - if ns_product_props & self.peer_props: - # ensure that the found ns-pair is at least partially included in the current connections' properties - # (rather than being wholly contained in containing connections' properties) - src_ns_to_dst_ns[src_ns].add(dst_ns) - else: - self.peer_props_without_ns_expr |= ns_product_props & self.peer_props - dst_ns_to_src_ns = defaultdict(set) - for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): - dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) - for dst_ns_set, src_ns_set in dst_ns_to_src_ns.items(): - self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) - - # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? + self._compute_full_ns_grouping(all_src_ns_set, all_dst_ns_set) src_peers_without_ns = PeerSet(set(src for src in self.peer_props.project_on_one_dimension("src_peers") if isinstance(src, (IpBlock, HostEP, DNSEntry)))) dst_peers_without_ns = PeerSet(set(dst for dst in self.peer_props.project_on_one_dimension("dst_peers") @@ -128,10 +107,14 @@ def _compute_basic_namespace_grouping(self): ConnectivityProperties.make_conn_props_from_dict({"dst_peers": dst_peers_without_ns}) self.peer_props_without_ns_expr |= props_with_elems_without_ns & self.peer_props # compute pairs with src as pod/ip-block and dest as namespace - self._compute_peer_pairs_with_partial_ns_expr(all_dst_ns_set, False) + self._compute_partial_ns_grouping(all_dst_ns_set, False) # compute pairs with src as pod/ip-block namespace dest as pod if self.peer_props_without_ns_expr: - self._compute_peer_pairs_with_partial_ns_expr(all_src_ns_set, True) + self._compute_partial_ns_grouping(all_src_ns_set, True) + if self.peer_props_without_ns_expr: + self._compute_full_ipblock_grouping(False) + if self.peer_props_without_ns_expr: + self._compute_full_ipblock_grouping(True) def _compute_covered_peer_props(self): """ @@ -147,16 +130,55 @@ def _compute_covered_peer_props(self): "dst_peers": PeerSet({pod})}) self.covered_peer_props = covered_peer_props - def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): + def _compute_full_ns_grouping(self, all_src_ns_set, all_dst_ns_set): + """ + Compute pairs of ns sets that are grouped together, according to peer_props, + while possibly borrowing from covered_peer_props. Put the result in self.ns_set_pairs. + :param all_src_ns_set: relevant ns set of src peers + :param all_dst_ns_set: relevant ns set of dst peers """ - computes and updates self.peer_pairs_with_partial_ns_expr with pairs where only one elem (src/dst) + src_ns_to_dst_ns = defaultdict(set) + dst_ns_to_src_ns = defaultdict(set) + for src_ns in all_src_ns_set: + for dst_ns in all_dst_ns_set: + ns_product_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet(self.cluster_info.ns_dict[src_ns]), + "dst_peers": PeerSet(self.cluster_info.ns_dict[dst_ns])}) + if ns_product_props.contained_in(self.covered_peer_props): + self.covered_peer_props -= ns_product_props + if ns_product_props & self.peer_props: + # ensure that the found ns-pair is at least partially included in the current connections' properties + # (rather than being wholly contained in containing connections' properties) + src_ns_to_dst_ns[src_ns].add(dst_ns) + dst_ns_to_src_ns[dst_ns].add(src_ns) + else: + self.peer_props_without_ns_expr |= ns_product_props & self.peer_props + # Try src ns first or dst ns first, and choose the more compact grouping + final_src_ns_to_dst_ns = defaultdict(set) + final_dst_ns_to_src_ns = defaultdict(set) + for src_ns, dst_ns_set in src_ns_to_dst_ns.items(): + final_dst_ns_to_src_ns[frozenset(dst_ns_set)].add(src_ns) + for dst_ns, src_ns_set in dst_ns_to_src_ns.items(): + final_src_ns_to_dst_ns[frozenset(src_ns_set)].add(dst_ns) + if len(final_dst_ns_to_src_ns) <= len(final_src_ns_to_dst_ns): + for dst_ns_set, src_ns_set in final_dst_ns_to_src_ns.items(): + self.ns_set_pairs.add((frozenset(src_ns_set), dst_ns_set)) + else: + for src_ns_set, dst_ns_set in final_src_ns_to_dst_ns.items(): + self.ns_set_pairs.add((src_ns_set, frozenset(dst_ns_set))) + + @staticmethod + def is_full_ipblock(ipblock): + return ipblock == IpBlock.get_all_ips_block() or ipblock == IpBlock.get_all_ips_block(True, False) \ + or ipblock == IpBlock.get_all_ips_block(False, True) + + def _compute_partial_ns_grouping(self, ns_set, is_src_ns): + """ + computes and updates self.base_elem_pairs with pairs where only one elem (src/dst) can be grouped to an entire namespace :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) :return: None """ - # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not - # in the grouping computation - dim_name = "src_peers" if is_src_ns else "dst_peers" other_dim_name = "dst_peers" if is_src_ns else "src_peers" # We search for partial ns grouping in self.covered_peer_props rather than in self.peer_props_without_ns_expr, @@ -194,13 +216,45 @@ def _compute_peer_pairs_with_partial_ns_expr(self, ns_set, is_src_ns): # in containing connections' properties) if self.peer_props_without_ns_expr & curr_covered_without_ip_block: self.peer_props_without_ns_expr -= curr_covered_without_ip_block - self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns + self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns else (other_dim_peers_without_ip_block, curr_ns_set)) if self.peer_props_without_ns_expr & curr_covered_ip_block: self.peer_props_without_ns_expr -= curr_covered_ip_block - self.peer_pairs_with_partial_ns_expr.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns + self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) + def _compute_full_ipblock_grouping(self, is_src_ns): + """ + computes and updates self.base_elem_pairs with pairs where one elem (src/dst) + can be grouped to an entire IpBlock + :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as IpBlock (True) or dst (False) + :return: None + """ + + dim_name = "src_peers" if is_src_ns else "dst_peers" + other_dim_name = "dst_peers" if is_src_ns else "src_peers" + # We search for grouping by full IpBlock in self.covered_peer_props rather than in self.peer_props_without_ns_expr, + # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, + # based on whether we search for full src or dst IpBlock + props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props + ipblock_to_peer_set = defaultdict(PeerSet) + for cube in props: + conn_cube = props.get_connectivity_cube(cube) + dim_peers = conn_cube[dim_name] + other_dim_peers = conn_cube[other_dim_name].canonical_form() + ipblock = dim_peers.get_ip_block_canonical_form() + if self.is_full_ipblock(ipblock): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ipblock.get_peer_set(), + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + ipblock_to_peer_set[ipblock] |= other_dim_peers + for curr_ipblock, other_dim_peers in ipblock_to_peer_set.items(): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ipblock.get_peer_set(), + other_dim_name: other_dim_peers}) + self.peer_props_without_ns_expr -= curr_covered + self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns + else (other_dim_peers, curr_ipblock.get_peer_set())) + def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ create a fw-rule from a fixed-elem and a set of namespaces @@ -231,7 +285,7 @@ def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) res.append(PodLabelsElement(pod_label_expr, ns_info, self.cluster_info)) if remaining_pods: - res.append(PeerSetElement(PeerSet(remaining_pods))) + res.append(PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments')) return res def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, @@ -262,7 +316,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se # TODO: should avoid having single pods remaining without labels grouping # (2) add rules for remaining single pods: if make_peer_sets and remaining_pods: - peer_set_elem = PeerSetElement(PeerSet(remaining_pods)) + peer_set_elem = PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments') if is_src_fixed: fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) else: @@ -316,7 +370,7 @@ def _create_fw_rules_from_peer_props_aux(self, peer_props): conn_cube = peer_props.get_connectivity_cube(cube) src_peers = conn_cube["src_peers"] dst_peers = conn_cube["dst_peers"] - # whole peers sets were handled in self.ns_set_pairs and self.peer_pairs_with_partial_ns_expr + # whole peers sets were handled in self.ns_set_pairs and self.base_elem_pairs assert src_peers and dst_peers res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, self.cluster_info, self.output_config)) @@ -384,7 +438,7 @@ def _create_all_initial_fw_rules(self): initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) + self._create_initial_fw_rules_from_base_elements_list(self.base_elem_pairs)) return initial_fw_rules def _add_all_fw_rules(self): @@ -393,7 +447,7 @@ def _add_all_fw_rules(self): Results are at: self.minimized_rules_set :return: None """ - # create initial fw-rules from ns_set_pairs, peer_pairs_with_partial_ns_expr, peer_props_without_ns_expr + # create initial fw-rules from ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr initial_fw_rules = self._create_all_initial_fw_rules() self.minimized_fw_rules = initial_fw_rules return # Tanya: temp From a98798f54c2e3b9ef537076e7edced376ecd7732 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 31 Mar 2024 18:06:52 +0300 Subject: [PATCH 51/89] Fixing lint errors. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 813c65902..cd2a70916 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -217,11 +217,11 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): if self.peer_props_without_ns_expr & curr_covered_without_ip_block: self.peer_props_without_ns_expr -= curr_covered_without_ip_block self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns - else (other_dim_peers_without_ip_block, curr_ns_set)) + else (other_dim_peers_without_ip_block, curr_ns_set)) if self.peer_props_without_ns_expr & curr_covered_ip_block: self.peer_props_without_ns_expr -= curr_covered_ip_block self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns - else (other_dim_peers_ip_block, curr_ns_set)) + else (other_dim_peers_ip_block, curr_ns_set)) def _compute_full_ipblock_grouping(self, is_src_ns): """ @@ -253,7 +253,7 @@ def _compute_full_ipblock_grouping(self, is_src_ns): other_dim_name: other_dim_peers}) self.peer_props_without_ns_expr -= curr_covered self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns - else (other_dim_peers, curr_ipblock.get_peer_set())) + else (other_dim_peers, curr_ipblock.get_peer_set())) def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From a5c980895b0e95c3da236dbd7990f799fdf641f2 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 10:39:28 +0300 Subject: [PATCH 52/89] Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya --- nca/CoreDS/Peer.py | 13 +++++++++++++ nca/FWRules/ConnectivityGraph.py | 8 +++++--- 2 files changed, 18 insertions(+), 3 deletions(-) diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 4686f8f75..92cb50607 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -575,6 +575,19 @@ def canonical_form(self): # TODO: after moving to optimized HC implementation PeerSet may be always maintained in the canonical form return PeerSet(self.get_set_without_ip_block()) | self.get_ip_block_canonical_form().get_peer_set() + def split(self): + """ + Splits self's IpBlocks into multiple IpBlock objects, each containing a single range + Return the resulting PeerSet + """ + res = PeerSet() + for peer in self: + if isinstance(peer, IpBlock): + res |= peer.split() + else: + res.add(peer) + return res + def __eq__(self, other): # set comparison if self.get_set_without_ip_block() != other.get_set_without_ip_block(): diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 37f369539..7c3b66701 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,7 +6,7 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, PeerSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -60,8 +60,10 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container): """ conns, src_peers, dst_peers = \ MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) - for src_peer in src_peers: - for dst_peer in dst_peers: + split_src_peers = src_peers.split() + split_dst_peers = dst_peers.split() + for src_peer in split_src_peers: + for dst_peer in split_dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) def add_props_to_graph(self, props, peer_container): From 43d2e5b1849a128ff886132eba556a821a3a3cb2 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 10:41:21 +0300 Subject: [PATCH 53/89] Fixing lint error Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index 7c3b66701..a568d4cad 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,7 +6,7 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, PeerSet +from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo From 36edddf279449554f8d940473c574000b92e65ee Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 12:41:47 +0300 Subject: [PATCH 54/89] Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya --- nca/FWRules/ConnectivityGraph.py | 22 +++++++++++++++++----- nca/NetworkConfig/NetworkConfigQuery.py | 4 ++-- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index a568d4cad..fe9b5dc3a 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -7,6 +7,7 @@ from collections import defaultdict import networkx from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.ProtocolSet import ProtocolSet from .DotGraph import DotGraph from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -51,29 +52,40 @@ def add_edges(self, connections): """ self.connections_to_peers.update(connections) - def add_edges_from_cube_dict(self, conn_cube, peer_container): + def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the give cube :param ConnectivityCube conn_cube: the given cube whereas all other values should be filtered out in the output - :param PeerContainer peer_container: the peer container + :param PeerContainer peer_container: the peer container + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP, or not """ + + relevant_protocols = ProtocolSet() + if connectivity_restriction: + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container) + MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) split_src_peers = src_peers.split() split_dst_peers = dst_peers.split() for src_peer in split_src_peers: for dst_peer in split_dst_peers: self.connections_to_peers[conns].append((src_peer, dst_peer)) - def add_props_to_graph(self, props, peer_container): + def add_props_to_graph(self, props, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the given connectivity properties :param ConnectivityProperties props: the given connectivity properties :param PeerContainer peer_container: the peer container + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP, or not + """ for cube in props: - self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container) + self.add_edges_from_cube_dict(props.get_connectivity_cube(cube), peer_container, connectivity_restriction) def _get_peer_details(self, peer, format_requirement=False): """ diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 48e7d466a..13d95bc09 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1077,7 +1077,7 @@ def dot_format_from_props(self, props, peers, connectivity_restriction=None): :return the connectivity map in dot-format, considering connectivity_restriction if required """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_props_to_graph(props, self.config.peer_container) + conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) return conn_graph.get_connectivity_dot_format_str(connectivity_restriction) def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restriction=None): @@ -1090,7 +1090,7 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti :return the connectivity map in txt_no_fw_rules format, considering connectivity_restriction if required """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_props_to_graph(props, self.config.peer_container) + conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): From 91f13ffd1a2029a12208cc5f07e956b67e433a33 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 18:14:13 +0300 Subject: [PATCH 55/89] Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 13d95bc09..6a2896c5a 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1013,7 +1013,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): txt_no_fw_rules_tcp = self.txt_no_fw_rules_format_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) txt_no_fw_rules_non_tcp = self.txt_no_fw_rules_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) - res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp + res_str = txt_no_fw_rules_tcp + '\n\n' + txt_no_fw_rules_non_tcp return res_str, None, None # handle formats other than dot and txt_no_fw_rules formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) @@ -1091,7 +1091,7 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) + return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:") def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): """ From 55b2786ed89c5d336de6b917478c50ba1902d2e7 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 2 Apr 2024 18:28:33 +0300 Subject: [PATCH 56/89] Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 6a2896c5a..60c4ce3e1 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1091,7 +1091,8 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti """ conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) conn_graph.add_props_to_graph(props, self.config.peer_container, connectivity_restriction) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:") + return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:" + if connectivity_restriction else None) def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): """ From 05de16fe53ecd2aaced177d5143356319a895438 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 7 Apr 2024 12:23:26 +0300 Subject: [PATCH 57/89] Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya --- nca/CoreDS/Peer.py | 6 +++++ nca/FWRules/MinimizeCsFWRulesOpt.py | 41 ++++++++++++++++++++--------- 2 files changed, 35 insertions(+), 12 deletions(-) diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 92cb50607..40b1efce3 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -680,6 +680,12 @@ def get_set_without_ip_block_or_dns_entry(self): """ return set(elem for elem in self if not isinstance(elem, (IpBlock, DNSEntry))) + def get_dns_entries(self): + """ + :return: a set with all elements from self which are DNSEntries + """ + return set(elem for elem in self if isinstance(elem, DNSEntry)) + def get_ip_block_canonical_form(self): """ :return: IpBlock element in canonical form for all elements from self which are IpBlock diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index cd2a70916..7a0426e63 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -112,9 +112,9 @@ def _compute_basic_namespace_grouping(self): if self.peer_props_without_ns_expr: self._compute_partial_ns_grouping(all_src_ns_set, True) if self.peer_props_without_ns_expr: - self._compute_full_ipblock_grouping(False) + self._compute_full_ipblock_and_dns_grouping(False) if self.peer_props_without_ns_expr: - self._compute_full_ipblock_grouping(True) + self._compute_full_ipblock_and_dns_grouping(True) def _compute_covered_peer_props(self): """ @@ -223,7 +223,7 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) - def _compute_full_ipblock_grouping(self, is_src_ns): + def _compute_full_ipblock_and_dns_grouping(self, is_src_ns): """ computes and updates self.base_elem_pairs with pairs where one elem (src/dst) can be grouped to an entire IpBlock @@ -237,23 +237,40 @@ def _compute_full_ipblock_grouping(self, is_src_ns): # thus allowing overlapping of fw rules. Also, we start from optimal order between src_peers and dst_peers, # based on whether we search for full src or dst IpBlock props = self.covered_peer_props.reorder_by_switching_src_dst_peers() if is_src_ns else self.covered_peer_props - ipblock_to_peer_set = defaultdict(PeerSet) + ipblock_dnsentry_to_peer_set = defaultdict(PeerSet) for cube in props: conn_cube = props.get_connectivity_cube(cube) dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() ipblock = dim_peers.get_ip_block_canonical_form() if self.is_full_ipblock(ipblock): - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ipblock.get_peer_set(), - other_dim_name: other_dim_peers}) - if curr_covered & self.peer_props_without_ns_expr: - ipblock_to_peer_set[ipblock] |= other_dim_peers - for curr_ipblock, other_dim_peers in ipblock_to_peer_set.items(): - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_ipblock.get_peer_set(), + self._add_to_map_if_covered(dim_name, ipblock.get_peer_set(), other_dim_name, other_dim_peers, + ipblock_dnsentry_to_peer_set) + dns_entries = dim_peers.get_dns_entries() + if dns_entries: + self._add_to_map_if_covered(dim_name, dns_entries, other_dim_name, other_dim_peers, + ipblock_dnsentry_to_peer_set) + for curr_peers, other_dim_peers in ipblock_dnsentry_to_peer_set.items(): + curr_peers = PeerSet(set(curr_peers)) # peel off the frozenset + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: curr_peers, other_dim_name: other_dim_peers}) self.peer_props_without_ns_expr -= curr_covered - self.base_elem_pairs.add((curr_ipblock.get_peer_set(), other_dim_peers) if is_src_ns - else (other_dim_peers, curr_ipblock.get_peer_set())) + self.base_elem_pairs.add((curr_peers, other_dim_peers) if is_src_ns else (other_dim_peers, curr_peers)) + + def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_peers, peers_to_peers_map): + """ + An auxiliary method that checks whether the product of dim_peers and other_dim_peers is covered + by self.peer_props_without_ns_expr, and adds the peer sets to peers_to_peers_map if True. + :param str dim_name: the first dimension name + :param PeerSet dim_peers: a set of peers for the first dimension + :param str other_dim_name: the second dimension name + :param PeerSet other_dim_peers: a set of peers for the second dimension + :param dict peer_to_peer_map: the map from first dimention peers to second dimention peers + """ + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: dim_peers, + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + peers_to_peers_map[frozenset(dim_peers)] |= other_dim_peers def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): """ From 9ad18b1f3419bc864d9f3944b44f469a4ec0485d Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 12:29:43 +0300 Subject: [PATCH 58/89] Changed expected results of connectivity map query tests according to optimized runs Signed-off-by: Tanya --- ...obal-interferes-local-print-all-pairs.json | 430 +--- ...lobal-interferes-local-print-all-pairs.txt | 74 +- ...obal-interferes-local-print-all-pairs.yaml | 302 +-- ...and-sub-deny-not-equiv-all-peer-pairs.json | 144 +- ...-and-sub-deny-not-equiv-all-peer-pairs.txt | 25 +- ...and-sub-deny-not-equiv-all-peer-pairs.yaml | 101 +- ...stcase15_with_ingress_connectivity_map.txt | 57 +- .../testcase16-scheme_output.txt | 2 +- .../testcase18_connectivity_map.txt | 19 +- ...-connectivity_map_with_labels_to_apply.txt | 4 +- ...tcase19-deny-all-profiles-connectivity.txt | 9 +- ...-1-k8s-calico-istio-2_connectivity_map.txt | 5 +- ...alico-istio-ingress-2_connectivity_map.txt | 4 - ...-calico-istio-ingress_connectivity_map.txt | 4 - ...ig-1-k8s-calico-istio_connectivity_map.txt | 4 - ...g-1-k8s-istio-ingress_connectivity_map.txt | 13 +- .../livesim_test_all_txt.txt | 7 +- ...lico-testcase20-Eran_gnps_query_output.txt | 121 +- ...ico-testcase20-Eran_gnps_query_output.yaml | 1844 +---------------- ...e20-np_2_all_outbound_hep_query_output.txt | 5 +- ...20-np_2_all_outbound_hep_query_output.yaml | 21 - ...-np_3_outbound_hep_to_wep_query_output.txt | 5 +- ...np_3_outbound_hep_to_wep_query_output.yaml | 21 - ...und_all_namespaceSelector_query_output.txt | 5 +- ...nd_all_namespaceSelector_query_output.yaml | 21 - .../cyclonus-simple-example-scheme_output.txt | 2 +- ...cyclonus-simple-example-scheme_output.yaml | 14 +- .../istio-test1-scheme_query1_output.txt | 2 +- .../istio-test1-scheme_query1_output.yaml | 2 +- .../istio-test1-scheme_query2_output.txt | 3 +- .../istio-test1-scheme_query2_output.yaml | 10 - .../expected_output/poc1-scheme_output.csv | 4 +- .../expected_output/poc1-scheme_output.dot | 30 +- .../expected_output/poc1-scheme_output.md | 4 +- .../expected_output/poc1-scheme_output.txt | 4 +- .../expected_output/poc1-scheme_output.yaml | 8 +- .../expected_output/poc2-scheme_output.txt | 4 +- .../expected_output/poc2-scheme_output.yaml | 8 +- .../expected_output/poc3-scheme_output.txt | 4 +- .../expected_output/poc3-scheme_output.yaml | 8 +- ...4_scheme_connectivity_map_query_output.txt | 4 +- ..._scheme_connectivity_map_query_output.yaml | 8 +- ...loyment_fullname_and_global_subset_dot.dot | 8 - ...lobal_subset_endpoints_deployments_dot.dot | 8 - .../subset_deployment_fullname_subset_dot.dot | 1 - ...lname_subset_endpoints_deployments_dot.dot | 1 - .../expected_output/subset_labels2_dot.dot | 1 - ...bset_labels2_endpoints_deployments_dot.dot | 1 - .../expected_output/subset_labels3_dot.dot | 7 - ...bset_labels3_endpoints_deployments_dot.dot | 7 - .../expected_output/subset_labels6_dot.dot | 7 - ...bset_labels6_endpoints_deployments_dot.dot | 7 - .../expected_output/subset_no_subset_dot.dot | 3 - ...et_no_subset_endpoints_deployments_dot.dot | 3 - .../expected_output/test1-scheme_output.txt | 4 +- .../expected_output/test1-scheme_output.yaml | 12 +- .../expected_output/test13-scheme_output.txt | 4 +- .../expected_output/test13-scheme_output.yaml | 4 +- .../expected_output/test14-scheme_output.txt | 4 +- .../expected_output/test14-scheme_output.yaml | 4 +- .../expected_output/test16-scheme_output.txt | 5 +- .../expected_output/test16-scheme_output.yaml | 37 +- .../expected_output/test18-scheme_output.txt | 3 +- .../expected_output/test18-scheme_output.yaml | 9 +- .../expected_output/test2-scheme_output.txt | 4 +- .../expected_output/test2-scheme_output.yaml | 4 +- .../expected_output/test24-scheme_output.txt | 2 +- .../expected_output/test24-scheme_output.yaml | 2 +- ...me_connectivity_map_by_deployments_dot.dot | 2 - ...25-scheme_connectivity_map_by_pods_csv.csv | 3 +- ...25-scheme_connectivity_map_by_pods_dot.dot | 2 - ...25-scheme_connectivity_map_by_pods_txt.txt | 3 +- ...-scheme_connectivity_map_by_pods_yaml.yaml | 12 +- .../online_boutique/connectivity-scheme.yaml | 34 +- ...boutique_multi_layer_from_live_cluster.txt | 2 +- .../sidecars-disable-egress-scheme.yaml | 3 +- ...est-connectivity-map-missing-resources.dot | 53 +- ...-and-k8s-ingress-test-connectivity-map.dot | 54 +- ...est-connectivity-map-missing-resources.dot | 29 +- ...ex-istio-ingress-test-connectivity-map.dot | 29 +- ...est-connectivity-map-missing-resources.dot | 26 +- ...-k8s-ingress-all-test-connectivity-map.dot | 26 +- ..._adding_default_sidecar_after_specific.txt | 2 +- ...nectivity_map_bookinfo_default_sidecar.txt | 6 +- ...ap_bookinfo_multiple_sidecar_overrides.txt | 2 +- ...ific_sidecar_overrides_default_sidecar.txt | 3 +- ...rent_sidecars_override_default_sidecar.txt | 2 +- ...boutique_resources_with_istio_gateways.txt | 1 - ...utique_frontend_sidecar_disable_egress.txt | 1 - ...host_name_contains_service_entry_hosts.txt | 1 - ...ar_host_name_does_not_contain_se_hosts.txt | 1 - ...ly_istio_ingress_test_connectivity_map.txt | 11 +- .../istio_egress_test_connectivity_map.txt | 1 - .../istio_ingress_test_connectivity_map.txt | 3 +- .../new_online_boutique_connectivity_map.txt | 3 +- ...ne_boutique_synth_res_connectivity_map.txt | 4 +- ...ars-and-gateways-test-connectivity-map.txt | 1 - .../ipblocktest-conn-graph-no-fw-rules.txt | 178 +- .../k8s_ingress_test_connectivity_map.txt | 3 +- .../new_online_boutique_connectivity_map.txt | 4 +- ...outique_synthesis_res_connectivity_map.txt | 4 +- ...outique_synthesis_res_connectivity_map.txt | 4 +- 102 files changed, 431 insertions(+), 3600 deletions(-) diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json index 16f265dcd..6918997f7 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json @@ -12,434 +12,14 @@ "description": "Allowed connections from local_np which are extended in global_np", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "kube-system/calico-node-mgdlr", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "Protocol: TCP", "conns_config2": "No connections" }, { - "src": "default/cog-agents-d54st", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-gzdfm", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-wczq8", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/kube-fluentd-h6rjg", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-d54st", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-js4qc", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-agents-qr8gp", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/vpn-858f6d9777-2bw5m", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", + "src": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conns_config1": "All connections", "conns_config2": "No connections" } @@ -447,4 +27,4 @@ } ] } -] \ No newline at end of file +] diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt index b65db10c0..9fe82f7e6 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt @@ -1,74 +1,4 @@ global_np interferes with local_np Allowed connections from local_np which are extended in global_np: -src: default/cog-agents-d54st, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-d54st, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-js4qc, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-agents-qr8gp, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/calico-node-mgdlr, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-57ghx, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-gzdfm, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/keepalived-watcher-wczq8, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/kube-fluentd-h6rjg, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: global_np allows communication using protocol TCP while local_np does not. -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: kube-system/vpn-858f6d9777-2bw5m, description: global_np allows communication using protocol TCP while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/calico-node-mgdlr, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-57ghx, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-gzdfm, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/keepalived-watcher-wczq8, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/kube-fluentd-h6rjg, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/tiller-deploy-5c45c9966b-nqwz6, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-d54st, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-js4qc, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-agents-qr8gp, description: global_np allows all connections while local_np does not. -src: kube-system/vpn-858f6d9777-2bw5m, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, description: global_np allows all connections while local_np does not. +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication using protocol TCP while local_np does not. +src: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], description: global_np allows all connections while local_np does not. diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml index f63f2ebda..7dca5f580 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml @@ -7,291 +7,21 @@ explanation: - description: Allowed connections from local_np which are extended in global_np connections: - - src: default/cog-agents-d54st - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-d54st - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-js4qc - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-agents-qr8gp - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-gzdfm - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/keepalived-watcher-wczq8 - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/kube-fluentd-h6rjg - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/tiller-deploy-5c45c9966b-nqwz6 - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-d54st - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-js4qc - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-agents-qr8gp - conns_config1: All connections - conns_config2: No connections - - src: kube-system/vpn-858f6d9777-2bw5m - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' + conns_config1: 'Protocol: TCP' + conns_config2: No connections + - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conns_config1: All connections conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json index 6aca12634..5a01ea44b 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json @@ -12,146 +12,8 @@ "description": "Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst", "connections": [ { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/keepalived-watcher-57ghx", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "Protocol: TCP", - "conns_config2": "No connections" - }, - { - "src": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "dst": "kube-system/vpn-858f6d9777-2bw5m", + "src": "['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "Protocol: TCP", "conns_config2": "No connections" } @@ -159,4 +21,4 @@ } ] } -] \ No newline at end of file +] diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt index b6b2f3b2d..ce3a46ba8 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt @@ -1,26 +1,3 @@ np_SupsetAllowFirst and np_SubsetDenyFirst are not semantically equivalent. Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst: -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-57ghx, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/file-plugin-7bfb8b69bf-p86gk, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/keepalived-watcher-57ghx, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/calico-node-mgdlr, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-57ghx, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-gzdfm, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/keepalived-watcher-wczq8, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/kube-fluentd-h6rjg, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. -src: kube-system/storage-watcher-8494b4b8bb-f8csd, dst: kube-system/vpn-858f6d9777-2bw5m, description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. +src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml index 1c1718406..c6f78cb50 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml @@ -9,99 +9,12 @@ - description: Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst connections: - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/file-plugin-7bfb8b69bf-p86gk - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/keepalived-watcher-57ghx - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/calico-node-mgdlr - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-57ghx - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/kube-fluentd-h6rjg - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: 'Protocol: TCP' - conns_config2: No connections - - src: kube-system/storage-watcher-8494b4b8bb-f8csd - dst: kube-system/vpn-858f6d9777-2bw5m + - src: '[''kube-system/file-plugin-7bfb8b69bf-p86gk'', ''kube-system/keepalived-watcher-57ghx'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', + ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' conns_config1: 'Protocol: TCP' conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt index 1cf884728..ef33ae76f 100644 --- a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt @@ -1,50 +1,14 @@ final fw rules for query: connectivity_map, config: ip: -src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: ::/0 conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: TCP {'dst_ports': '80', 'hosts': 'first.bar.com', 'paths': '/abc/def(/*)?'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: TCP {'dst_ports': '80', 'hosts': 'second.bar.com', 'paths': '(/xyz(/*)?)-(/xyz)'} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [calico-node] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kube-fluentd] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst: ::/0 conn: All connections -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst: 0.0.0.0/0,::/0 conn: All connections +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: global-simple: src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: TCP 200-250 @@ -65,15 +29,4 @@ src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube- final fw rules for query: connectivity_map, config: global-not-simple-with-ingress: src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [calico-node] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [file-plugin-7bfb8b69bf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [heapster-7df8cb8c66] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-dns-amd64-d66bf76db] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-dns-autoscaler-78f5fdbd46] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kube-fluentd] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [kubernetes-dashboard-5b5f985bcf] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [storage-watcher-8494b4b8bb] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [tiller-deploy-5c45c9966b] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 diff --git a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt index 554889130..d1e1d5d0e 100644 --- a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt +++ b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt @@ -4,4 +4,4 @@ src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connectio src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 64.0.0.0-255.255.255.255 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: TCP diff --git a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt index 379dd8351..fb613ac88 100644 --- a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt @@ -1,17 +1,12 @@ final fw rules for query: connectivity_map, config: np-pod-based-policies: -src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: ::/0 conn: All connections -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: np-ports-based: -src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src: ::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst: ::/0 conn: All connections +src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections +src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: TCP -src_ns: [kube-system] src_pods: [*] dst: ::/0 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: TCP src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP diff --git a/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt b/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt index 94f0bdcb2..1ae6eb841 100644 --- a/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt +++ b/tests/calico_testcases/expected_output/testcase19-connectivity_map_with_labels_to_apply.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map_with_labels_to_apply, config: np9-cnc-fe-between-namespaces-with-label-to-apply: src: 0.0.0.0/0 dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections src_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections -src_ns: [acc-research,operia-benchmark] src_pods: [*] dst_ns: [cnc-fe] dst_pods: [*] conn: All connections +src_ns: [acc-research,operia-benchmark] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-fe,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections +src_ns: [blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,vtngc-data] src_pods: [*] dst_ns: [acc-research,blue-umbrella,cap-agent,cap-unauth,chaos-testing,cnc-clntn-mgmt,cnc-kt,cnc-nlp,cnc-ntsgin,cnc-pdf-tool,cnc-tooling,ctighs,ctighs-va,operia-benchmark,vtngc-data] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt b/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt index c20904b9b..f8bf44069 100644 --- a/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt +++ b/tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt @@ -1,9 +1,2 @@ final fw rules for query: deny-all-profiles-connectivity, config: deny-all-profiles: -src_ns: [acc-research] src_pods: [*] dst_ns: [acc-research] dst_pods: [*] conn: All connections -src_ns: [blue-umbrella] src_pods: [*] dst_ns: [blue-umbrella] dst_pods: [*] conn: All connections -src_ns: [cap-unauth] src_pods: [*] dst_ns: [cap-unauth] dst_pods: [*] conn: All connections -src_ns: [chaos-testing] src_pods: [*] dst_ns: [chaos-testing] dst_pods: [*] conn: All connections -src_ns: [cnc-pdf-tool] src_pods: [*] dst_ns: [cnc-pdf-tool] dst_pods: [*] conn: All connections -src_ns: [ctighs-va] src_pods: [*] dst_ns: [ctighs-va] dst_pods: [*] conn: All connections -src_ns: [ctighs] src_pods: [*] dst_ns: [ctighs] dst_pods: [*] conn: All connections -src_ns: [operia-benchmark] src_pods: [*] dst_ns: [operia-benchmark] dst_pods: [*] conn: All connections + diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt index 596813bc0..20007690b 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt @@ -1,8 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections + diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt index 0d5a656e5..239f0fbb8 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt @@ -2,10 +2,6 @@ For connections of type TCP, final fw rules for query: connectivity-6, config: t src: 0.0.0.0/0 dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt index 5fbd16f71..6037c6402 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt @@ -1,9 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt index 19b8e1418..64cdc6ddf 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt @@ -1,9 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt index 6f31cfe4f..56236fbd2 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt @@ -2,23 +2,20 @@ For connections of type TCP, final fw rules for query: connectivity-2, config: t src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=productpage] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1-b6994bb9] conn: All connections -src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [app=reviews] conn: All connections +src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections +src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app!=ratings] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app=reviews] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: All connections -src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections +src_ns: [istio-system] src_pods: [*] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-2, config: testcase26-config-1-k8s-istio-ingress: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (productpage,ratings)] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [app!=ratings] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [default,istio-system] dst_pods: [*] conn: All connections +src_ns: [istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index f65c0a624..f5fafd8a5 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -3,13 +3,11 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns] dst_pods: [*] conn: All connections src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'} -src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: , config: **: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections @@ -17,7 +15,6 @@ src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns,istio-system,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns] dst_pods: [*] conn: All connections src_ns: [istio-system,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [istio-system,kube-system] dst_pods: [*] conn: All connections +src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt index 30dbdeb7e..a23a77456 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt @@ -1,124 +1,7 @@ final fw rules for query: Eran_gnps, config: Eran_gnps: -src: 0.0.0.0-5.10.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src: 119.81.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 119.81.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 119.81.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 119.81.140.0-130.198.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 130.198.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 130.198.120.0-158.85.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 158.85.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 158.85.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 158.85.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 158.85.120.0-159.8.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.120.0-159.122.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.122.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.122.140.0-159.253.155.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.253.156.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.253.157.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.253.158.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.253.160.0-161.202.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.120.0-159.8.195.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.196.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.197.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 159.8.198.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 159.8.200.0-159.122.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 161.202.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 161.202.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 161.202.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 161.202.120.0-168.1.15.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.120.0-169.38.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.16.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.17.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 168.1.18.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 168.1.20.0-168.1.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.38.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.38.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.38.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.38.120.0-169.45.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.45.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.45.120.0-169.46.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.46.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.46.120.0-169.47.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.47.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.47.120.0-169.48.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.48.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.48.119.0-169.51.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.51.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.51.119.0-169.54.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.54.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.54.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.54.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.54.120.0-169.55.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.55.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.55.120.0-169.56.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.56.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.56.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.56.118.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.56.119.0-169.57.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.120.0-169.57.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.136.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.137.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.57.138.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.57.140.0-169.60.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.60.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.60.120.0-169.61.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 169.61.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 169.61.120.0-173.192.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.192.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.192.120.0-173.193.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.193.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.193.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 173.193.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 173.193.120.0-174.133.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 174.133.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 174.133.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 174.133.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 174.133.120.0-184.172.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 184.172.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 184.172.120.0-192.255.17.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 192.255.18.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 192.255.19.0-192.255.37.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 192.255.38.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 192.255.39.0-198.23.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 198.23.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 198.23.120.0-208.43.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 208.43.120.0-255.255.255.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 5.10.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 5.10.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 5.10.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 5.10.120.0-50.22.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.22.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.22.120.0-50.22.254.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.22.255.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.0.0-50.23.115.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.116.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.117.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.120.0-50.23.166.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 50.23.167.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 50.23.168.0-66.228.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 66.228.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 66.228.120.0-67.228.117.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 67.228.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 67.228.120.0-75.126.60.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP -src: 75.126.61.0/24 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections -src: 75.126.62.0-119.81.135.255 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src: 5.10.116.0/24,5.10.118.0/23,50.22.118.0/23,50.22.255.0/24,50.23.116.0/24,50.23.118.0/23,50.23.167.0/24,66.228.118.0/23,67.228.118.0/23,75.126.61.0/24,119.81.136.0/24,119.81.138.0/23,130.198.118.0/23,158.85.116.0/24,158.85.118.0/23,159.8.116.0/24,159.8.118.0/23,159.8.196.0/24,159.8.198.0/23,159.122.116.0/24,159.122.118.0/23,159.122.136.0/24,159.122.138.0/23,159.253.156.0/24,159.253.158.0/23,161.202.116.0/24,161.202.118.0/23,168.1.16.0/24,168.1.18.0/23,168.1.116.0/24,168.1.118.0/23,169.38.116.0/24,169.38.118.0/23,169.45.118.0/23,169.46.118.0/23,169.47.118.0/23,169.48.118.0/24,169.51.118.0/24,169.54.116.0/24,169.54.118.0/23,169.55.118.0/23,169.56.116.0/24,169.56.118.0/24,169.57.116.0/24,169.57.118.0/23,169.57.136.0/24,169.57.138.0/23,169.60.118.0/23,169.61.118.0/23,173.192.118.0/23,173.193.116.0/24,173.193.118.0/23,174.133.116.0/24,174.133.118.0/23,184.172.118.0/23,192.255.18.0/24,192.255.38.0/24,198.23.118.0/23,208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst: 0.0.0.0/0 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml index 841824d94..dc4306108 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml @@ -5,1829 +5,121 @@ explanation: - rules: - src_ip_block: - - 0.0.0.0/6 - - 4.0.0.0/8 - - 5.0.0.0/13 - - 5.10.0.0/18 - - 5.10.112.0/22 - - 5.10.64.0/19 - - 5.10.96.0/20 - - 5.8.0.0/15 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 119.81.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 119.128.0.0/9 - - 119.81.140.0/22 - - 119.81.144.0/20 - - 119.81.160.0/19 - - 119.81.192.0/18 - - 119.82.0.0/15 - - 119.84.0.0/14 - - 119.88.0.0/13 - - 119.96.0.0/11 - - 120.0.0.0/5 - - 128.0.0.0/7 - - 130.0.0.0/9 - - 130.128.0.0/10 - - 130.192.0.0/14 - - 130.196.0.0/15 - - 130.198.0.0/18 - - 130.198.112.0/22 - - 130.198.116.0/23 - - 130.198.64.0/19 - - 130.198.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 130.198.120.0/21 - - 130.198.128.0/17 - - 130.199.0.0/16 - - 130.200.0.0/13 - - 130.208.0.0/12 - - 130.224.0.0/11 - - 131.0.0.0/8 - - 132.0.0.0/6 - - 136.0.0.0/5 - - 144.0.0.0/5 - - 152.0.0.0/6 - - 156.0.0.0/7 - - 158.0.0.0/10 - - 158.64.0.0/12 - - 158.80.0.0/14 - - 158.84.0.0/16 - - 158.85.0.0/18 - - 158.85.112.0/22 - - 158.85.64.0/19 - - 158.85.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 158.85.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 158.128.0.0/9 - - 158.85.120.0/21 - - 158.85.128.0/17 - - 158.86.0.0/15 - - 158.88.0.0/13 - - 158.96.0.0/11 - - 159.0.0.0/13 - - 159.8.0.0/18 - - 159.8.112.0/22 - - 159.8.64.0/19 - - 159.8.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.120.0/21 - - 159.122.128.0/21 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.122.140.0/22 - - 159.122.144.0/20 - - 159.122.160.0/19 - - 159.122.192.0/18 - - 159.123.0.0/16 - - 159.124.0.0/14 - - 159.128.0.0/10 - - 159.192.0.0/11 - - 159.224.0.0/12 - - 159.240.0.0/13 - - 159.248.0.0/14 - - 159.252.0.0/16 - - 159.253.0.0/17 - - 159.253.128.0/20 - - 159.253.144.0/21 - - 159.253.152.0/22 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.253.157.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.253.160.0/19 - - 159.253.192.0/18 - - 159.254.0.0/15 - - 160.0.0.0/8 - - 161.0.0.0/9 - - 161.128.0.0/10 - - 161.192.0.0/13 - - 161.200.0.0/15 - - 161.202.0.0/18 - - 161.202.112.0/22 - - 161.202.64.0/19 - - 161.202.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.120.0/21 - - 159.8.128.0/18 - - 159.8.192.0/22 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.8.197.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 159.10.0.0/15 - - 159.112.0.0/13 - - 159.12.0.0/14 - - 159.120.0.0/15 - - 159.122.0.0/18 - - 159.122.112.0/22 - - 159.122.64.0/19 - - 159.122.96.0/20 - - 159.16.0.0/12 - - 159.32.0.0/11 - - 159.64.0.0/11 - - 159.8.200.0/21 - - 159.8.208.0/20 - - 159.8.224.0/19 - - 159.9.0.0/16 - - 159.96.0.0/12 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 161.202.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 161.202.120.0/21 - - 161.202.128.0/17 - - 161.203.0.0/16 - - 161.204.0.0/14 - - 161.208.0.0/12 - - 161.224.0.0/11 - - 162.0.0.0/7 - - 164.0.0.0/6 - - 168.0.0.0/16 - - 168.1.0.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.120.0/21 - - 168.1.128.0/17 - - 168.128.0.0/9 - - 168.16.0.0/12 - - 168.2.0.0/15 - - 168.32.0.0/11 - - 168.4.0.0/14 - - 168.64.0.0/10 - - 168.8.0.0/13 - - 169.0.0.0/11 - - 169.32.0.0/14 - - 169.36.0.0/15 - - 169.38.0.0/18 - - 169.38.112.0/22 - - 169.38.64.0/19 - - 169.38.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.17.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 168.1.112.0/22 - - 168.1.20.0/22 - - 168.1.24.0/21 - - 168.1.32.0/19 - - 168.1.64.0/19 - - 168.1.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.38.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.38.120.0/21 - - 169.38.128.0/17 - - 169.39.0.0/16 - - 169.40.0.0/14 - - 169.44.0.0/16 - - 169.45.0.0/18 - - 169.45.112.0/22 - - 169.45.116.0/23 - - 169.45.64.0/19 - - 169.45.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.45.120.0/21 - - 169.45.128.0/17 - - 169.46.0.0/18 - - 169.46.112.0/22 - - 169.46.116.0/23 - - 169.46.64.0/19 - - 169.46.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.46.120.0/21 - - 169.46.128.0/17 - - 169.47.0.0/18 - - 169.47.112.0/22 - - 169.47.116.0/23 - - 169.47.64.0/19 - - 169.47.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.47.120.0/21 - - 169.47.128.0/17 - - 169.48.0.0/18 - - 169.48.112.0/22 - - 169.48.116.0/23 - - 169.48.64.0/19 - - 169.48.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.48.119.0/24 - - 169.48.120.0/21 - - 169.48.128.0/17 - - 169.49.0.0/16 - - 169.50.0.0/16 - - 169.51.0.0/18 - - 169.51.112.0/22 - - 169.51.116.0/23 - - 169.51.64.0/19 - - 169.51.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.51.119.0/24 - - 169.51.120.0/21 - - 169.51.128.0/17 - - 169.52.0.0/15 - - 169.54.0.0/18 - - 169.54.112.0/22 - - 169.54.64.0/19 - - 169.54.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.54.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.54.120.0/21 - - 169.54.128.0/17 - - 169.55.0.0/18 - - 169.55.112.0/22 - - 169.55.116.0/23 - - 169.55.64.0/19 - - 169.55.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.55.120.0/21 - - 169.55.128.0/17 - - 169.56.0.0/18 - - 169.56.112.0/22 - - 169.56.64.0/19 - - 169.56.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.56.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.56.119.0/24 - - 169.56.120.0/21 - - 169.56.128.0/17 - - 169.57.0.0/18 - - 169.57.112.0/22 - - 169.57.64.0/19 - - 169.57.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.120.0/21 - - 169.57.128.0/21 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.137.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.57.140.0/22 - - 169.57.144.0/20 - - 169.57.160.0/19 - - 169.57.192.0/18 - - 169.58.0.0/15 - - 169.60.0.0/18 - - 169.60.112.0/22 - - 169.60.116.0/23 - - 169.60.64.0/19 - - 169.60.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.60.120.0/21 - - 169.60.128.0/17 - - 169.61.0.0/18 - - 169.61.112.0/22 - - 169.61.116.0/23 - - 169.61.64.0/19 - - 169.61.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 169.128.0.0/9 - - 169.61.120.0/21 - - 169.61.128.0/17 - - 169.62.0.0/15 - - 169.64.0.0/10 - - 170.0.0.0/7 - - 172.0.0.0/8 - - 173.0.0.0/9 - - 173.128.0.0/10 - - 173.192.0.0/18 - - 173.192.112.0/22 - - 173.192.116.0/23 - - 173.192.64.0/19 - - 173.192.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.192.120.0/21 - - 173.192.128.0/17 - - 173.193.0.0/18 - - 173.193.112.0/22 - - 173.193.64.0/19 - - 173.193.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.193.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 173.193.120.0/21 - - 173.193.128.0/17 - - 173.194.0.0/15 - - 173.196.0.0/14 - - 173.200.0.0/13 - - 173.208.0.0/12 - - 173.224.0.0/11 - - 174.0.0.0/9 - - 174.128.0.0/14 - - 174.132.0.0/16 - - 174.133.0.0/18 - - 174.133.112.0/22 - - 174.133.64.0/19 - - 174.133.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 174.133.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 174.133.120.0/21 - - 174.133.128.0/17 - - 174.134.0.0/15 - - 174.136.0.0/13 - - 174.144.0.0/12 - - 174.160.0.0/11 - - 174.192.0.0/10 - - 175.0.0.0/8 - - 176.0.0.0/5 - - 184.0.0.0/9 - - 184.128.0.0/11 - - 184.160.0.0/13 - - 184.168.0.0/14 - - 184.172.0.0/18 - - 184.172.112.0/22 - - 184.172.116.0/23 - - 184.172.64.0/19 - - 184.172.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 184.172.120.0/21 - - 184.172.128.0/17 - - 184.173.0.0/16 - - 184.174.0.0/15 - - 184.176.0.0/12 - - 184.192.0.0/10 - - 185.0.0.0/8 - - 186.0.0.0/7 - - 188.0.0.0/6 - - 192.0.0.0/9 - - 192.128.0.0/10 - - 192.192.0.0/11 - - 192.224.0.0/12 - - 192.240.0.0/13 - - 192.248.0.0/14 - - 192.252.0.0/15 - - 192.254.0.0/16 - - 192.255.0.0/20 - - 192.255.16.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 192.255.19.0/24 - - 192.255.20.0/22 - - 192.255.24.0/21 - - 192.255.32.0/22 - - 192.255.36.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 192.255.128.0/17 - - 192.255.39.0/24 - - 192.255.40.0/21 - - 192.255.48.0/20 - - 192.255.64.0/18 - - 193.0.0.0/8 - - 194.0.0.0/7 - - 196.0.0.0/7 - - 198.0.0.0/12 - - 198.16.0.0/14 - - 198.20.0.0/15 - - 198.22.0.0/16 - - 198.23.0.0/18 - - 198.23.112.0/22 - - 198.23.116.0/23 - - 198.23.64.0/19 - - 198.23.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 198.128.0.0/9 - - 198.23.120.0/21 - - 198.23.128.0/17 - - 198.24.0.0/13 - - 198.32.0.0/11 - - 198.64.0.0/10 - - 199.0.0.0/8 - - 200.0.0.0/5 - - 208.0.0.0/11 - - 208.32.0.0/13 - - 208.40.0.0/15 - - 208.42.0.0/16 - - 208.43.0.0/18 - - 208.43.112.0/22 - - 208.43.116.0/23 - - 208.43.64.0/19 - - 208.43.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 208.128.0.0/9 - - 208.43.120.0/21 - - 208.43.128.0/17 - - 208.44.0.0/14 - - 208.48.0.0/12 - - 208.64.0.0/10 - - 209.0.0.0/8 - - 210.0.0.0/7 - - 212.0.0.0/6 - - 216.0.0.0/5 - - 224.0.0.0/3 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 5.10.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 16.0.0.0/4 - - 32.0.0.0/4 - - 48.0.0.0/7 - - 5.10.120.0/21 - - 5.10.128.0/17 - - 5.11.0.0/16 - - 5.12.0.0/14 - - 5.128.0.0/9 - - 5.16.0.0/12 - - 5.32.0.0/11 - - 5.64.0.0/10 - - 50.0.0.0/12 - - 50.16.0.0/14 - - 50.20.0.0/15 - - 50.22.0.0/18 - - 50.22.112.0/22 - - 50.22.116.0/23 - - 50.22.64.0/19 - - 50.22.96.0/20 - - 6.0.0.0/7 - - 8.0.0.0/5 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.22.120.0/21 - - 50.22.128.0/18 - - 50.22.192.0/19 - - 50.22.224.0/20 - - 50.22.240.0/21 - - 50.22.248.0/22 - - 50.22.252.0/23 - - 50.22.254.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.0.0/18 - - 50.23.112.0/22 - - 50.23.64.0/19 - - 50.23.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.117.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.23.120.0/21 - - 50.23.128.0/19 - - 50.23.160.0/22 - - 50.23.164.0/23 - - 50.23.166.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 50.128.0.0/9 - - 50.23.168.0/21 - - 50.23.176.0/20 - - 50.23.192.0/18 - - 50.24.0.0/13 - - 50.32.0.0/11 - - 50.64.0.0/10 - - 51.0.0.0/8 - - 52.0.0.0/6 - - 56.0.0.0/5 - - 64.0.0.0/7 - - 66.0.0.0/9 - - 66.128.0.0/10 - - 66.192.0.0/11 - - 66.224.0.0/14 - - 66.228.0.0/18 - - 66.228.112.0/22 - - 66.228.116.0/23 - - 66.228.64.0/19 - - 66.228.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 66.228.120.0/21 - - 66.228.128.0/17 - - 66.229.0.0/16 - - 66.230.0.0/15 - - 66.232.0.0/13 - - 66.240.0.0/12 - - 67.0.0.0/9 - - 67.128.0.0/10 - - 67.192.0.0/11 - - 67.224.0.0/14 - - 67.228.0.0/18 - - 67.228.112.0/22 - - 67.228.116.0/23 - - 67.228.64.0/19 - - 67.228.96.0/20 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 67.228.120.0/21 - - 67.228.128.0/17 - - 67.229.0.0/16 - - 67.230.0.0/15 - - 67.232.0.0/13 - - 67.240.0.0/12 - - 68.0.0.0/6 - - 72.0.0.0/7 - - 74.0.0.0/8 - - 75.0.0.0/10 - - 75.112.0.0/13 - - 75.120.0.0/14 - - 75.124.0.0/15 - - 75.126.0.0/19 - - 75.126.32.0/20 - - 75.126.48.0/21 - - 75.126.56.0/22 - - 75.126.60.0/24 - - 75.64.0.0/11 - - 75.96.0.0/12 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 112.0.0.0/6 - - 116.0.0.0/7 - - 118.0.0.0/8 - - 119.0.0.0/10 - - 119.64.0.0/12 - - 119.80.0.0/16 - - 119.81.0.0/17 - - 119.81.128.0/21 - - 75.126.128.0/17 - - 75.126.62.0/23 - - 75.126.64.0/18 - - 75.127.0.0/16 - - 75.128.0.0/9 - - 76.0.0.0/6 - - 80.0.0.0/4 - - 96.0.0.0/4 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections - - src_ip_block: - - 119.81.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 119.81.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 130.198.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 158.85.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 158.85.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.122.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.253.156.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.253.158.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.196.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 159.8.198.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 161.202.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 161.202.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.16.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 168.1.18.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.38.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.38.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.45.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.46.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.47.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.48.118.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.51.118.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.54.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.54.118.0/23 + - 0.0.0.0/0 dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections - - src_ip_block: - - 169.55.118.0/23 - dst_ns: + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP + - src_ns: - None - dst_pods: + src_pods: - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - - 169.56.116.0/24 dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections - - src_ip_block: - - 169.56.118.0/24 + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP + - src_ns: + - kube-system + src_pods: + - '*' dst_ns: - None dst_pods: - vendor.role=worker_public connection: - - All connections + - Protocol: ICMP + - Protocol: TCP + Ports: + - 52311 + - Protocol: UDP + Ports: + - 52311 + - Protocol: VRRP - src_ip_block: - - 169.57.116.0/24 + - 0.0.0.0/0 dst_ns: - - None + - kube-system dst_pods: - - vendor.role=worker_public + - '*' connection: - All connections - src_ip_block: + - 119.81.136.0/24 + - 119.81.138.0/23 + - 130.198.118.0/23 + - 158.85.116.0/24 + - 158.85.118.0/23 + - 159.122.116.0/24 + - 159.122.118.0/23 + - 159.122.136.0/24 + - 159.122.138.0/23 + - 159.253.156.0/24 + - 159.253.158.0/23 + - 159.8.116.0/24 + - 159.8.118.0/23 + - 159.8.196.0/24 + - 159.8.198.0/23 + - 161.202.116.0/24 + - 161.202.118.0/23 + - 168.1.116.0/24 + - 168.1.118.0/23 + - 168.1.16.0/24 + - 168.1.18.0/23 + - 169.38.116.0/24 + - 169.38.118.0/23 + - 169.45.118.0/23 + - 169.46.118.0/23 + - 169.47.118.0/23 + - 169.48.118.0/24 + - 169.51.118.0/24 + - 169.54.116.0/24 + - 169.54.118.0/23 + - 169.55.118.0/23 + - 169.56.116.0/24 + - 169.56.118.0/24 + - 169.57.116.0/24 - 169.57.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.57.136.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.57.138.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.60.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 169.61.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.192.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.193.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 173.193.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 174.133.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 174.133.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 184.172.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 192.255.18.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 192.255.38.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 198.23.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 208.43.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 5.10.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 5.10.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.22.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.22.255.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.116.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 50.23.167.0/24 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 66.228.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 67.228.118.0/23 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - All connections - - src_ip_block: - 75.126.61.0/24 dst_ns: - None diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt index afb0a5ae6..4fd648692 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_2_all_outbound_hep, config: np_2_outbound_hep_all_ep: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml index 77b6cc464..93edbd3c0 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_2_all_outbound_hep_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt index 891c3f19a..7a31de5fa 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_3_outbound_hep_to_wep, config: np_3_outbound_hep_to_wep: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml index d3792c4da..50fe35773 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt index cd6f2ebf2..839d7c5f2 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt @@ -1,10 +1,7 @@ final fw rules for query: np_4_outbound_all_namespaceSelector, config: np_4_outbound_all_namespaceSelector: src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.200.0/27 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.113.0/24 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst: 203.0.115.0/29 conn: All connections +src_ns: [None] src_pods: [vendor.role=worker_public] dst: 198.51.100.0/22,198.51.200.0/27,203.0.113.0/24,203.0.115.0/29 conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml index b2b6372e6..f7674a104 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml @@ -26,29 +26,8 @@ - vendor.role=worker_public dst_ip_block: - 198.51.100.0/22 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 198.51.200.0/27 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.113.0/24 - connection: - - All connections - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ip_block: - 203.0.115.0/29 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt index 91e2dcc3c..285f7aae9 100644 --- a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: cyclonus-simple-example: src: 0.0.0.0/0 dst_ns: [y] dst_pods: [b] conn: All connections src: 0.0.0.0/24 dst_ns: [y] dst_pods: [c] conn: All connections -src_ns: [y] src_pods: [a] dst_ns: [y] dst_pods: [b] conn: All connections src_ns: [y] src_pods: [pod!=c] dst: 0.0.0.0/0 conn: All connections +src_ns: [y] src_pods: [pod!=c] dst_ns: [y] dst_pods: [b] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml index 5a56fce8e..47d5dfc8f 100644 --- a/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.yaml @@ -23,18 +23,18 @@ - src_ns: - y src_pods: - - a - dst_ns: - - y - dst_pods: - - b + - pod!=c + dst_ip_block: + - 0.0.0.0/0 connection: - All connections - src_ns: - y src_pods: - pod!=c - dst_ip_block: - - 0.0.0.0/0 + dst_ns: + - y + dst_pods: + - b connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt index 75198d391..9b3ca6bdf 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 26257 +src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: TCP 26257 src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml index 0f991aa23..cc5165a1d 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml @@ -9,7 +9,7 @@ dst_ns: - default dst_pods: - - app=skydive + - '*' connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt index 534455a61..be20d1830 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt @@ -1,6 +1,5 @@ For connections of type TCP, final fw rules for query: istio-policy2, config: istio-policy2: -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 -src: 2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 +src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: TCP 30,50 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml index 7494479f1..b07aea12c 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml @@ -6,16 +6,6 @@ - TCP_rules: - src_ip_block: - 1.2.3.0/24 - dst_ns: - - default - dst_pods: - - app=skydive - connection: - - Protocol: TCP - Ports: - - 30 - - 50 - - src_ip_block: - 2.2.2.2/32 dst_ns: - default diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv index 5f038f887..2a79d8ad9 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv @@ -1,8 +1,8 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_csv, config: poc1","","","","","", "","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","TCP 3550", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[shippingservice]","TCP 50051", -"","[default]","[checkoutservice]","[default]","[paymentservice]","TCP 50051", +"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","TCP 50051", +"","[default]","[frontend]","[default]","[shippingservice]","TCP 50051", "","[default]","[frontend]","[default]","[checkoutservice]","TCP 5050", "","[default]","[cartservice]","[default]","[redis-cart]","TCP 6379", "","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","TCP 7000", diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot index 90c2bbabc..18504f73a 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot @@ -6,18 +6,24 @@ digraph { subgraph cluster_map_explanation { dict_box [label=<
Connectivity legend
tcp3550 TCP 3550
tcp50051 TCP 50051
tcp5050 TCP 5050
tcp6379 TCP 6379
tcp7000 TCP 7000
tcp7070 TCP 7070
tcp8080 TCP 8080
tcp9555 TCP 9555
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] - "default/adservice(Deployment)" [label=<
default/adservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/cartservice(Deployment)" [label=<
default/cartservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/checkoutservice(Deployment)" [label=<
default/checkoutservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/currencyservice(Deployment)" [label=<
default/currencyservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/emailservice(Deployment)" [label=<
default/emailservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/frontend(Deployment)" [label=<
default/frontend(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/loadgenerator(Deployment)" [label=<
default/loadgenerator(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/paymentservice(Deployment)" [label=<
default/paymentservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/productcatalogservice(Deployment)" [label=<
default/productcatalogservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/recommendationservice(Deployment)" [label=<
default/recommendationservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/redis-cart(Deployment)" [label=<
default/redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/shippingservice(Deployment)" [label=<
default/shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] +subgraph cluster_default_namespace{ + label="default" + fontsize=20 + fontcolor=blue + tooltip="Namespace" + "default/adservice(Deployment)" [label=<
adservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/cartservice(Deployment)" [label=<
cartservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/checkoutservice(Deployment)" [label=<
checkoutservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/currencyservice(Deployment)" [label=<
currencyservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/emailservice(Deployment)" [label=<
emailservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/frontend(Deployment)" [label=<
frontend(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/loadgenerator(Deployment)" [label=<
loadgenerator(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/paymentservice(Deployment)" [label=<
paymentservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/productcatalogservice(Deployment)" [label=<
productcatalogservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/recommendationservice(Deployment)" [label=<
recommendationservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/redis-cart(Deployment)" [label=<
redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] + "default/shippingservice(Deployment)" [label=<
shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] +} "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="TCP 6379" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md index 0a30780ef..c8df5ef6b 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md @@ -2,8 +2,8 @@ |---|---|---|---|---|---| |connectivity_map_md, config: poc1|||||| ||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|TCP 3550| -||[default]|[app in (checkoutservice,frontend)]|[default]|[shippingservice]|TCP 50051| -||[default]|[checkoutservice]|[default]|[paymentservice]|TCP 50051| +||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|TCP 50051| +||[default]|[frontend]|[default]|[shippingservice]|TCP 50051| ||[default]|[frontend]|[default]|[checkoutservice]|TCP 5050| ||[default]|[cartservice]|[default]|[redis-cart]|TCP 6379| ||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|TCP 7000| diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt index ec60d2067..39806a076 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt @@ -2,12 +2,12 @@ final fw rules for query: connectivity_map, config: poc1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml index 1172f890e..0c4af1724 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt index 8147ff7fc..565a70e26 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml index bf8ba580b..90c958705 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt index f4e18a56b..fc3189565 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt @@ -3,13 +3,13 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml index 1ea54f5f0..99327d1ff 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml @@ -19,11 +19,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -31,11 +31,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt index 67f82c94f..c70ca8299 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23,8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml index 8577c70ea..8f7438933 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml @@ -32,11 +32,11 @@ - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - shippingservice + - app in (paymentservice,shippingservice) connection: - Protocol: TCP Ports: @@ -44,11 +44,11 @@ - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - paymentservice + - shippingservice connection: - Protocol: TCP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot index 3b0127ed0..e71488c49 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/deployment-E-1" [label=<
deployment-E-1
deployment-E-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] - "default/deployment-Eb-1" [label=<
deployment-Eb-1
deployment-Eb-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } subgraph cluster_ns1_namespace{ label="ns1" @@ -18,13 +17,6 @@ subgraph cluster_ns1_namespace{ fontcolor=blue tooltip="Namespace" "ns1/deployment-A-1" [label=<
deployment-A-1
deployment-A-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } "ns1/deployment-A-1" -> "default/deployment-E-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot index 5e1ba84aa..194240eb6 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/deployment-E(Deployment)" [label=<
deployment-E(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "default/deployment-Eb(Deployment)" [label=<
deployment-Eb(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" @@ -18,13 +17,6 @@ subgraph cluster_ns1_namespace{ fontcolor=blue tooltip="Namespace" "ns1/deployment-A(Deployment)" [label=<
deployment-A(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } "ns1/deployment-A(Deployment)" -> "default/deployment-E(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot index bdcf681e7..7accdda89 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_dot.dot @@ -25,7 +25,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/deployment-C-1" [label=<
deployment-C-1
deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } "ns1/deployment-A-1" -> "default/deployment-E-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ns1/deployment-B-1" -> "ns1/deployment-A-1"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot index 9e8133aef..0c5fbd210 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_dot.dot @@ -25,7 +25,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/deployment-C(Deployment)" [label=<
deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } "ns1/deployment-A(Deployment)" -> "default/deployment-E(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ns1/deployment-B(Deployment)" -> "ns1/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot index c82720200..c296dd79f 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels2_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/Pod4" [label=<
Pod4
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5" [label=<
Pod5
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot index 0735527f4..279244399 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_dot.dot @@ -10,7 +10,6 @@ subgraph cluster_default_namespace{ fontcolor=blue tooltip="Namespace" "default/Pod4(Pod)" [label=<
Pod4(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5(Pod)" [label=<
Pod5(Pod)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ label="ns1" diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot index 1dc0b2176..f5fd0c092 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels3_dot.dot @@ -21,13 +21,6 @@ subgraph cluster_ns1_namespace{ "ns1/deployment-A-1" [label=<
deployment-A-1
deployment-A-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns1/deployment-B-1" [label=<
deployment-B-1
deployment-B-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} subgraph cluster_ns3_namespace{ label="ns3" fontsize=20 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot index 0c38d745f..d81da5bec 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_dot.dot @@ -21,13 +21,6 @@ subgraph cluster_ns1_namespace{ "ns1/deployment-A(Deployment)" [label=<
deployment-A(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "ns1/deployment-B(Deployment)" [label=<
deployment-B(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} subgraph cluster_ns3_namespace{ label="ns3" fontsize=20 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot index 0183148ae..aeb594797 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot @@ -4,13 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F-1" [label=<
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] -} color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot index dd8065172..d87698526 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot @@ -4,13 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { -subgraph cluster_ns2_namespace{ - label="ns2" - fontsize=20 - fontcolor=blue - tooltip="Namespace" - "ns2/deployment-F(Deployment)" [label=<
deployment-F(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] -} color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot index aa5feb87f..f4cde674c 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_dot.dot @@ -4,7 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 @@ -12,7 +11,6 @@ subgraph cluster_default_namespace{ tooltip="Namespace" "default/Pod1" [label=<
Pod1
> shape=box fontcolor=blue tooltip="Workload"] "default/Pod4" [label=<
Pod4
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5" [label=<
Pod5
deployment-Eb-1
deployment-Eb-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/deployment-E-1" [label=<
deployment-E-1
deployment-E-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } subgraph cluster_ns1_namespace{ @@ -30,7 +28,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/Pod3" [label=<
Pod3
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/Pod6" [label=<
Pod6
deployment-F-1
deployment-F-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-C-1" [label=<
deployment-C-1
deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-D-1" [label=<
deployment-D-1
deployment-D-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } diff --git a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot index 53f31ef93..57c6dd0a7 100644 --- a/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/subset_no_subset_endpoints_deployments_dot.dot @@ -4,7 +4,6 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 @@ -12,7 +11,6 @@ subgraph cluster_default_namespace{ tooltip="Namespace" "default/Pod1(Pod)" [label=<
Pod1(Pod)
> shape=box fontcolor=blue tooltip="Workload"] "default/Pod4(Pod)" [label=<
Pod4(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "default/Pod5(Pod)" [label=<
Pod5(Pod)
deployment-Eb(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/deployment-E(Deployment)" [label=<
deployment-E(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } subgraph cluster_ns1_namespace{ @@ -30,7 +28,6 @@ subgraph cluster_ns2_namespace{ fontcolor=blue tooltip="Namespace" "ns2/Pod3(Pod)" [label=<
Pod3(Pod)
> shape=box fontcolor=blue tooltip="Workload"] - "ns2/Pod6(Pod)" [label=<
Pod6(Pod)
deployment-F(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "ns2/deployment-C(Deployment)" [label=<
deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "ns2/deployment-D(Deployment)" [label=<
deployment-D(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt index 47ab7b0a6..100c7b3f8 100644 --- a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np1: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml index c53adf7ec..3fb84324e 100644 --- a/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test1-scheme_output.yaml @@ -27,25 +27,27 @@ - All connections - src_ns: - default - - ibm-system-new - - kube-system-new - - kube-system-new-dummy-to-ignore src_pods: - '*' dst_ns: - default - ibm-system-new + - kube-system-new - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: - All connections - src_ns: - - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore src_pods: - '*' dst_ns: - - kube-system-new + - default + - ibm-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt index 449596add..3382143a9 100644 --- a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np13: src: 0.0.0.0/0 dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml index 146b92586..40cb83e91 100644 --- a/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test13-scheme_output.yaml @@ -27,7 +27,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -46,6 +45,9 @@ - '*' dst_ns: - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt index 634477134..06ad08aec 100644 --- a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np14: src: 0.0.0.0/0 dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml index 398327826..70fe2e3ab 100644 --- a/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test14-scheme_output.yaml @@ -27,7 +27,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -46,6 +45,9 @@ - '*' dst_ns: - default + - ibm-system-new + - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt index e03e6962e..5e80c5363 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt @@ -1,10 +1,7 @@ final fw rules for query: connectivity_map, config: np16: -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: UDP 53 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [tier=frontend] conn: UDP 53 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml index e9da05bbb..a519885ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml @@ -6,16 +6,6 @@ - rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -23,32 +13,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system-new - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -56,10 +26,13 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system-new dst_pods: - - tier=frontend + - '*' connection: - Protocol: UDP Ports: diff --git a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt index 1d2359fd9..cbae5155f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.txt @@ -2,5 +2,4 @@ final fw rules for query: connectivity_map, config: np18: src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: All connections src_ns: [kube-system-new] src_pods: [!has(tier) or tier=not_frontend_for_demo] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system-new] src_pods: [!has(tier) or tier=not_frontend_for_demo] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections -src_ns: [kube-system-new] src_pods: [tier=frontend] dst: 49.50.0.0/32 conn: All connections -src_ns: [kube-system-new] src_pods: [tier=frontend] dst: 49.50.0.2/32 conn: All connections +src_ns: [kube-system-new] src_pods: [*] dst: 49.50.0.0/32,49.50.0.2/32 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml index 793fadf25..1db41f134 100644 --- a/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test18-scheme_output.yaml @@ -33,16 +33,9 @@ - src_ns: - kube-system-new src_pods: - - tier=frontend + - '*' dst_ip_block: - 49.50.0.0/32 - connection: - - All connections - - src_ns: - - kube-system-new - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.2/32 connection: - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt index f1a8460bd..cf494a6c4 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt @@ -2,6 +2,6 @@ final fw rules for query: connectivity_map, config: np2: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: All connections +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml index d3583d093..74f3eef95 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml @@ -57,7 +57,6 @@ - All connections - src_ns: - default - - ibm-system-new - kube-system-new - kube-system-new-dummy-to-ignore src_pods: @@ -75,7 +74,10 @@ src_pods: - '*' dst_ns: + - default + - ibm-system-new - kube-system-new + - kube-system-new-dummy-to-ignore dst_pods: - '*' connection: diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt index 3060bd316..557aa0788 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt @@ -1,3 +1,3 @@ final fw rules for query: connectivity_map, config: np24: -src_ns: [default] src_pods: [common=M] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 +src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml index 2a1c2056f..e56cae2fb 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml @@ -7,7 +7,7 @@ - src_ns: - default src_pods: - - common=M + - test in (A,B) dst_ns: - default dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot index 0d1328b7e..8b26b004e 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_dot.dot @@ -4,13 +4,11 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 fontcolor=blue tooltip="Namespace" - "default/my-test-deployment-A(Deployment)" [label=<
my-test-deployment-A(Deployment)
my-test-deployment-D(Deployment)
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-B(Deployment)" [label=<
my-test-deployment-B(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "default/my-test-deployment-C(Deployment)" [label=<
my-test-deployment-C(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv index b02905cc5..51f11b95c 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv @@ -1,4 +1,3 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_by_pods_csv, config: np25","","","","","", -"","[default]","[my-test-deployment-C-1]","[default]","[app=B]","All connections", -"","[default]","[my-test-deployment-C-2]","[default]","[app=B]","All connections", +"","[default]","[my-test-deployment-C-1, my-test-deployment-C-2]","[default]","[app=B]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot index aac2ca22f..bdf0a0988 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_dot.dot @@ -4,13 +4,11 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" fontsize=20 fontcolor=blue tooltip="Namespace" - "default/my-test-deployment-A-1" [label=<
my-test-deployment-A-1
my-test-deployment-A-2
my-test-deployment-D-1
my-test-deployment-D-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-B-1" [label=<
my-test-deployment-B-1
my-test-deployment-B-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] "default/my-test-deployment-C-1" [label=<
my-test-deployment-C-1
my-test-deployment-C-2
> shape=box color=blue4 tooltip="A set of workloads having exactly the same connectivity"] } diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt index 9ccd97c90..22b5c262c 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt @@ -1,3 +1,2 @@ final fw rules for query: connectivity_map_by_pods_txt, config: np25: -src_ns: [default] src_pods: [my-test-deployment-C-1] dst_ns: [default] dst_pods: [app=B] conn: All connections -src_ns: [default] src_pods: [my-test-deployment-C-2] dst_ns: [default] dst_pods: [app=B] conn: All connections +src_ns: [default] src_pods: [my-test-deployment-C-1, my-test-deployment-C-2] dst_ns: [default] dst_pods: [app=B] conn: All connections \ No newline at end of file diff --git a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml index 94081ae37..0afa0d81f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml @@ -7,17 +7,7 @@ - src_ns: - default src_pods: - - my-test-deployment-C-1 - dst_ns: - - default - dst_pods: - - app=B - connection: - - All connections - - src_ns: - - default - src_pods: - - my-test-deployment-C-2 + - my-test-deployment-C-1, my-test-deployment-C-2 dst_ns: - default dst_pods: diff --git a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml index dae0fc255..ad6aa3842 100644 --- a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml +++ b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml @@ -24,23 +24,23 @@ networkConfigList: expectedWarnings: 0 queries: - - name: new_online_boutique_connectivity_map - connectivityMap: - - new_online_boutique - expected: 0 - #outputConfiguration: - # outputFormat: dot - # outputPath: online_boutique_new_istio_policies.dot - expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt - - - name: new_online_boutique_synth_res_connectivity_map - connectivityMap: - - new_online_boutique_synthesis_res - expected: 0 - #outputConfiguration: - # outputFormat: dot - # outputPath: online_boutique_new_istio_policies_synthesis_res.dot - expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt +# - name: new_online_boutique_connectivity_map +# connectivityMap: +# - new_online_boutique +# expected: 0 +# #outputConfiguration: +# # outputFormat: dot +# # outputPath: online_boutique_new_istio_policies.dot +# expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt +# +# - name: new_online_boutique_synth_res_connectivity_map +# connectivityMap: +# - new_online_boutique_synthesis_res +# expected: 0 +# #outputConfiguration: +# # outputFormat: dot +# # outputPath: online_boutique_new_istio_policies_synthesis_res.dot +# expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt - name: new_online_boutique_synth_res_connectivity_map_wo_fw_rules connectivityMap: diff --git a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt index 33b80f29b..81cff8378 100644 --- a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt +++ b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt @@ -12,7 +12,7 @@ src_ns: [istio-system] src_pods: [istiod] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [istiod] dst: connected-with-mesh.example.com conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [istio-ingressgateway] conn: All connections +src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} diff --git a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml index 4da44d216..ddcd6e3d2 100644 --- a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml +++ b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml @@ -1,5 +1,6 @@ resourceList: - - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml +# - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml + - ../all_deployments.yaml - ../onlineboutique-services.yaml networkConfigList: diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot index 158efcfe8..45e5db22a 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -64,23 +64,40 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot index d39210c65..77250fbd0 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -51,24 +51,41 @@ All"] "example/deploy-gggg(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 @@ -100,3 +117,4 @@ subgraph cluster_example_namespace{ fontcolor=maroon } } + diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot index 276f6f2e8..b31b60983 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -53,15 +53,24 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot index be13cf727..ccc2023b5 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -48,15 +48,24 @@ All"] "example/deploy-hhhh(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot index 307da6b09..6655f83f7 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -51,14 +51,22 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'},{'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'},{'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'},{'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'},{'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'},{'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'},{'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'},{'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'},{'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot index 0f24c68a7..1008b214a 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -44,14 +44,22 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'},{'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'},{'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'},{'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'},{'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'},{'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'},{'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt index e4ec5ec27..7213be4c8 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-adding-default-sidecar-after-specific, config: adding-default-sidecar-after-specific: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app in (productpage,ratings)] dst_ns: [default] dst_pods: [details-v1] conn: All connections +src_ns: [default] src_pods: [app!=reviews] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [app=reviews] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-adding-default-sidecar-after-specific, config: adding-default-sidecar-after-specific: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt index df45348ae..206e49d4f 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_default_sidecar.txt @@ -1,11 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-default-sidecar-1, config: bookinfo-default-sidecar-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [details-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v1] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v2] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [reviews-v3] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [details-v1, ratings-v1, reviews-v1, reviews-v2, reviews-v3] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-default-sidecar-1, config: bookinfo-default-sidecar-1: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt index e2d27ed59..ca9d06836 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_multiple_sidecar_overrides.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-multiple-sidecar-overrides, config: multiple-sidecar-overrides: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app in (ratings,reviews)] dst_ns: [default] dst_pods: [details-v1] conn: All connections +src_ns: [default] src_pods: [app!=productpage] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-multiple-sidecar-overrides, config: multiple-sidecar-overrides: diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt index d5331012a..64d3c6beb 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt @@ -2,9 +2,8 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [app=reviews] conn: All connections +src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections src_ns: [default] src_pods: [productpage-v1] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1] dst_ns: [default] dst_pods: [details-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-specific-sidecar-overrides-default-sidecar, config: sidecar-with-workload-selector-overrides-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt index b6600f2a4..29b13fe9a 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: connectivity-map-bookinfo-two-different-sidecars-override-default-sidecar, config: two-different-sidecars-override-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [default] src_pods: [app in (details,ratings)] dst_ns: [default] dst_pods: [details-v1] conn: All connections src_ns: [default] src_pods: [app in (productpage,reviews)] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections -src_ns: [default] src_pods: [ratings-v1] dst_ns: [default] dst_pods: [details-v1] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-map-bookinfo-two-different-sidecars-override-default-sidecar, config: two-different-sidecars-override-default-sidecar: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt index e1397dca2..eeab7d57a 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt @@ -1,6 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} diff --git a/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt b/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt index e02208b4f..de0cb05d6 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt @@ -2,7 +2,6 @@ For connections of type TCP, final fw rules for query: frontend_w_no_egress_conn src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [app!=frontend] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: frontend_w_no_egress_connectivity_map, config: sidecar_disable_egress: diff --git a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt index 74c397b35..4bef80652 100644 --- a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt +++ b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_contains_service_entry_hosts.txt @@ -2,7 +2,6 @@ For connections of type TCP, final fw rules for query: connectivity-sidecar-host src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst: api.facebook.com conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.newrelic.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.slack.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.wikipedia.org conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt index 51989b343..796918365 100644 --- a/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt +++ b/tests/istio_testcases/expected_output/connectivity_sidecar_host_name_does_not_contain_se_hosts.txt @@ -1,7 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-sidecar-host-name-does-not-contain-service-entry-hosts, config: sidecar-w-specific-host-name: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [ratings-v1] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.newrelic.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.slack.com conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: *.wikipedia.org conn: All connections diff --git a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt index 2f80a3316..8ad32ce46 100644 --- a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt @@ -1,12 +1,9 @@ For connections of type TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [istio-ingressgateway] conn: All connections -src_ns: [default] src_pods: [fly-api] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [fly-api] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [hora-api] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [hora-api] dst_ns: [default] dst_pods: [*] conn: All connections +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'} +src_ns: [default] src_pods: [fly-api, hora-api] dst: 0.0.0.0/0 conn: All connections +src_ns: [default] src_pods: [fly-api, hora-api] dst_ns: [default] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt index 4c6d64d82..2dd1584c9 100644 --- a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt @@ -5,7 +5,6 @@ src_ns: [default,prod,qa] src_pods: [*] dst: connected_with_mesh.example.com con src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity, config: istio-egress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt index 001bbf712..b4b269ee0 100644 --- a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt @@ -1,8 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity, config: istio-ingress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections -src_ns: [default,istio-system,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections +src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: TCP {'dst_ports': '5555', 'hosts': 'mongosvr.prod.svc.cluster.local'} src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: TCP {'dst_ports': '9080', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local', 'paths': '/reviews(/*)?'} src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: TCP {'dst_ports': '7777', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local'} diff --git a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt index 1d2ef9ac8..668db7aef 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -2,10 +2,9 @@ For connections of type TCP, final fw rules for query: new_online_boutique_conne src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections +src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} -src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt index 815c1c10b..69807048e 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt @@ -4,13 +4,13 @@ src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map, config: new_online_boutique_synthesis_res: diff --git a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt index 38eb83acb..ca07f5d08 100644 --- a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt +++ b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt @@ -11,7 +11,6 @@ src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app not in ( src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: All connections src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections For connections of type non-TCP, final fw rules for query: onlineboutique-sidecars-connectivity, config: onlineboutique-sidecars-and-gateways: src: 0.0.0.0/0 dst_ns: [asm-ingress,default,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt index e8e1482ff..4d86cece0 100644 --- a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt +++ b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt @@ -131,13 +131,7 @@ 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -152,13 +146,7 @@ default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -173,13 +161,7 @@ default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSe default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-agents[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections @@ -194,13 +176,7 @@ default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -215,13 +191,7 @@ default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-no default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -236,13 +206,7 @@ ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-sys ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -257,13 +221,7 @@ ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-sy ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -278,13 +236,7 @@ kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ku kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -299,13 +251,7 @@ kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -320,13 +266,7 @@ kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-s kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -341,13 +281,7 @@ kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube- kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -362,13 +296,7 @@ kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -384,13 +312,7 @@ kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/calico-node[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -405,13 +327,7 @@ kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b8 kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -426,13 +342,7 @@ kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/publi kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -448,13 +358,7 @@ kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[Da kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -469,13 +373,7 @@ kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-i kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -491,13 +389,7 @@ kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonS kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -513,13 +405,7 @@ kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[Dae kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -534,13 +420,7 @@ kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cr kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -556,13 +436,7 @@ kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-nod kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -578,13 +452,7 @@ kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[Daem kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-9.255.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 10.0.0.0-10.255.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 11.0.0.0-172.20.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.21.0.0-172.21.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.22.0.0-172.29.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.30.0.0-172.30.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 172.31.0.0-255.255.255.255 : All Connections +kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections @@ -599,4 +467,4 @@ kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections \ No newline at end of file +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections diff --git a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt index 52562f12e..ac683a3d7 100644 --- a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt @@ -1,6 +1,5 @@ final fw rules for query: connectivity, config: test-ingress: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default,ingress-nginx,istio-system] src_pods: [*] dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections src_ns: [default,istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,istio-system] dst_pods: [*] conn: All connections +src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'hosts': 'demo.localdev.me', 'paths': '/details(/*)?'} diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt index 50f5ce659..04d20d5e0 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -4,11 +4,11 @@ src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt index 085de9d95..a7094a55a 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt @@ -2,14 +2,14 @@ final fw rules for query: new_online_boutique_synthesis_res_connectivity_map, co src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt index 99ffe09a8..36bffcc45 100644 --- a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt @@ -4,14 +4,14 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections From c11a3aea888460605292ca1432652563d1ec6409 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 16:35:57 +0300 Subject: [PATCH 59/89] Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya --- nca/FWRules/MinimizeBasic.py | 3 +- nca/NetworkConfig/NetworkConfigQuery.py | 201 +++++-- ..._diff_a_to_b_with_ipBlock_query_output.csv | 11 +- ...c_diff_a_to_b_with_ipBlock_query_output.md | 11 +- ..._diff_a_to_b_with_ipBlock_query_output.txt | 11 +- ...diff_a_to_b_with_ipBlock_query_output.yaml | 51 +- ...ic_diff_ipblocks__np1_np4_query_output.csv | 20 +- ...tic_diff_ipblocks__np1_np4_query_output.md | 20 +- ...ic_diff_ipblocks__np1_np4_query_output.txt | 20 +- ...c_diff_ipblocks__np1_np4_query_output.yaml | 146 +----- ...diff_ipblocks_equivalence_query_output.csv | 21 +- ..._diff_ipblocks_equivalence_query_output.md | 21 +- ...diff_ipblocks_equivalence_query_output.txt | 20 +- ...iff_ipblocks_equivalence_query_output.yaml | 140 +---- ...tic_diff_ipblocks_np1_np2_query_output.csv | 10 +- ...ntic_diff_ipblocks_np1_np2_query_output.md | 10 +- ...tic_diff_ipblocks_np1_np2_query_output.txt | 10 +- ...ic_diff_ipblocks_np1_np2_query_output.yaml | 70 +-- ...ports_np1_and_np2_by_pods_query_output.txt | 6 +- .../semantic_diff_np1_np2_query_output.csv | 10 +- .../semantic_diff_np1_np2_query_output.md | 10 +- .../semantic_diff_np1_np2_query_output.txt | 10 +- .../semantic_diff_np1_np2_query_output.yaml | 70 +-- .../semantic_diff_poc-scheme_output.csv | 8 +- .../semantic_diff_poc-scheme_output.md | 8 +- .../semantic_diff_poc-scheme_output.txt | 6 +- .../semantic_diff_poc-scheme_output.yaml | 31 +- ...diff_with_different_topologies-scheme.yaml | 494 +++++++++--------- 28 files changed, 519 insertions(+), 930 deletions(-) diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 9fe042af7..72de6a6d0 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -125,8 +125,7 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container, conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) else: if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, - ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container)) + conns.add_connections(protocol, ConnectivityProperties.make_all_props()) else: conns.add_connections(protocol, True) return conns, src_peers, dst_peers diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 60c4ce3e1..8046f37db 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -8,6 +8,7 @@ from abc import abstractmethod from collections import defaultdict from enum import Enum +from dataclasses import dataclass from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet, IpBlock, Pod, Peer, DNSEntry, BasePeerSet @@ -27,6 +28,7 @@ PoliciesWithCommonPods, PeersAndConnections, ComputedExplanation from .NetworkLayer import NetworkLayerName from nca.Utils.ExplTracker import ExplTracker +from nca.NetworkConfig import PeerContainer class QueryType(Enum): @@ -1394,6 +1396,14 @@ class SemanticDiffQuery(TwoNetworkConfigsQuery): Produces a report of changed connections (also for the case of two configurations of different network topologies) """ + @dataclass + class PropsAndExplanationData: + props: ConnectivityProperties + cluster_info: ClusterInfo + output_config: OutputConfiguration + peer_container: PeerContainer + + @staticmethod def get_query_type(): return QueryType.PairComparisonQuery @@ -1496,18 +1506,93 @@ def get_results_for_computed_fw_rules(self, keys_list, conn_graph_removed_per_ke return res, explanation + def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_connectivity_result): + """ + computes the explanation for given key and conn_graph with description and fw-rules results + prepares the description and explanation + description text is written for txt, yaml and json formats + other formats description already included in the conn_graph data + :param str key: the key describing the changes + :param bool is_added: a bool flag indicating if connections are added or removed + :param PropsAndExplanationData props_data: a ConnectivityProperties with added/removed connections + :param bool is_first_connectivity_result: flag indicating if this is the first connectivity fw-rules computation + for the current semantic-diff query + :return the computedExplanation of the current key and conn_graph considering the outputFormat, + and fw_rules from which the explanation was computed + :rtype: ComputedExplanation, Union[None, MinimizeFWRules] + """ + updated_key = self._get_updated_key(key, is_added) + topology_config_name = self.name2 if is_added else self.name1 + connectivity_changes_header = f'{updated_key} (based on topology from config: {topology_config_name}) :' + fw_rules = None + if self.output_config.outputFormat == 'txt_no_fw_rules': + conn_graph = ConnectivityGraph(props_data.cluster_info.all_peers, props_data.cluster_info.allowed_labels, + props_data.output_config) + conn_graph.add_props_to_graph(props_data.props, props_data.peer_container) + conn_graph_explanation = conn_graph.get_connections_without_fw_rules_txt_format( + connectivity_changes_header, exclude_self_loop_conns=False) + '\n' + else: + fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, + props_data.output_config, + props_data.peer_container, None) + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) # Tanya: debug + conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) + + if self.output_config.outputFormat in ['json', 'yaml']: + explanation_dict = {'description': updated_key} + explanation_dict.update(conn_graph_explanation) + key_explanation = ComputedExplanation(dict_explanation=explanation_dict) + else: + str_explanation = f'\n{connectivity_changes_header}\n' if self.output_config.outputFormat == 'txt' else '' + str_explanation += conn_graph_explanation + key_explanation = ComputedExplanation(str_explanation=str_explanation) + + return key_explanation, fw_rules + + def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key, added_props_per_key): + """ + Compute accumulated explanation and res for all keys of changed connections categories + :param keys_list: the list of keys + :param removed_props_per_key: map from key to PropsAndExplanationData of removed connections + :param added_props_per_key: map from key to PropsAndExplanationData of added connections + :return: + res (int): number of categories with diffs + explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category + :rtype: int, list[ComputedExplanation] + """ + explanation = [] + add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() + res = 0 + for key in keys_list: + added_props = added_props_per_key[key] + removed_props = removed_props_per_key[key] + is_added = added_props is not None and added_props.props + is_removed = removed_props is not None and removed_props.props + if is_added: + if add_explanation: + key_explanation, _ = self.compute_explanation_for_key_opt(key, True, added_props, res == 0) + explanation.append(key_explanation) + res += 1 + + if is_removed: + if add_explanation: + key_explanation, _ = self.compute_explanation_for_key_opt(key, False, removed_props, res == 0) + explanation.append(key_explanation) + res += 1 + + return res, explanation + def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - opt_conn_graph_removed_per_key, - opt_conn_graph_added_per_key): + removed_props_per_key, added_props_per_key): """ Compute accumulated explanation and res for all keys of changed connections categories. Also, compare original and optimized results. :param keys_list: the list of keys :param orig_conn_graph_removed_per_key: map from key to ConnectivityGraph of original removed connections :param orig_conn_graph_added_per_key: map from key to ConnectivityGraph of original added connections - :param opt_conn_graph_removed_per_key: map from key to ConnectivityGraph of optimized removed connections - :param opt_conn_graph_added_per_key: map from key to ConnectivityGraph of optimized added connections + :param removed_props_per_key: map from key to PropsAndExplanationData of optimized removed connections + :param added_props_per_key: map from key to PropsAndExplanationData of optimized added connections :return: res (int): number of categories with diffs explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category @@ -1527,9 +1612,11 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, True, orig_conn_graph_added_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - opt_conn_graph_added_conns = opt_conn_graph_added_per_key[key] - assert opt_conn_graph_added_conns and opt_conn_graph_added_conns.conn_graph_has_fw_rules() - opt_fw_rules = opt_conn_graph_added_conns.get_minimized_firewall_rules() + added_props_data = added_props_per_key[key] + assert added_props_per_key + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + added_props_data.props, added_props_data.cluster_info, added_props_data.output_config, + added_props_data.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, self._get_updated_key(key, True) + f'between {self.config1.name} and {self.config2.name}') @@ -1542,9 +1629,11 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, False, orig_conn_graph_removed_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - opt_conn_graph_removed_conns = opt_conn_graph_removed_per_key[key] - assert opt_conn_graph_removed_conns and opt_conn_graph_removed_conns.conn_graph_has_fw_rules() - opt_fw_rules = opt_conn_graph_removed_conns.get_minimized_firewall_rules() + removed_props_data = removed_props_per_key[key] + assert removed_props_data + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + removed_props_data.props, removed_props_data.cluster_info, removed_props_data.output_config, + removed_props_data.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, self._get_updated_key(key, False) + f'between {self.config1.name} and {self.config2.name}') @@ -1745,7 +1834,31 @@ def compute_diff_original(self): # noqa: C901 return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key - # TODO - rewrite this function using new optimized fw-rules creation + def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_container): + """ + create a ConnectivityGraph for changed (added/removed) connections per given key + :param key: the key (category) of changed connections + :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers + :param is_added: a bool flag indicating if connections are added or removed + :param ConnectivityProperties props: the explanation + :param PeerContainer peer_container: a relevant peer container + :return: a PropsAndExplanationData object + """ + old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) + new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) + allowed_labels = (self.config1.get_allowed_labels()).union(self.config2.get_allowed_labels()) + topology_peers = new_peers | ip_blocks if is_added else old_peers | ip_blocks + # following query_name update is for adding query line descriptions for csv and md formats + updated_key = self._get_updated_key(key, is_added) + if self.output_config.queryName: + query_name = f'semantic_diff, config1: {self.config1.name}, config2: {self.config2.name}, key: {updated_key}' + else: + # omit the query name prefix if self.output_config.queryName is empty (single query from command line) + query_name = updated_key + output_config = OutputConfiguration(self.output_config, query_name) + return SemanticDiffQuery.PropsAndExplanationData(props, ClusterInfo(topology_peers, allowed_labels), + output_config, peer_container) + def compute_diff_optimized(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: @@ -1788,8 +1901,8 @@ def compute_diff_optimized(self): # noqa: C901 IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6) - conn_graph_removed_per_key = dict() - conn_graph_added_per_key = dict() + removed_props_per_key = dict() + added_props_per_key = dict() keys_list = [] res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() old_conns = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) @@ -1800,44 +1913,42 @@ def compute_diff_optimized(self): # noqa: C901 # 1.1. lost connections between removed peers key = 'Lost connections between removed peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": removed_peers}) props &= old_props props = props.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 1.2. lost connections between removed peers and ipBlocks key = 'Lost connections between removed peers and ipBlocks' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, old_ip_blocks, False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": old_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": old_ip_blocks, "dst_peers": removed_peers}) props &= old_props - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, old_ip_blocks, False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 2.1. lost connections between removed peers and intersected peers key = 'Lost connections between removed peers and persistent peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": removed_peers}) props &= old_props props = props.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props, self.config1.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props, + self.config1.peer_container) + added_props_per_key[key] = None # 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces key = 'Changed connections between persistent peers' keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, @@ -1846,61 +1957,63 @@ def compute_diff_optimized(self): # noqa: C901 props1 = props1.props_without_auto_conns() props2 = new_props & props props2 = props2.props_without_auto_conns() - conn_graph_removed_per_key[key].add_props_to_graph(props1 - props2, self.config1.peer_container) - conn_graph_added_per_key[key].add_props_to_graph(props2 - props1, self.config2.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props1 - props2, + self.config1.peer_container) + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props2 - props1, + self.config2.peer_container) # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels key = 'Changed connections between persistent peers and ipBlocks' disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, "dst_peers": disjoint_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": disjoint_ip_blocks, "dst_peers": captured_pods}) props1 = old_props & props props2 = new_props & props - conn_graph_removed_per_key[key].add_props_to_graph(props1 - props2, self.config1.peer_container) - conn_graph_added_per_key[key].add_props_to_graph(props2 - props1, self.config2.peer_container) + removed_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, False, props1 - props2, + self.config1.peer_container) + added_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, True, props2 - props1, + self.config2.peer_container) # 4.1. new connections between intersected peers and added peers key = 'New connections between persistent peers and added peers' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": added_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": intersected_peers}) props &= new_props props = props.props_without_auto_conns() - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props, + self.config2.peer_container) # 5.1. new connections between added peers key = 'New connections between added peers' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": added_peers}) props &= new_props props = props.props_without_auto_conns() - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props, + self.config2.peer_container) # 5.2. new connections between added peers and ipBlocks key = 'New connections between added peers and ipBlocks' keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, new_ip_blocks, True) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, "dst_peers": new_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": new_ip_blocks, "dst_peers": added_peers}) props &= new_props - conn_graph_added_per_key[key].add_props_to_graph(props, self.config2.peer_container) + removed_props_per_key[key] = None + added_props_per_key[key] = self.get_changed_props_expl_data(key, new_ip_blocks, True, props, + self.config2.peer_container) - return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key + return keys_list, removed_props_per_key, added_props_per_key def exec(self, cmd_line_flag): self.output_config.fullExplanation = True # assign true for this query - it is always ok to compare its results @@ -1917,14 +2030,14 @@ def exec(self, cmd_line_flag): res, explanation = self.get_results_for_computed_fw_rules(keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key) if self.config1.optimized_run != 'false': - keys_list, opt_conn_graph_removed_per_key, opt_conn_graph_added_per_key = self.compute_diff_optimized() + keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() if self.config1.optimized_run == 'true': - res, explanation = self.get_results_for_computed_fw_rules(keys_list, opt_conn_graph_removed_per_key, - opt_conn_graph_added_per_key) + res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, + added_props_per_key) else: res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - opt_conn_graph_removed_per_key, opt_conn_graph_added_per_key) + removed_props_per_key, added_props_per_key) if res > 0: return QueryAnswer(bool_result=False, diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv index 250c7d81b..94aeeff6f 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv @@ -13,15 +13,10 @@ "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers","","","","","", "","[default]","[app=app-0]","[default]","[app=app-2]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[default]","[app=app-1]","All connections", -"","","10.10.0.0/16","[default]","[app=app-1]","All connections", -"","","11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections", +"","","0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","10.0.0.0-10.10.255.255","[default]","[app=app-2]","All but UDP 53", -"","","10.12.0.0-10.255.255.255","[default]","[app=app-2]","All but UDP 53", -"","","0.0.0.0-9.255.255.255","[default]","[app=app-2]","All connections", -"","","10.11.0.0/16","[default]","[app=app-2]","All connections", -"","","11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections", +"","","0.0.0.0/0","[default]","[app=app-2]","All but UDP 53", +"","","0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers","","","","","", "","[default]","[app in (app-5,app-6)]","[default]","[app in (app-0,app-1)]","All connections", "","[default]","[app not in (app-5,app-6)]","[default]","[app in (app-5,app-6)]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md index 01a30e28a..79aed5d87 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md @@ -14,15 +14,10 @@ |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers|||||| ||[default]|[app=app-0]|[default]|[app=app-2]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[default]|[app=app-1]|All connections| -|||10.10.0.0/16|[default]|[app=app-1]|All connections| -|||11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections| +|||0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks|||||| -|||10.0.0.0-10.10.255.255|[default]|[app=app-2]|All but UDP 53| -|||10.12.0.0-10.255.255.255|[default]|[app=app-2]|All but UDP 53| -|||0.0.0.0-9.255.255.255|[default]|[app=app-2]|All connections| -|||10.11.0.0/16|[default]|[app=app-2]|All connections| -|||11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections| +|||0.0.0.0/0|[default]|[app=app-2]|All but UDP 53| +|||0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers|||||| ||[default]|[app in (app-5,app-6)]|[default]|[app in (app-0,app-1)]|All connections| ||[default]|[app not in (app-5,app-6)]|[default]|[app in (app-5,app-6)]|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt index 6cef15323..1176223ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt @@ -19,16 +19,11 @@ Removed connections between persistent peers (based on topology from config: con src_ns: [default] src_pods: [app=app-0] dst_ns: [default] dst_pods: [app=app-2] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: config_b_with_ipBlock) : -src: 0.0.0.0-9.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections -src: 10.10.0.0/16 dst_ns: [default] dst_pods: [app=app-1] conn: All connections -src: 11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections +src: 0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-1] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: config_a_with_ipBlock) : -src: 0.0.0.0-9.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections -src: 10.0.0.0-10.10.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 -src: 10.11.0.0/16 dst_ns: [default] dst_pods: [app=app-2] conn: All connections -src: 10.12.0.0-10.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 -src: 11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections +src: 0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 New connections between persistent peers and added peers (based on topology from config: config_b_with_ipBlock) : src_ns: [default] src_pods: [app in (app-5,app-6)] dst_ns: [default] dst_pods: [app in (app-0,app-1)] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml index 3099cc8ff..262c06561 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml @@ -96,28 +96,14 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - default - dst_pods: - - app=app-1 - connection: - - All connections - - src_ip_block: - 10.10.0.0/16 - dst_ns: - - default - dst_pods: - - app=app-1 - connection: - - All connections - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/1 - 16.0.0.0/4 - 32.0.0.0/3 - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - default dst_pods: @@ -127,24 +113,7 @@ - description: Removed connections between persistent peers and ipBlocks rules: - src_ip_block: - - 10.0.0.0/13 - - 10.10.0.0/16 - - 10.8.0.0/15 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 10.12.0.0/14 - - 10.128.0.0/9 - - 10.16.0.0/12 - - 10.32.0.0/11 - - 10.64.0.0/10 + - 0.0.0.0/0 dst_ns: - default dst_pods: @@ -156,28 +125,14 @@ - 53 - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All connections - - src_ip_block: - 10.11.0.0/16 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All connections - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/1 - 16.0.0.0/4 - 32.0.0.0/3 - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - default dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv index b2ec85845..8ce3bc054 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv @@ -6,21 +6,7 @@ "","[kube-system]","[tier=frontend]","[default,kube-system-dummy-to-ignore,vendor-system]","[*]","All connections", "","[kube-system]","[tier=frontend]","[kube-system]","[!has(tier) or tier=not_frontend_for_demo]","All connections", "semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","All but UDP 53", -"","","10.0.0.0/8","[kube-system]","[tier=frontend]","All connections", -"","","172.21.0.0/16","[kube-system]","[tier=frontend]","All connections", -"","","172.30.0.0/16","[kube-system]","[tier=frontend]","All connections", +"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but UDP 53", +"","","10.0.0.0/8,172.21.0.0/16,172.30.0.0/16","[kube-system]","[tier=frontend]","All connections", "semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.1/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.11/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.13/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.15/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.17-255.255.255.255","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.3/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.5/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.7/32","All connections", -"","[kube-system]","[tier=frontend]","","49.50.0.9/32","All connections", +"","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md index dc33b6245..2931c20de 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md @@ -7,21 +7,7 @@ ||[kube-system]|[tier=frontend]|[default,kube-system-dummy-to-ignore,vendor-system]|[*]|All connections| ||[kube-system]|[tier=frontend]|[kube-system]|[!has(tier) or tier=not_frontend_for_demo]|All connections| |semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|All but UDP 53| -|||10.0.0.0/8|[kube-system]|[tier=frontend]|All connections| -|||172.21.0.0/16|[kube-system]|[tier=frontend]|All connections| -|||172.30.0.0/16|[kube-system]|[tier=frontend]|All connections| +|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but UDP 53| +|||10.0.0.0/8,172.21.0.0/16,172.30.0.0/16|[kube-system]|[tier=frontend]|All connections| |semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks|||||| -||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255|All connections| -||[kube-system]|[tier=frontend]||49.50.0.1/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.11/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.13/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.15/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.17-255.255.255.255|All connections| -||[kube-system]|[tier=frontend]||49.50.0.3/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.5/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.7/32|All connections| -||[kube-system]|[tier=frontend]||49.50.0.9/32|All connections| +||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt index 8ac650461..efd603fbc 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt @@ -9,22 +9,8 @@ src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [default,kube-system-dum src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: np4) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 10.0.0.0/8 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 172.21.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 -src: 172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 +src: 10.0.0.0/8,172.21.0.0/16,172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src_ns: [kube-system] src_pods: [tier=frontend] dst: 0.0.0.0-49.49.255.255 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.1/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.11/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.13/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.15/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.17-255.255.255.255 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.3/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.5/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.7/32 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst: 49.50.0.9/32 conn: All connections +src_ns: [kube-system] src_pods: [tier=frontend] dst: 0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml index 1dfd1dea7..9626fbdad 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml @@ -56,60 +56,7 @@ - description: Added connections between persistent peers and ipBlocks rules: - src_ip_block: - - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 11.0.0.0/8 - - 12.0.0.0/6 - - 128.0.0.0/3 - - 16.0.0.0/4 - - 160.0.0.0/5 - - 168.0.0.0/6 - - 172.0.0.0/12 - - 172.16.0.0/14 - - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.22.0.0/15 - - 172.24.0.0/14 - - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - - 172.31.0.0/16 - - 172.32.0.0/11 - - 172.64.0.0/10 - - 173.0.0.0/8 - - 174.0.0.0/7 - - 176.0.0.0/4 - - 192.0.0.0/2 + - 0.0.0.0/0 dst_ns: - kube-system dst_pods: @@ -121,21 +68,7 @@ - 53 - src_ip_block: - 10.0.0.0/8 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All connections - - src_ip_block: - 172.21.0.0/16 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - All connections - - src_ip_block: - 172.30.0.0/16 dst_ns: - kube-system @@ -151,59 +84,28 @@ - tier=frontend dst_ip_block: - 0.0.0.0/3 + - 128.0.0.0/1 - 32.0.0.0/4 - 48.0.0.0/8 - 49.0.0.0/11 + - 49.128.0.0/9 - 49.32.0.0/12 - 49.48.0.0/15 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.1/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.11/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: + - 49.50.0.128/25 - 49.50.0.13/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - 49.50.0.15/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 128.0.0.0/1 - - 49.128.0.0/9 - - 49.50.0.128/25 - 49.50.0.17/32 - 49.50.0.18/31 - 49.50.0.20/30 - 49.50.0.24/29 + - 49.50.0.3/32 - 49.50.0.32/27 + - 49.50.0.5/32 - 49.50.0.64/26 + - 49.50.0.7/32 + - 49.50.0.9/32 - 49.50.1.0/24 - 49.50.128.0/17 - 49.50.16.0/20 @@ -222,35 +124,3 @@ - 64.0.0.0/2 connection: - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.3/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.5/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.7/32 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - tier=frontend - dst_ip_block: - - 49.50.0.9/32 - connection: - - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv index 37d31db23..84331132b 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv @@ -1,24 +1,11 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", - +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md index a25b9f4a4..63545d5f7 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md @@ -1,26 +1,13 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| - +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt index 55edf8420..04a3da137 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt @@ -1,29 +1,17 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 np1 and np3 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np3) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 np2 and np3 have the same network topology and the same set of policies. diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml index e9a858463..3b83e224d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -140,16 +86,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -157,32 +93,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -190,6 +106,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -202,16 +121,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -219,32 +128,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -252,6 +141,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv index 632e48049..9f4722825 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv @@ -1,11 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md index 80b630383..c1815eaac 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md @@ -1,12 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt index 9c8f53500..30b4d61b6 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt @@ -1,13 +1,7 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml index d0422e206..2b637846a 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt index 401c47f35..0c47b208d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt @@ -1,9 +1,7 @@ np1_named_ports and np2_named_ports are not semantically equivalent. Added connections between persistent peers (based on topology from config: np2_named_ports) : -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486] conn: TCP 10054 -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) : -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486] conn: TCP 10054 -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv index 632e48049..9f4722825 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.csv @@ -1,11 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","TCP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","11.0.0.0-172.20.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.22.0.0-172.29.255.255","[kube-system]","[tier=frontend]","UDP 53", -"","","172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md index 80b630383..c1815eaac 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.md @@ -1,12 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|TCP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||11.0.0.0-172.20.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.22.0.0-172.29.255.255|[kube-system]|[tier=frontend]|UDP 53| -|||172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt index 9c8f53500..30b4d61b6 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.txt @@ -1,13 +1,7 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 11.0.0.0-172.20.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.22.0.0-172.29.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 -src: 172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml index af72b3b5e..f0c2053dd 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_np1_np2_query_output.yaml @@ -9,16 +9,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -26,32 +16,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: TCP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -59,6 +29,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: @@ -71,16 +44,6 @@ rules: - src_ip_block: - 0.0.0.0/5 - - 8.0.0.0/7 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 11.0.0.0/8 - 12.0.0.0/6 - 128.0.0.0/3 @@ -88,32 +51,12 @@ - 160.0.0.0/5 - 168.0.0.0/6 - 172.0.0.0/12 + - 172.128.0.0/9 - 172.16.0.0/14 - 172.20.0.0/16 - - 32.0.0.0/3 - - 64.0.0.0/2 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - 172.22.0.0/15 - 172.24.0.0/14 - 172.28.0.0/15 - dst_ns: - - kube-system - dst_pods: - - tier=frontend - connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 172.128.0.0/9 - 172.31.0.0/16 - 172.32.0.0/11 - 172.64.0.0/10 @@ -121,6 +64,9 @@ - 174.0.0.0/7 - 176.0.0.0/4 - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 dst_ns: - kube-system dst_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv index 3d2f0a68e..0ba4d2d49 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv @@ -1,6 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers","","","","","", -"","[default]","[*]","[kube-system]","[*]","All but UDP 53", "","[default]","[*]","[default]","[productcatalogservice]","All but TCP 3550", "","[default]","[recommendationservice]","[default]","[*]","All but TCP 3550", "","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but TCP 50051", @@ -8,11 +7,12 @@ "","[default]","[cartservice]","[default]","[*]","All but TCP 6379", "","[default]","[*]","[default]","[currencyservice]","All but TCP 7000", "","[default]","[*]","[default]","[cartservice]","All but TCP 7070", -"","[default]","[*]","[default]","[app in (emailservice,recommendationservice)]","All but TCP 8080", +"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but TCP 8080", "","[default]","[loadgenerator]","[default]","[*]","All but TCP 8080", "","[kube-system]","[*]","[default]","[*]","All but TCP 8080", "","[default]","[*]","[default]","[adservice]","All but TCP 9555", -"","[default]","[*]","[default]","[loadgenerator]","All connections", +"","[default]","[*]","[kube-system]","[*]","All but UDP 53", +"","[default,kube-system]","[*]","[default]","[loadgenerator]","All connections", "","[default]","[*]","[kube-system]","[etcd-operator]","All connections", "","[default]","[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]","[default,kube-system]","[*]","All connections", "","[default]","[cartservice]","[default]","[app not in (cartservice,loadgenerator,redis-cart)]","All connections", @@ -20,7 +20,7 @@ "","[default]","[frontend]","[default]","[app in (emailservice,paymentservice,redis-cart)]","All connections", "","[default]","[loadgenerator]","[default]","[app not in (frontend,loadgenerator)]","All connections", "","[default]","[recommendationservice]","[default]","[app not in (loadgenerator,productcatalogservice,recommendationservice)]","All connections", -"","[kube-system]","[*]","[default]","[app!=frontend]","All connections", +"","[kube-system]","[*]","[default]","[app not in (frontend,loadgenerator)]","All connections", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks","","","","","", "","","0.0.0.0/0","[default]","[*]","All but TCP 8080", "","","0.0.0.0/0","[default]","[app!=frontend]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md index d846bea80..68266e251 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md @@ -1,7 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers|||||| -||[default]|[*]|[kube-system]|[*]|All but UDP 53| ||[default]|[*]|[default]|[productcatalogservice]|All but TCP 3550| ||[default]|[recommendationservice]|[default]|[*]|All but TCP 3550| ||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but TCP 50051| @@ -9,11 +8,12 @@ ||[default]|[cartservice]|[default]|[*]|All but TCP 6379| ||[default]|[*]|[default]|[currencyservice]|All but TCP 7000| ||[default]|[*]|[default]|[cartservice]|All but TCP 7070| -||[default]|[*]|[default]|[app in (emailservice,recommendationservice)]|All but TCP 8080| +||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but TCP 8080| ||[default]|[loadgenerator]|[default]|[*]|All but TCP 8080| ||[kube-system]|[*]|[default]|[*]|All but TCP 8080| ||[default]|[*]|[default]|[adservice]|All but TCP 9555| -||[default]|[*]|[default]|[loadgenerator]|All connections| +||[default]|[*]|[kube-system]|[*]|All but UDP 53| +||[default,kube-system]|[*]|[default]|[loadgenerator]|All connections| ||[default]|[*]|[kube-system]|[etcd-operator]|All connections| ||[default]|[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]|[default,kube-system]|[*]|All connections| ||[default]|[cartservice]|[default]|[app not in (cartservice,loadgenerator,redis-cart)]|All connections| @@ -21,7 +21,7 @@ ||[default]|[frontend]|[default]|[app in (emailservice,paymentservice,redis-cart)]|All connections| ||[default]|[loadgenerator]|[default]|[app not in (frontend,loadgenerator)]|All connections| ||[default]|[recommendationservice]|[default]|[app not in (loadgenerator,productcatalogservice,recommendationservice)]|All connections| -||[kube-system]|[*]|[default]|[app!=frontend]|All connections| +||[kube-system]|[*]|[default]|[app not in (frontend,loadgenerator)]|All connections| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks|||||| |||0.0.0.0/0|[default]|[*]|All but TCP 8080| |||0.0.0.0/0|[default]|[app!=frontend]|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt index 1852687c7..820c26aeb 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt @@ -1,13 +1,13 @@ allow_all and poc3 are not semantically equivalent. Removed connections between persistent peers (based on topology from config: allow_all) : +src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but TCP 9555 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,recommendationservice)] conn: All but TCP 8080 +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but TCP 8080 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but TCP 50051 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but TCP 7070 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but TCP 5050 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but TCP 7000 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but TCP 3550 src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but UDP 53 src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [etcd-operator] conn: All connections @@ -21,7 +21,7 @@ src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [app not src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 3550 src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [app not in (loadgenerator,productcatalogservice,recommendationservice)] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app!=frontend] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: allow_all) : src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml index dec69f9f9..2f74607e9 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml @@ -7,19 +7,6 @@ explanation: - description: Removed connections between persistent peers rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - src_ns: - default src_pods: @@ -118,7 +105,7 @@ dst_ns: - default dst_pods: - - app in (emailservice,recommendationservice) + - app in (emailservice,frontend,loadgenerator,recommendationservice) connection: - All but: - Protocol: TCP @@ -168,6 +155,20 @@ src_pods: - '*' dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All but: + - Protocol: UDP + Ports: + - 53 + - src_ns: + - default + - kube-system + src_pods: + - '*' + dst_ns: - default dst_pods: - loadgenerator @@ -251,7 +252,7 @@ dst_ns: - default dst_pods: - - app!=frontend + - app not in (frontend,loadgenerator) connection: - All connections - description: Removed connections between persistent peers and ipBlocks diff --git a/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml b/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml index 40117f432..79531bd14 100644 --- a/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml +++ b/tests/fw_rules_tests/policies/semantic_diff_with_different_topologies-scheme.yaml @@ -48,253 +48,253 @@ networkConfigList: - policy_b_ipBlock.yaml expectedWarnings: 0 queries: -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.txt -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.yaml -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.md -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: dot - outputPath: null - expectedNotExecuted: 1 # dot is not supported for semanticDiff - expectedOutput: expected_output/semantic_diff_identical_query_output.dot -- name: semantic_diff_identical - semanticDiff: - - no_policy - - policy - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_identical_query_output.csv - -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.txt -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.yaml -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.md -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: dot - outputPath: null - expectedNotExecuted: 1 # dot is not supported for semanticDiff - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.dot -- name: semantic_diff_a_to_b - semanticDiff: - - config_a - - config_b - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_a_to_b_query_output.csv - -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.txt -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.yaml -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.md -- name: semantic_diff_b_to_a - semanticDiff: - - config_b - - config_a - expected: 10 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_b_to_a_query_output.csv - -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.txt -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.yaml -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.md -- name: semantic_diff_disjoint_old1_config_a - semanticDiff: - - old1 - - config_a - expected: 4 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.csv - -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: txt - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.txt -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: yaml - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.yaml -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: md - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.md -- name: semantic_diff_np1_np2 - semanticDiff: - - np1 - - np2 - expected: 2 - outputConfiguration: - fwRulesRunInTestMode: false - fwRulesGroupByLabelSinglePod: true - outputFormat: csv - outputPath: null - expectedOutput: expected_output/semantic_diff_np1_np2_query_output.csv +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.txt +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.yaml +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.md +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: dot +# outputPath: null +# expectedNotExecuted: 1 # dot is not supported for semanticDiff +# expectedOutput: expected_output/semantic_diff_identical_query_output.dot +#- name: semantic_diff_identical +# semanticDiff: +# - no_policy +# - policy +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_identical_query_output.csv +# +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.txt +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.yaml +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.md +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: dot +# outputPath: null +# expectedNotExecuted: 1 # dot is not supported for semanticDiff +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.dot +#- name: semantic_diff_a_to_b +# semanticDiff: +# - config_a +# - config_b +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_a_to_b_query_output.csv +# +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.txt +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.yaml +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.md +#- name: semantic_diff_b_to_a +# semanticDiff: +# - config_b +# - config_a +# expected: 10 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_b_to_a_query_output.csv +# +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.txt +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.yaml +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.md +#- name: semantic_diff_disjoint_old1_config_a +# semanticDiff: +# - old1 +# - config_a +# expected: 4 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_disjoint_old1_config_a_query_output.csv +# +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: txt +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.txt +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: yaml +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.yaml +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: md +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.md +#- name: semantic_diff_np1_np2 +# semanticDiff: +# - np1 +# - np2 +# expected: 2 +# outputConfiguration: +# fwRulesRunInTestMode: false +# fwRulesGroupByLabelSinglePod: true +# outputFormat: csv +# outputPath: null +# expectedOutput: expected_output/semantic_diff_np1_np2_query_output.csv - name: semantic_diff_a_to_b_with_ipBlock semanticDiff: From f591e4f6aa7b91d0cf02b4ac67318b9004476cd8 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 9 Apr 2024 17:22:25 +0300 Subject: [PATCH 60/89] Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 4 ++-- ...-semanticDiff-config-1-calico-ingress-config-allow-all.txt | 2 +- .../semantic_diff_online_boutique_new_vs_synthesized_new.txt | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 7a0426e63..678965400 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -247,8 +247,8 @@ def _compute_full_ipblock_and_dns_grouping(self, is_src_ns): self._add_to_map_if_covered(dim_name, ipblock.get_peer_set(), other_dim_name, other_dim_peers, ipblock_dnsentry_to_peer_set) dns_entries = dim_peers.get_dns_entries() - if dns_entries: - self._add_to_map_if_covered(dim_name, dns_entries, other_dim_name, other_dim_peers, + for dns_entry in dns_entries: + self._add_to_map_if_covered(dim_name, PeerSet({dns_entry}), other_dim_name, other_dim_peers, ipblock_dnsentry_to_peer_set) for curr_peers, other_dim_peers in ipblock_dnsentry_to_peer_set.items(): curr_peers = PeerSet(set(curr_peers)) # peel off the frozenset diff --git a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt index da7d0e380..e2906fca9 100644 --- a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt +++ b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt @@ -4,9 +4,9 @@ Added connections between persistent peers (based on topology from config: allow src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but TCP,UDP src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections -src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [app in (ratings,reviews)] conn: All connections +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: allow-all-config) : src: 0.0.0.0/0 dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt index 227846fc8..ed9f13cf3 100644 --- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt +++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt @@ -13,4 +13,3 @@ src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,reco New connections between added peers and ipBlocks (based on topology from config: new_online_synthesis_res) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections From 5e5b1a4b1bfc9cfbcbb118b433a0af3638666e37 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 12:37:04 +0300 Subject: [PATCH 61/89] Updated containment, permits, forbids expected results. Signed-off-by: Tanya --- ...uiv_configs_w_sidecars_different_hosts.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 6 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...-empty-impl-default-spec-all-examples.json | 59 +--- ...s-empty-impl-default-spec-all-examples.txt | 13 +- ...-empty-impl-default-spec-all-examples.yaml | 39 +-- ...no-strong-equivalence-all-peers-pairs.json | 310 +----------------- .../no-strong-equivalence-all-peers-pairs.txt | 53 +-- ...no-strong-equivalence-all-peers-pairs.yaml | 215 +----------- ...ult-impl-default-spec-print-all-pairs.json | 48 +-- ...ault-impl-default-spec-print-all-pairs.txt | 12 +- ...ult-impl-default-spec-print-all-pairs.yaml | 33 +- 14 files changed, 35 insertions(+), 761 deletions(-) diff --git a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt index b118b0a9a..2460f5ac4 100644 --- a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt +++ b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt @@ -1,3 +1,3 @@ sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. Connections allowed in sidecar-with-local-hosts-only which are different in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. \ No newline at end of file +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. diff --git a/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt index e6831d062..0eead1938 100644 --- a/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt @@ -1,7 +1,3 @@ sidecar-with-local-and-dns-hosts does not forbid connections specified in sidecar-with-local-hosts-only Both sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts allow the following connection(s): -src: default/ratings-v1-1, dst: 0.0.0.0-255.255.255.255, conn: All connections -src: default/ratings-v1-1, dst: default/details-v1-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v1-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v2-1, conn: All connections -src: default/ratings-v1-1, dst: default/reviews-v3-1, conn: All connections +src: ['default/ratings-v1-1'], dst: ['0.0.0.0-255.255.255.255', 'default/details-v1-1', 'default/reviews-v1-1', 'default/reviews-v2-1', 'default/reviews-v3-1'], conn: All connections diff --git a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt index a0fd05db2..37146a98f 100644 --- a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. diff --git a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt index 65196a97a..b8949af59 100644 --- a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,5 +1,5 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: default/ratings-v1-1, dst: www.slack.com, description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. sidecar-with-local-hosts-only does not interfere with sidecar-with-local-and-dns-hosts diff --git a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt index 952dc4d24..c1a3f3b8b 100644 --- a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ Network configuration sidecar-with-local-hosts-only is a proper subset of sidecar-with-local-and-dns-hosts but sidecar-with-local-and-dns-hosts is not contained in sidecar-with-local-hosts-only Connections allowed in sidecar-with-local-and-dns-hosts which are not a subset of those in sidecar-with-local-hosts-only: -src: default/ratings-v1-1, dst: www.slack.com, conn: Protocol: TCP +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: Protocol: TCP diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json index 070b4be76..9a808aa41 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.json @@ -12,63 +12,8 @@ "description": "Both np-within-default and np-empty allow the following connection(s)", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-d54st", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" } ] diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt index 7a1eb6259..5fee0d60e 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt @@ -1,14 +1,3 @@ np-empty does not forbid connections specified in np-within-default Both np-within-default and np-empty allow the following connection(s): -src: default/cog-agents-d54st, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-qr8gp, conn: All connections +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections diff --git a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml index a81fd7a5a..4d9cb712b 100644 --- a/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml +++ b/tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.yaml @@ -7,39 +7,8 @@ explanation: - description: Both np-within-default and np-empty allow the following connection(s) connections: - - src: default/cog-agents-d54st - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json index 59b868d37..5b22fd4e7 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.json @@ -12,314 +12,8 @@ "description": "Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined", "connections": [ { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-mgdlr", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ns8kw", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/heapster-7df8cb8c66-zxkk2", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/calico-node-ptdgj", - "dst": "kube-system/vpn-858f6d9777-2bw5m", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-mgdlr", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-ns8kw", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/calico-node-ptdgj", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/file-plugin-7bfb8b69bf-p86gk", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-57ghx", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-gzdfm", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/keepalived-watcher-wczq8", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-2qw2g", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-h6rjg", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/kube-fluentd-qmp4w", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/storage-watcher-8494b4b8bb-f8csd", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/tiller-deploy-5c45c9966b-nqwz6", - "conns_config1": "All connections", - "conns_config2": "No connections" - }, - { - "src": "kube-system/heapster-7df8cb8c66-zxkk2", - "dst": "kube-system/vpn-858f6d9777-2bw5m", + "src": "['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/heapster-7df8cb8c66-zxkk2']", + "dst": "['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/heapster-7df8cb8c66-zxkk2', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-2qw2g', 'kube-system/kube-fluentd-h6rjg', 'kube-system/kube-fluentd-qmp4w', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", "conns_config1": "All connections", "conns_config2": "No connections" } diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt index fa4b6650d..a1849b0d1 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.txt @@ -1,54 +1,3 @@ NetworkPolicy kube-system/allow-ingress-app-notin-predefined is not equivalent in nt_notin and in nt_notinwithexists Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined: -src: kube-system/calico-node-mgdlr, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-mgdlr, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ns8kw, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/heapster-7df8cb8c66-zxkk2, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/calico-node-ptdgj, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-mgdlr, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-ns8kw, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/calico-node-ptdgj, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/file-plugin-7bfb8b69bf-p86gk, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-57ghx, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-gzdfm, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/keepalived-watcher-wczq8, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-2qw2g, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-h6rjg, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/kube-fluentd-qmp4w, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/storage-watcher-8494b4b8bb-f8csd, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/tiller-deploy-5c45c9966b-nqwz6, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. -src: kube-system/heapster-7df8cb8c66-zxkk2, dst: kube-system/vpn-858f6d9777-2bw5m, description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. +src: ['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/heapster-7df8cb8c66-zxkk2'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/calico-node-ns8kw', 'kube-system/calico-node-ptdgj', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/heapster-7df8cb8c66-zxkk2', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-2qw2g', 'kube-system/kube-fluentd-h6rjg', 'kube-system/kube-fluentd-qmp4w', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: nt_notin/kube-system/allow-ingress-app-notin-predefined allows all connections while nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined does not. diff --git a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml index 345bb5e81..b09d540f1 100644 --- a/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml +++ b/tests/k8s_testcases/expected_output/no-strong-equivalence-all-peers-pairs.yaml @@ -9,211 +9,14 @@ - description: Connections allowed in nt_notin/kube-system/allow-ingress-app-notin-predefined which are different in nt_notinwithexists/kube-system/allow-ingress-app-notin-predefined connections: - - src: kube-system/calico-node-mgdlr - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-mgdlr - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ns8kw - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/heapster-7df8cb8c66-zxkk2 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/calico-node-ptdgj - dst: kube-system/vpn-858f6d9777-2bw5m - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-mgdlr - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-ns8kw - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/calico-node-ptdgj - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/file-plugin-7bfb8b69bf-p86gk - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-57ghx - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-gzdfm - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/keepalived-watcher-wczq8 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-2qw2g - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-h6rjg - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/kube-fluentd-qmp4w - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/storage-watcher-8494b4b8bb-f8csd - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/tiller-deploy-5c45c9966b-nqwz6 - conns_config1: All connections - conns_config2: No connections - - src: kube-system/heapster-7df8cb8c66-zxkk2 - dst: kube-system/vpn-858f6d9777-2bw5m + - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/calico-node-ns8kw'', + ''kube-system/calico-node-ptdgj'', ''kube-system/heapster-7df8cb8c66-zxkk2'']' + dst: '[''kube-system/calico-node-mgdlr'', ''kube-system/calico-node-ns8kw'', + ''kube-system/calico-node-ptdgj'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', + ''kube-system/heapster-7df8cb8c66-zxkk2'', ''kube-system/keepalived-watcher-57ghx'', + ''kube-system/keepalived-watcher-gzdfm'', ''kube-system/keepalived-watcher-wczq8'', + ''kube-system/kube-fluentd-2qw2g'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/kube-fluentd-qmp4w'', + ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', + ''kube-system/vpn-858f6d9777-2bw5m'']' conns_config1: All connections conns_config2: No connections diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json index 9037773b6..b986b4129 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.json @@ -12,53 +12,13 @@ "description": "Connections allowed in np-within-default which are not a subset of those in np-partly-within-default", "connections": [ { - "src": "default/cog-agents-d54st", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc']", + "dst": "['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" }, { - "src": "default/cog-agents-d54st", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-agents-qr8gp", - "conn": "All connections" - }, - { - "src": "default/cog-agents-js4qc", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-agents-qr8gp", - "dst": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-d54st", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-js4qc", - "conn": "All connections" - }, - { - "src": "default/cog-local-analyzer-7d77fb55cc-bs8rc", - "dst": "default/cog-agents-qr8gp", + "src": "['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", + "dst": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "conn": "All connections" } ] diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt index 51ff4b6fb..94c102db9 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.txt @@ -1,12 +1,4 @@ np-partly-within-default does not permit connections specified in np-within-default Connections allowed in np-within-default which are not a subset of those in np-partly-within-default: -src: default/cog-agents-d54st, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-d54st, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-agents-qr8gp, conn: All connections -src: default/cog-agents-js4qc, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-agents-qr8gp, dst: default/cog-local-analyzer-7d77fb55cc-bs8rc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-d54st, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-js4qc, conn: All connections -src: default/cog-local-analyzer-7d77fb55cc-bs8rc, dst: default/cog-agents-qr8gp, conn: All connections +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc'], dst: ['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections +src: ['default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections diff --git a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml index 2f617131a..d3ea3b0eb 100644 --- a/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml +++ b/tests/k8s_testcases/expected_output/permits-partly-default-impl-default-spec-print-all-pairs.yaml @@ -9,33 +9,10 @@ - description: Connections allowed in np-within-default which are not a subset of those in np-partly-within-default connections: - - src: default/cog-agents-d54st - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'']' + dst: '[''default/cog-agents-qr8gp'', ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections - - src: default/cog-agents-d54st - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-agents-qr8gp - conn: All connections - - src: default/cog-agents-js4qc - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-agents-qr8gp - dst: default/cog-local-analyzer-7d77fb55cc-bs8rc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-d54st - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-js4qc - conn: All connections - - src: default/cog-local-analyzer-7d77fb55cc-bs8rc - dst: default/cog-agents-qr8gp + - src: '[''default/cog-agents-qr8gp'', ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' + dst: '[''default/cog-agents-d54st'', ''default/cog-agents-js4qc'', ''default/cog-agents-qr8gp'', + ''default/cog-local-analyzer-7d77fb55cc-bs8rc'']' conn: All connections From 5817b2286902c132112620248cc9ec422563fd4a Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 13:15:55 +0300 Subject: [PATCH 62/89] Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 191 ++-------------------------- 1 file changed, 10 insertions(+), 181 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 678965400..c9fe6e7b7 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -80,12 +80,14 @@ def _create_fw_rules(self): :return: None """ # partition peer_props to ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr - self._compute_basic_namespace_grouping() + self._compute_basic_grouping() - # add all fw-rules: - self._add_all_fw_rules() + # Creating fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) + self.minimized_fw_rules.extend(self._create_fw_rules_from_base_elements_list(self.ns_set_pairs)) + self.minimized_fw_rules.extend(self._create_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) + self.minimized_fw_rules.extend(self._create_fw_rules_from_base_elements_list(self.base_elem_pairs)) - def _compute_basic_namespace_grouping(self): + def _compute_basic_grouping(self): """ computation of peer sets with possible grouping by namespaces. Results are at: ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr @@ -265,7 +267,7 @@ def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_ :param PeerSet dim_peers: a set of peers for the first dimension :param str other_dim_name: the second dimension name :param PeerSet other_dim_peers: a set of peers for the second dimension - :param dict peer_to_peer_map: the map from first dimention peers to second dimention peers + :param dict peers_to_peers_map: the map from first dimention peers to second dimension peers """ curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: dim_peers, other_dim_name: other_dim_peers}) @@ -349,7 +351,7 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se res.append(fw_rule) return res - def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): + def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ creating initial fw-rules from base elements :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock @@ -362,7 +364,7 @@ def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): self.output_config)) return res - def _create_initial_fw_rules_from_peer_props(self, peer_props): + def _create_fw_rules_from_peer_props(self, peer_props): res = [] # first, try to group peers paired with src/dst ipblocks ipblock = IpBlock.get_all_ips_block_peer_set() @@ -444,186 +446,13 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ # unknown base-elem type return None - def _create_all_initial_fw_rules(self): - """ - Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) - :return: a list of initial fw-rules of type FWRule - :rtype list[FWRule] - """ - - initial_fw_rules = [] - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_set_pairs)) - initial_fw_rules.extend(self._create_initial_fw_rules_from_peer_props(self.peer_props_without_ns_expr)) - initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.base_elem_pairs)) - return initial_fw_rules - - def _add_all_fw_rules(self): - """ - Computation of fw-rules, following the ns-grouping of peer_pairs. - Results are at: self.minimized_rules_set - :return: None - """ - # create initial fw-rules from ns_set_pairs, base_elem_pairs, peer_props_without_ns_expr - initial_fw_rules = self._create_all_initial_fw_rules() - self.minimized_fw_rules = initial_fw_rules - return # Tanya: temp - # TODO - remove the code below after checking and updating all expected results - - # option1 - start computation when src is fixed at first iteration, and merge applies to dst - option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) - # option2 - start computation when dst is fixed at first iteration, and merge applies to src - option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) - - # self.post_processing_fw_rules(option1) - # self.post_processing_fw_rules(option2) - - if self.output_config.fwRulesRunInTestMode: - # add info for documentation about computation results - self.results_info_per_option['option1_len'] = len(option1) - self.results_info_per_option['option2_len'] = len(option2) - self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 - self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 - - if self.output_config.fwRulesDebug: - print('option 1 rules:') - self._print_firewall_rules(option1) - print('option 2 rules: ') - self._print_firewall_rules(option2) - - # choose the option with less fw-rules - if len(option1) < len(option2): - self.minimized_fw_rules = option1 - return - self.minimized_fw_rules = option2 - - def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): - """ - Apply grouping for a set of elements to create grouped fw-rules - :param fixed_elem: the fixed elements from the original fw-rules - :param set_for_grouping_elems: the set of elements to be grouped - :param src_first: a bool flag to indicate if fixed_elem is src or dst - :return: A list of fw-rules after possible grouping operations - """ - res = [] - # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems - peer_set_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, PeerSetElement)) - pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if - isinstance(elem, (PodElement, PodLabelsElement))) - ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) - dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) - ns_elems = set_for_grouping_elems - (peer_set_elems | pod_and_pod_labels_elems | ip_block_elems | dns_elems) - - if ns_elems: - # grouping of ns elements is straight-forward - ns_set = set.union(*(f.ns_info for f in ns_elems)) - res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) - - for peer_set_elem in peer_set_elems: - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, peer_set_elem.get_pods_set(), - fixed_elem, set(), True)) - - # fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) if src_first else \ - # FWRule(peer_set_elem, fixed_elem, self.connections) - # res.append(fw_rule) - - if pod_and_pod_labels_elems: - # grouping of pod and pod-labels elements - # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping - if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): - elem = list(pod_and_pod_labels_elems)[0] - fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, - self.connections) - res.append(fw_rule) - else: - # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped - set_for_grouping_pods = set() - for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set() - - # allow borrowing pods for labels-grouping from covered_peer_props - fixed_elem_pods = fixed_elem.get_pods_set() - # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within - # covered_peer_props - extra_pods_list = [] - for p in fixed_elem_pods: - pods_to_add = self._get_peers_paired_with_given_peer(p, src_first) - extra_pods_list.append(pods_to_add) - # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within - # covered_peer_props - extra_pods_list_common = set() - if extra_pods_list: - extra_pods_list_common = set.intersection(*extra_pods_list) - - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, - fixed_elem, extra_pods_list_common)) - - if ip_block_elems: - # currently no grouping for ip blocks - for elem in ip_block_elems: - if src_first: - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - if dns_elems: - for elem in dns_elems: - if src_first: # do we need both if else? , dns_elem may be a dst always - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - return res - def _get_peers_paired_with_given_peer(self, peer, is_src_peer): this_dim = "src_peers" if is_src_peer else "dst_peers" other_dim = "dst_peers" if is_src_peer else "src_peers" props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) return props.project_on_one_dimension(other_dim) - def _create_merged_rules_set(self, is_src_first, fw_rules): - """ - Computing a minimized set of fw-rules by merging src/dst elements iteratively - :param is_src_first: a bool flag to indicate if merge process starts with src or dest - :param fw_rules: a list of initial fw-rules - :return: a list of minimized fw-rules after merge process - """ - initial_fw_rules = fw_rules.copy() - if not initial_fw_rules: - return [], 0 - count_fw_rules = dict() # map number of fw-rules per iteration number - max_iter = self.output_config.fwRulesMaxIter - convergence_iteration = max_iter - for i in range(0, max_iter): - fw_rules_after_merge = [] - count_fw_rules[i] = len(initial_fw_rules) - if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: - convergence_iteration = i - break - if i > 1 and self.output_config.fwRulesRunInTestMode: - assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." - # change the grouping target (src/dst) on each iteration - src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) - first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) - for elem in first_elem_set: - if src_first: - # TODO: equals or contained in? - # set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem <= f.src) - set_for_grouping_elems = set(f.dst for f in initial_fw_rules if elem == f.src) - else: - # set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem <= f.dst) - set_for_grouping_elems = set(f.src for f in initial_fw_rules if elem == f.dst) - res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) - fw_rules_after_merge.extend(res) - # prepare for next iteration - initial_fw_rules = fw_rules_after_merge - if self.output_config.fwRulesDebug: - print('fw rules after iteration: ' + str(i)) - self._print_firewall_rules(initial_fw_rules) - - return initial_fw_rules, convergence_iteration - - # --------------------------------------------------------------------------------------------------------- + # --------------------------------------------------------------------------------------------------------- # below functions are for debugging : def _print_results_info(self): From 1379379e6a39b3e0ae56089acbdc7b9234bcfa5e Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 13:19:35 +0300 Subject: [PATCH 63/89] Fixed lint error. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index c9fe6e7b7..5865cb20b 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -452,7 +452,7 @@ def _get_peers_paired_with_given_peer(self, peer, is_src_peer): props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) return props.project_on_one_dimension(other_dim) - # --------------------------------------------------------------------------------------------------------- + # --------------------------------------------------------------------------------------------------------- # below functions are for debugging : def _print_results_info(self): From 8a0d7f2152e55eb0c8bfd95346a6f52a401dbee4 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 14:26:28 +0300 Subject: [PATCH 64/89] Changed default to be the optimized run. Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 27 +++++++++---------------- nca/SchemeRunner.py | 2 +- nca/nca_cli.py | 4 ++-- tests/run_all_tests.py | 2 +- 4 files changed, 14 insertions(+), 21 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 8046f37db..b4264b34e 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -895,6 +895,11 @@ def exec(self): self.compute_connectivity_output_optimized() opt_end = time.time() print(f'Opt time: {(opt_end - opt_start):6.2f} seconds') + # the same result for opt == 'true'/'debug' + if self.output_config.outputFormat in ['json', 'yaml']: + res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] + else: + res.output_explanation = [ComputedExplanation(str_explanation=output_res)] if self.config.optimized_run == 'debug': if fw_rules and opt_fw_rules: self.compare_fw_rules(fw_rules, opt_fw_rules, self.config.peer_container, @@ -905,11 +910,6 @@ def exec(self): if fw_rules_non_tcp and opt_fw_rules_non_tcp: self.compare_fw_rules(fw_rules_non_tcp, opt_fw_rules_non_tcp, self.config.peer_container, f"connectivity - non-tcp only of {self.config.name}") - else: # self.config.optimized_run == 'true': - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] return res def get_connectivity_output_full(self, connections, peers, peers_to_compare): @@ -1277,18 +1277,11 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) conns1 = conns if props_based_on_config1 else no_conns conns2 = no_conns if props_based_on_config1 else conns - if self.output_config.fullExplanation: - if self.config1.optimized_run == 'true': - src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) - dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) - different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, - conns1, conns2)) - else: # 'debug': produce the same output format as in the original implementation (per peer pairs) - for src_peer in src_peers: - for dst_peer in dst_peers: - if src_peer != dst_peer: - different_conns_list.append(PeersAndConnections(str(src_peer), str(dst_peer), - conns1, conns2)) + if self.output_config.fullExplanation: # the same result for opt == 'true'/'debug' + src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) + dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) + different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: different_conns_list.append(PeersAndConnections(src_peers.rep(), dst_peers.rep(), conns1, conns2)) return diff --git a/nca/SchemeRunner.py b/nca/SchemeRunner.py index 37fc1d27c..f936345d1 100644 --- a/nca/SchemeRunner.py +++ b/nca/SchemeRunner.py @@ -22,7 +22,7 @@ class SchemeRunner(GenericYamlParser): 'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes', 'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity', 'semanticDiff'} - def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='false'): + def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='true'): GenericYamlParser.__init__(self, scheme_file_name) self.network_configs = {} self.global_res = 0 diff --git a/nca/nca_cli.py b/nca/nca_cli.py index e8476b1a8..53cc558f4 100644 --- a/nca/nca_cli.py +++ b/nca/nca_cli.py @@ -343,8 +343,8 @@ def nca_main(argv=None): parser.add_argument('--output_endpoints', choices=['pods', 'deployments'], help='Choose endpoints type in output (pods/deployments)', default='deployments') parser.add_argument('--optimized_run', '-opt', type=str, - help='Whether to run optimized run (-opt=true), original run (-opt=false) - the default ' - 'or the comparison of the both (debug)', default='false') + help='Whether to run optimized run (-opt=true) - the default, original run (-opt=false) ' + 'or the comparison of the both (debug)', default='true') parser.add_argument('--print_ipv6', action='store_true', help='Display IPv6 addresses connections too. ' 'If the policy reference IPv6 addresses, ' 'their connections will be printed anyway') diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py index f1aab3eb5..1cf34efca 100644 --- a/tests/run_all_tests.py +++ b/tests/run_all_tests.py @@ -416,7 +416,7 @@ def main(argv=None): default='general') parser.add_argument('--hc_opt', choices=['false', 'true', 'debug'], help='Choose non-optimized/optimized/comparison run', - default='false') + default='true') parser.add_argument('--category', choices=['k8s', 'calico', 'istio'], help='Choose category of tests', default='') parser.add_argument('--create_expected_output_files', action='store_true', help='Add missing expected output files') From 91a629842310b70a2c56d415f73b949de55f8738 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:21:33 +0300 Subject: [PATCH 65/89] In opt='debug' the result explanation should ne according to the optimized run. Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 33 ++++++++++++++----------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index b4264b34e..9447cc675 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1396,7 +1396,6 @@ class PropsAndExplanationData: output_config: OutputConfiguration peer_container: PeerContainer - @staticmethod def get_query_type(): return QueryType.PairComparisonQuery @@ -1605,15 +1604,18 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, True, orig_conn_graph_added_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - added_props_data = added_props_per_key[key] - assert added_props_per_key - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - added_props_data.props, added_props_data.cluster_info, added_props_data.output_config, - added_props_data.peer_container, None) + added_props = added_props_per_key[key] + assert added_props + opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( + key, True, added_props, res == 0) + if not opt_fw_rules: + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + added_props.props, added_props.cluster_info, added_props.output_config, + added_props.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, self._get_updated_key(key, True) + f'between {self.config1.name} and {self.config2.name}') - explanation.append(key_explanation) + explanation.append(opt_key_explanation) res += 1 if is_removed: @@ -1622,15 +1624,18 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o key, False, orig_conn_graph_removed_conns, res == 0) if not orig_fw_rules: orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - removed_props_data = removed_props_per_key[key] - assert removed_props_data - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - removed_props_data.props, removed_props_data.cluster_info, removed_props_data.output_config, - removed_props_data.peer_container, None) + removed_props = removed_props_per_key[key] + assert removed_props + opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( + key, False, removed_props, res == 0) + if not opt_fw_rules: + opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( + removed_props.props, removed_props.cluster_info, removed_props.output_config, + removed_props.peer_container, None) self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, self._get_updated_key(key, False) + f'between {self.config1.name} and {self.config2.name}') - explanation.append(key_explanation) + explanation.append(opt_key_explanation) res += 1 return res, explanation @@ -2026,7 +2031,7 @@ def exec(self, cmd_line_flag): keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() if self.config1.optimized_run == 'true': res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, - added_props_per_key) + added_props_per_key) else: res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, From 7aaa0baabf7eb71cc2aad48b10d264ce81a0a00f Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:30:16 +0300 Subject: [PATCH 66/89] Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya --- .../sidecars-disable-egress-scheme.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml index ddcd6e3d2..4da44d216 100644 --- a/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml +++ b/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecars-disable-egress-scheme.yaml @@ -1,6 +1,5 @@ resourceList: -# - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml - - ../all_deployments.yaml + - ../../online_boutique/new_online_boutique_manifests_istio/all_deployments.yaml - ../onlineboutique-services.yaml networkConfigList: From f7cc4209e6f9488a4914cf65e4a36bcb52ea223b Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 14 Apr 2024 16:50:58 +0300 Subject: [PATCH 67/89] Updating more expected results. Signed-off-by: Tanya --- .../expected_cmdline_output_files/helm_test_multi_chart.txt | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt index 69ec3f281..bff16a3e8 100644 --- a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt @@ -1,12 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: TCP 3000 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: UDP 53 src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [!has(app.kubernetes.io/instance) and !has(app.kubernetes.io/name)] conn: All connections src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=grafana}] dst_ns: [default] dst_pods: [nca-extract-kube-state-metrics] conn: All connections +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections From 43bb6f40e646033229c0c877608ee5d0f7caec9f Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 16 Apr 2024 13:03:43 +0300 Subject: [PATCH 68/89] Small optimizations. Signed-off-by: Tanya --- nca/CoreDS/CanonicalHyperCubeSet.py | 18 +++++++++++------ nca/CoreDS/ConnectivityCube.py | 27 ++++++++++--------------- nca/CoreDS/ConnectivityProperties.py | 13 ++++++------ nca/FWRules/MinimizeBasic.py | 18 +++++++++++------ nca/FWRules/MinimizeCsFWRulesOpt.py | 21 ++++++++++--------- nca/NetworkConfig/NetworkConfigQuery.py | 22 +++++++++++--------- 6 files changed, 66 insertions(+), 53 deletions(-) diff --git a/nca/CoreDS/CanonicalHyperCubeSet.py b/nca/CoreDS/CanonicalHyperCubeSet.py index a64c8b812..5f9ba1330 100644 --- a/nca/CoreDS/CanonicalHyperCubeSet.py +++ b/nca/CoreDS/CanonicalHyperCubeSet.py @@ -41,7 +41,6 @@ class CanonicalHyperCubeSet: def __init__(self, dimensions, allow_all=False): self.layers = dict() # layers are w.r.t active dimensions self.all_dimensions_list = dimensions # ordered list of all dimensions - self.all_dim_types = [DimensionsManager().get_dimension_type_by_name(dim_name) for dim_name in dimensions] # init ordered list of active dimensions: if allow_all: self.active_dimensions = [] # names (for non-active dimensions everything is allowed) @@ -172,8 +171,9 @@ def _get_entire_space_cube(self, dimensions_list_restriction=None): dimensions_list_restriction = self.all_dimensions_list dimensions_list_ordered = self._get_dimensions_subset_by_order(dimensions_list_restriction) cube_res = [] + dimensions_manager = DimensionsManager() for dim_name in dimensions_list_ordered: - cube_res.append(DimensionsManager().get_dimension_domain_by_name(dim_name, True)) + cube_res.append(dimensions_manager.get_dimension_domain_by_name(dim_name, True)) return cube_res def __len__(self): @@ -228,7 +228,10 @@ def __contains__(self, item): """ if len(item) < len(self.all_dimensions_list): raise Exception("input item len mismatch") - for index, dim_type in enumerate(self.all_dim_types): + dimensions_manager = DimensionsManager() + all_dim_types = [dimensions_manager.get_dimension_type_by_name(dim_name) + for dim_name in self.all_dimensions_list] + for index, dim_type in enumerate(all_dim_types): if dim_type == DimensionsManager.DimensionType.DFA: assert (isinstance(item[index], str)) else: @@ -604,9 +607,10 @@ def get_cube_str(self, cube): :return: str representation for cube's values """ res = "" + dimensions_manager = DimensionsManager() for dim_index, dim_values in enumerate(cube): dim_name = self.active_dimensions[dim_index] - res += DimensionsManager().get_dim_values_str(dim_values, dim_name) + ", " + res += dimensions_manager.get_dim_values_str(dim_values, dim_name) + ", " return f"({res})" def _is_last_dimension(self): @@ -666,11 +670,12 @@ def _get_aligned_cube_by_new_active_dimensions(cube, current_active_dimensions, for index, dim_name in enumerate(current_active_dimensions): current_active_dimensions_dict[dim_name] = index aligned_cube_values = [] + dimensions_manager = DimensionsManager() for active_dim_name in new_active_dimensions: if active_dim_name in current_active_dimensions_dict: aligned_cube_values.append(cube[current_active_dimensions_dict[active_dim_name]]) else: - aligned_cube_values.append(DimensionsManager().get_dimension_domain_by_name(active_dim_name, True)) + aligned_cube_values.append(dimensions_manager.get_dimension_domain_by_name(active_dim_name, True)) return aligned_cube_values def _set_active_dimensions(self, dim_names_set): @@ -828,8 +833,9 @@ def reduce_active_dimensions(self): # reduce by searching for active dimensions on which entire domain is allowed for all the cubes dimensions_to_reduce = [] values_per_dimension = self._get_values_sets_per_active_dimension() + dimensions_manager = DimensionsManager() for dim_name, values_set in values_per_dimension.items(): - dim_domain = DimensionsManager().get_dimension_domain_by_name(dim_name) + dim_domain = dimensions_manager.get_dimension_domain_by_name(dim_name) if {dim_domain} == values_set: dimensions_to_reduce.append(dim_name) dimensions_to_reduce = self._get_dimensions_subset_by_order(dimensions_to_reduce) diff --git a/nca/CoreDS/ConnectivityCube.py b/nca/CoreDS/ConnectivityCube.py index 4279ffdc1..c44892f63 100644 --- a/nca/CoreDS/ConnectivityCube.py +++ b/nca/CoreDS/ConnectivityCube.py @@ -29,8 +29,9 @@ def __init__(self, dimensions_list=None): self.dimensions_list = dimensions_list if dimensions_list else self.all_dimensions_list self.named_ports = set() # used only in the original solution self.excluded_named_ports = set() # used only in the original solution + dimensions_manager = DimensionsManager() for dim in self.dimensions_list: - dim_value = DimensionsManager().get_dimension_domain_by_name(dim, True) + dim_value = dimensions_manager.get_dimension_domain_by_name(dim, True) self.set_dim_directly(dim, dim_value) def copy(self): @@ -46,17 +47,6 @@ def copy(self): res.set_dim_directly(dim_name, dim_value.copy()) return res - def is_empty_dim(self, dim_name): - """ - Returns True iff a given dimension is empty - :param str dim_name: the given dimension name - """ - if self.get_dim_directly(dim_name) != DimensionsManager().get_empty_dimension_by_name(dim_name): - return False - - # for "dst_ports" can have named ports in original solution - return not self.named_ports and not self.excluded_named_ports if dim_name == "dst_ports" else True - def is_full_dim(self, dim_name): """ Returns True iff a given dimension is full @@ -171,8 +161,9 @@ def has_active_dim(self): """ Returns True iff the cube has at least one active dimension. Otherwise, returns False. """ + dimensions_manager = DimensionsManager() for dim in self.dimensions_list: - if self.get_dim_directly(dim) != DimensionsManager().get_dimension_domain_by_name(dim): + if self.get_dim_directly(dim) != dimensions_manager.get_dimension_domain_by_name(dim): return True return False @@ -180,9 +171,12 @@ def is_empty(self): """ Returns True iff the cube has at least one empty dimension. Otherwise, returns False. """ + dimensions_manger = DimensionsManager() for dim in self.dimensions_list: - if self.is_empty_dim(dim): - return True + if self.get_dim_directly(dim) == dimensions_manger.get_empty_dimension_by_name(dim): + # for "dst_ports" can have named ports in original solution + if dim != "dst_ports" or (not self.named_ports and not self.excluded_named_ports): + return True return False def get_ordered_cube_and_active_dims(self): @@ -192,10 +186,11 @@ def get_ordered_cube_and_active_dims(self): """ cube = [] active_dims = [] + dimensions_manager = DimensionsManager() # add values to cube by required order of dimensions for dim in self.dimensions_list: dim_value = self.get_dim_directly(dim) - if dim_value != DimensionsManager().get_dimension_domain_by_name(dim): + if dim_value != dimensions_manager.get_dimension_domain_by_name(dim): if isinstance(dim_value, MinDFA): cube.append(dim_value) else: diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index b0e9d36dd..330a042b2 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -149,10 +149,11 @@ def get_cube_dict(self, cube, is_txt=False): :rtype: dict """ cube_dict = {} + dimensions_manager = DimensionsManager() for i, dim in enumerate(self.active_dimensions): dim_values = cube[i] - dim_type = DimensionsManager().get_dimension_type_by_name(dim) - dim_domain = DimensionsManager().get_dimension_domain_by_name(dim) + dim_type = dimensions_manager.get_dimension_type_by_name(dim) + dim_domain = dimensions_manager.get_dimension_domain_by_name(dim) if dim_domain == dim_values: continue # skip dimensions with all values allowed in a cube if dim in ['protocols', 'methods']: @@ -167,7 +168,7 @@ def get_cube_dict(self, cube, is_txt=False): values_list = ','.join(str(interval) for interval in values_list) else: # TODO: should be a list of words for a finite len DFA? - values_list = DimensionsManager().get_dim_values_str(dim_values, dim) + values_list = dimensions_manager.get_dim_values_str(dim_values, dim) cube_dict[dim] = values_list return cube_dict @@ -452,9 +453,9 @@ def get_all_conns_props_per_domain_peers(): This is a compact way to represent all peers connections, but it is an over-approximation also containing IpBlock->IpBlock connections. Those redundant connections will be eventually filtered out. """ - src_peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("src_peers")) - dst_peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("dst_peers")) - return ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers}) + # optimization: src_peers and dst_peers have the same domain + peers = BasePeerSet().get_peer_set_by_indices(DimensionsManager().get_dimension_domain_by_name("src_peers")) + return ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers, "dst_peers": peers}) @staticmethod def make_empty_props(): diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 72de6a6d0..81362ee24 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -108,24 +108,30 @@ def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): @staticmethod def get_connection_set_and_peers_from_cube(the_cube, peer_container, relevant_protocols=ProtocolSet(True)): + all_peers = peer_container.get_all_peers_group(True) conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or peer_container.get_all_peers_group(True) + src_peers = conn_cube["src_peers"] or all_peers conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or peer_container.get_all_peers_group(True) + dst_peers = conn_cube["dst_peers"] or all_peers conn_cube.unset_dim("dst_peers") protocols = conn_cube["protocols"] conn_cube.unset_dim("protocols") - if not conn_cube.has_active_dim() and (protocols.is_whole_range() or protocols == relevant_protocols): + has_active_dim = conn_cube.has_active_dim() + if not has_active_dim and (protocols == relevant_protocols or protocols.is_whole_range()): conns = ConnectionSet(True) else: conns = ConnectionSet() protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) + if has_active_dim: + props = ConnectivityProperties.make_conn_props(conn_cube) + else: + props = ConnectivityProperties.make_all_props() for protocol in protocol_names: - if conn_cube.has_active_dim(): - conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) + if has_active_dim: + conns.add_connections(protocol, props) else: if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, ConnectivityProperties.make_all_props()) + conns.add_connections(protocol, props) else: conns.add_connections(protocol, True) return conns, src_peers, dst_peers diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 5865cb20b..6b7d488bf 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -193,14 +193,13 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): dim_peers = conn_cube[dim_name] other_dim_peers = conn_cube[other_dim_name].canonical_form() curr_ns_set = set() - curr_ns_peers = PeerSet() for ns in ns_set: ns_peers = PeerSet(self.cluster_info.ns_dict[ns]) - curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, - other_dim_name: other_dim_peers}) - if ns_peers.issubset(dim_peers) and (curr_covered & self.peer_props_without_ns_expr): - curr_ns_set.add(ns) - curr_ns_peers |= ns_peers + if ns_peers.issubset(dim_peers): + curr_covered = ConnectivityProperties.make_conn_props_from_dict({dim_name: ns_peers, + other_dim_name: other_dim_peers}) + if curr_covered & self.peer_props_without_ns_expr: + curr_ns_set.add(ns) if curr_ns_set: ns_set_to_peer_set[frozenset(curr_ns_set)] |= other_dim_peers for curr_ns_set, other_dim_peers in ns_set_to_peer_set.items(): @@ -216,12 +215,14 @@ def _compute_partial_ns_grouping(self, ns_set, is_src_ns): # ensure that the found pairs (with and without IpBlocks) are at least partially included # in the current connections' properties (rather than being wholly contained # in containing connections' properties) - if self.peer_props_without_ns_expr & curr_covered_without_ip_block: - self.peer_props_without_ns_expr -= curr_covered_without_ip_block + peer_props_without_ns_expr_updated = self.peer_props_without_ns_expr - curr_covered_without_ip_block + if self.peer_props_without_ns_expr != peer_props_without_ns_expr_updated: + self.peer_props_without_ns_expr = peer_props_without_ns_expr_updated self.base_elem_pairs.add((curr_ns_set, other_dim_peers_without_ip_block) if is_src_ns else (other_dim_peers_without_ip_block, curr_ns_set)) - if self.peer_props_without_ns_expr & curr_covered_ip_block: - self.peer_props_without_ns_expr -= curr_covered_ip_block + peer_props_without_ns_expr_updated = self.peer_props_without_ns_expr - curr_covered_ip_block + if self.peer_props_without_ns_expr != peer_props_without_ns_expr_updated: + self.peer_props_without_ns_expr = peer_props_without_ns_expr_updated self.base_elem_pairs.add((curr_ns_set, other_dim_peers_ip_block) if is_src_ns else (other_dim_peers_ip_block, curr_ns_set)) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 9447cc675..2aae664e1 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1129,8 +1129,9 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, - connectivity_restriction=connectivity_restriction) # Tanya: debug + if self.config.optimized_run == 'debug': + self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, + connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules, fw_rules @@ -1527,7 +1528,8 @@ def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_co fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, props_data.output_config, props_data.peer_container, None) - self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) # Tanya: debug + if self.config1.optimized_run == 'debug': + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) if self.output_config.outputFormat in ['json', 'yaml']: @@ -1612,9 +1614,10 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( added_props.props, added_props.cluster_info, added_props.output_config, added_props.peer_container, None) - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, - self._get_updated_key(key, True) + - f'between {self.config1.name} and {self.config2.name}') + if self.config1.optimized_run == 'debug': + self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, + self._get_updated_key(key, True) + + f'between {self.config1.name} and {self.config2.name}') explanation.append(opt_key_explanation) res += 1 @@ -1632,9 +1635,10 @@ def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, o opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( removed_props.props, removed_props.cluster_info, removed_props.output_config, removed_props.peer_container, None) - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, - self._get_updated_key(key, False) + - f'between {self.config1.name} and {self.config2.name}') + if self.config1.optimized_run == 'debug': + self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, + self._get_updated_key(key, False) + + f'between {self.config1.name} and {self.config2.name}') explanation.append(opt_key_explanation) res += 1 From d71e51f7155498bb049e9b3fe0162f5e69453675 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 16 Apr 2024 13:54:29 +0300 Subject: [PATCH 69/89] Small optimizations. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 6b7d488bf..92e968f6e 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -41,7 +41,7 @@ def compute_minimized_fw_rules_per_connection(self, connections, peer_props, """ The main function for creating the minimized set of fw-rules for a given connection set - :param connections: the allowed connections for the given peer pairs, of type ConnectionSet + :param ConnectionSet connections: the allowed connections for the given peer pairs, of type ConnectionSet :param ConnectivityProperties peer_props: peers (src,dst) for which communication is allowed over the given connections :param ConnectivityProperties peer_props_in_containing_connections: peers in connections that contain the current connection set From e788779743da56819c6d89dcd58f1abac312e437 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 16 Apr 2024 17:01:00 +0300 Subject: [PATCH 70/89] Removed disjoint_ip_blocks from optimized solution Signed-off-by: Tanya --- nca/NetworkConfig/NetworkConfigQuery.py | 28 ++++++++++--------------- 1 file changed, 11 insertions(+), 17 deletions(-) diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 2aae664e1..c6e6903f0 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -1896,12 +1896,7 @@ def compute_diff_optimized(self): # noqa: C901 captured_pods = (self.config1.get_captured_pods() | self.config2.get_captured_pods()) & intersected_peers exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - old_ip_blocks = IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - new_ip_blocks = IpBlock.disjoint_ip_blocks(self.config2.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) + all_ip_blocks = IpBlock.get_all_ips_block_peer_set(exclude_ipv6) removed_props_per_key = dict() added_props_per_key = dict() @@ -1927,11 +1922,11 @@ def compute_diff_optimized(self): # noqa: C901 key = 'Lost connections between removed peers and ipBlocks' keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, - "dst_peers": old_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": old_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": removed_peers}) props &= old_props - removed_props_per_key[key] = self.get_changed_props_expl_data(key, old_ip_blocks, False, props, + removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, props, self.config1.peer_container) added_props_per_key[key] = None @@ -1966,17 +1961,16 @@ def compute_diff_optimized(self): # noqa: C901 # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels key = 'Changed connections between persistent peers and ipBlocks' - disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, - "dst_peers": disjoint_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": disjoint_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": captured_pods}) props1 = old_props & props props2 = new_props & props - removed_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, False, props1 - props2, + removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, props1 - props2, self.config1.peer_container) - added_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, True, props2 - props1, + added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, props2 - props1, self.config2.peer_container) # 4.1. new connections between intersected peers and added peers @@ -2007,12 +2001,12 @@ def compute_diff_optimized(self): # noqa: C901 key = 'New connections between added peers and ipBlocks' keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, - "dst_peers": new_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": new_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": added_peers}) props &= new_props removed_props_per_key[key] = None - added_props_per_key[key] = self.get_changed_props_expl_data(key, new_ip_blocks, True, props, + added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, props, self.config2.peer_container) return keys_list, removed_props_per_key, added_props_per_key From 15d2c653875604154be37b609f7a1cf485b2213f Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 30 Apr 2024 17:44:10 +0300 Subject: [PATCH 71/89] Optimization: adding auto-connections to covered_peer_props (in fw-rules minimization) only if the number of peers is not too high, to avoid long run of these auto-connections calculation. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRulesOpt.py | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 92e968f6e..24270eaa7 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -126,10 +126,13 @@ def _compute_covered_peer_props(self): """ covered_peer_props = self.peer_props | self.peer_props_in_containing_connections all_peers_set = self.peer_props.get_all_peers() - for pod in all_peers_set: - if isinstance(pod, ClusterEP): - covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), - "dst_peers": PeerSet({pod})}) + if len(all_peers_set) < 500: + # optimization - add auto-connections only if not too many peers, + # otherwise the calculation below is very heavy + for pod in all_peers_set: + if isinstance(pod, ClusterEP): + covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), + "dst_peers": PeerSet({pod})}) self.covered_peer_props = covered_peer_props def _compute_full_ns_grouping(self, all_src_ns_set, all_dst_ns_set): From a26b179667867d15b0be26033353bacb97cc9cef Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 5 May 2024 12:19:09 +0300 Subject: [PATCH 72/89] Optimization: adding resources to global resource/namespace/pod list in test schemes (instead of putting them only in configurations), to avoid trying to load resources from live cluster, which is time-consuming. Signed-off-by: Tanya --- .../bookinfo-test-sidecar-connectivity-scheme.yaml | 2 ++ ...nity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml | 2 ++ .../example_policies/demo_short/demo2-scheme.yaml | 5 +++-- .../example_policies/ipblockstest/test-scheme.yaml | 7 ++++--- .../test-no-fw-rules-scheme.yaml | 3 ++- 5 files changed, 13 insertions(+), 6 deletions(-) diff --git a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml index dd9571875..96a3c2cc5 100644 --- a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml +++ b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml @@ -1,3 +1,5 @@ +resourceList: + - bookinfo-topology networkConfigList: - name: mixed-sidecar diff --git a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml index bd6639cb1..a4215322c 100644 --- a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml +++ b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml @@ -1,3 +1,5 @@ +resourceList: + - bookinfo-topology networkConfigList: - name: mixed-sidecar diff --git a/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml b/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml index 847120a01..327955cda 100644 --- a/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml +++ b/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml @@ -1,7 +1,8 @@ +namespaceList: ../../example_podlist/ns_list.json +podList: ../../example_podlist/pods_list.json + networkConfigList: - name: sanity_np2 - namespaceList: ../../example_podlist/ns_list.json - podList: ../../example_podlist/pods_list.json networkPolicyList: - sanity2-networkpolicy.yaml expectedWarnings: 0 diff --git a/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml b/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml index fab804305..530e80790 100644 --- a/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml +++ b/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml @@ -1,8 +1,9 @@ +namespaceList: ./ns.yaml +podList: ./pods.yaml + networkConfigList: - name: ipblockstest-config - resourceList: - - ./ns.yaml - - ./pods.yaml + networkPolicyList: - ./netpols.yaml expectedWarnings: 0 diff --git a/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml b/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml index 669ff4522..5ac5be2c5 100644 --- a/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml +++ b/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml @@ -1,7 +1,8 @@ +namespaceList: ./ns.yaml + networkConfigList: - name: onlineboutique-config resourceList: - - ./ns.yaml - ./kubernetes-manifests.yaml - ./netpols.yaml expectedWarnings: 0 From cc432e3500442ad14e5b95b4a5e6216ad7836ea3 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 7 May 2024 15:47:23 +0300 Subject: [PATCH 73/89] Deleted unused original implementation code. Changed number of expected warnings (see Issue https://github.com/IBM/network-config-analyzer/issues/724 Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 61 +- nca/CoreDS/DimensionsManager.py | 2 +- nca/CoreDS/Peer.py | 34 - nca/CoreDS/ProtocolSet.py | 26 + nca/FWRules/MinimizeBasic.py | 2 +- nca/NetworkConfig/NetworkConfig.py | 97 +-- nca/NetworkConfig/NetworkConfigQuery.py | 794 ++---------------- nca/NetworkConfig/NetworkLayer.py | 149 +--- nca/Parsers/CalicoPolicyYamlParser.py | 107 +-- nca/Parsers/GenericGatewayYamlParser.py | 8 +- nca/Parsers/IstioGatewayPolicyGenerator.py | 9 +- nca/Parsers/IstioPolicyYamlParser.py | 15 +- nca/Parsers/K8sPolicyYamlParser.py | 53 +- .../PolicyResources/CalicoNetworkPolicy.py | 127 +-- .../PolicyResources/GatewayPolicy.py | 81 +- .../PolicyResources/IstioNetworkPolicy.py | 91 +- nca/Resources/PolicyResources/IstioSidecar.py | 82 +- .../PolicyResources/K8sNetworkPolicy.py | 87 +- .../PolicyResources/NetworkPolicy.py | 155 ++-- nca/Utils/ExplTracker.py | 4 +- .../testcase15-ports/testcase15-scheme.yaml | 2 +- .../testcase15-with-ingress-scheme.yaml | 2 +- .../semantic_diff_namedPorts-scheme.yaml | 2 +- .../namedPorts/namedPorts-scheme.yaml | 2 +- .../namedPorts-scheme.yaml | 2 +- 25 files changed, 389 insertions(+), 1605 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 330a042b2..9384a418b 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -21,29 +21,19 @@ class ConnectivityProperties(CanonicalHyperCubeSet): for TCP, it may be any of the dimensions from dimensions_list, except for icmp_type and icmp_code, for icmp data the actual used dimensions are only [src_peers, dst_peers, icmp_type, icmp_code]. - The usage of this class in the original solution: - In the original solution ConnectivityProperties do not hold src_peers, dst_peers and protocols dimensions. - First, ConnectivityProperties are built at parse time. Since peers are not a part of ConnectivityProperties, - the named ports cannot be resolved at parse time, and so are kept in named_ports and excluded_named_ports, - as explained below. - Second, at the query time, ConnectivityProperties is calculated for every pair of peers, and the named ports - are resolved. The pairs of peers and the protocols are kept in ConnectionSet class, together with - the resulting ConnectivityProperties. - - The usage of this class in the optimized solution: - In the optimized solution ConnectivityProperties potentially hold all the dimensions, including sets - of source peers and destination peers. The connectivity properties are built at the parse time for every policy. - The named ports are resolved during the construction, therefore in the optimized solution named_ports and - excluded_named_ports fields are not used. - - The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain - depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when - adding more configurations. Thus, there is no unique 'all values' representation. In particular, those - dimensions are never reduced to inactive. - This might be a problem in comparison and inclusion operators of ConnectivityProperties. The possible solution - may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet), - and to set it to relevant values per query, and to make a special treatment of these dimensions - in the above operators. + ConnectivityProperties potentially hold all the dimensions, including sets of source peers and destination peers. + The connectivity properties are built at the parse time for every policy. + The named ports are resolved during the construction, therefore in the optimized solution named_ports and + excluded_named_ports fields are not used. + + The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain + depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when + adding more configurations. Thus, there is no unique 'all values' representation. In particular, those + dimensions are never reduced to inactive. + This might be a problem in comparison and inclusion operators of ConnectivityProperties. The possible solution + may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet), + and to set it to relevant values per query, and to make a special treatment of these dimensions + in the above operators. Also, including support for (included and excluded) named ports (relevant for dest ports only). @@ -366,7 +356,7 @@ def project_on_one_dimension(self, dim_name): return res @staticmethod - def _resolve_named_ports(named_ports, peer, protocols): + def _resolve_named_ports(named_ports, peer, protocols, used_named_ports): peer_named_ports = peer.get_named_ports() real_ports = PortSet() for named_port in named_ports: @@ -379,6 +369,7 @@ def _resolve_named_ports(named_ports, peer, protocols): f'of the pod {peer}. Ignoring the pod') continue real_ports.add_port(real_port[0]) + used_named_ports.add(named_port) return real_ports @staticmethod @@ -389,11 +380,8 @@ def make_conn_props(conn_cube): If possible (i.e., in the optimized solution, when dst_peers are supported in the given cube), the named ports will be resolved. - In the optimized solution, the resulting ConnectivityProperties should not contain named ports: + The resulting ConnectivityProperties should not contain named ports: they are substituted with corresponding port numbers, per peer - In the original solution, the resulting ConnectivityProperties may contain named ports; - they cannot yet be resolved, since dst peers are not provided at this stage the original solution; - they will be resolved by convert_named_ports call during query runs. :param ConnectivityCube conn_cube: the input connectivity cube including all dimension values, whereas missing dimensions are represented by their default values (representing all possible values). @@ -402,11 +390,12 @@ def make_conn_props(conn_cube): src_ports = conn_cube["src_ports"] dst_ports = conn_cube["dst_ports"] assert not src_ports.named_ports and not src_ports.excluded_named_ports - if (not dst_ports.named_ports and not dst_ports.excluded_named_ports) or \ - not conn_cube.is_active_dim("dst_peers"): - # Should not resolve named ports + if not dst_ports.named_ports and not dst_ports.excluded_named_ports: + # No named ports return ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) + # Should resolve named ports + assert conn_cube.is_active_dim("dst_peers") # Initialize conn_properties if dst_ports.port_set: dst_ports_no_named_ports = PortSet() @@ -419,15 +408,21 @@ def make_conn_props(conn_cube): # Resolving dst named ports protocols = conn_cube["protocols"] dst_peers = conn_cube["dst_peers"] + used_named_ports = set() for peer in dst_peers: - real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols) + real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols, + used_named_ports) if real_ports: conn_cube.update({"dst_ports": real_ports, "dst_peers": PeerSet({peer})}) conn_properties |= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) - excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer, protocols) + excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer, + protocols, used_named_ports) if excluded_real_ports: conn_cube.update({"dst_ports": excluded_real_ports, "dst_peers": PeerSet({peer})}) conn_properties -= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) + unresolved_named_ports = (dst_ports.named_ports.union(dst_ports.excluded_named_ports)).difference(used_named_ports) + if unresolved_named_ports: + print(f'Warning: Named ports {unresolved_named_ports} are not defined in any pod') return conn_properties @staticmethod diff --git a/nca/CoreDS/DimensionsManager.py b/nca/CoreDS/DimensionsManager.py index 20213e12e..26529a192 100644 --- a/nca/CoreDS/DimensionsManager.py +++ b/nca/CoreDS/DimensionsManager.py @@ -13,7 +13,7 @@ class DimensionsManager: """ A singleton class to manage dimensions names and their association to type and domain. - The dimensions are related to certain protocol's properties in ConnectionSet / ConnectivityProperties. + The dimensions are related to certain protocol's properties in ConnectivityProperties. They are used for allowed connection representation, as protocols properties, within CanonicalHyperCubeSet objects. The src_peers and dst_peers are special dimensions, they do not have constant domain. diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 40b1efce3..cc68d1af5 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -2,7 +2,6 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -import copy import ipaddress import re from ipaddress import ip_network @@ -425,39 +424,6 @@ def _add_interval_to_list(interval, non_overlapping_interval_list): non_overlapping_interval_list += interval.split() non_overlapping_interval_list += to_add - @staticmethod - def disjoint_ip_blocks(ip_blocks1, ip_blocks2, exclude_ipv6=False): - """ - Takes all (atomic) ip-ranges in both ip-blocks and returns a new set of ip-ranges where - each ip-range is: - 1. a subset of an ip-range in either ip-blocks AND - 2. cannot be partially intersected by an ip-range in either ip-blocks AND - 3. is maximal (extending the range to either side will violate either 1 or 2) - :param ip_blocks1: A set of ip blocks - :param ip_blocks2: A set of ip blocks - :param bool exclude_ipv6: indicates if to exclude the IPv6 addresses in case the result is all_ips_block - :return: A set of ip ranges as specified above - :rtype: PeerSet - """ - # deepcopy is required since add_interval_to_list() changes the 'interval' argument - ip_blocks_set = copy.deepcopy(ip_blocks1) - ip_blocks_set |= copy.deepcopy(ip_blocks2) - ip_blocks = sorted(ip_blocks_set, key=IpBlock.ip_count) - - # making sure the resulting list does not contain overlapping ipBlocks - blocks_with_no_overlap = [] - for interval in ip_blocks: - IpBlock._add_interval_to_list(interval, blocks_with_no_overlap) - - res = PeerSet() - for ip_block in blocks_with_no_overlap: - res.add(ip_block) - - if not res: - res.add(IpBlock.get_all_ips_block(exclude_ipv6)) - - return res - def is_ipv4_block(self): """ checks whether self IpBlock includes only IPv4 addresses diff --git a/nca/CoreDS/ProtocolSet.py b/nca/CoreDS/ProtocolSet.py index 99006018b..d4ff4dbbe 100644 --- a/nca/CoreDS/ProtocolSet.py +++ b/nca/CoreDS/ProtocolSet.py @@ -13,6 +13,8 @@ class ProtocolSet(CanonicalIntervalSet): """ min_protocol_num = 0 max_protocol_num = 255 + port_supporting_protocols = {6, 17, 132} + icmp_protocols = {1, 58} def __init__(self, all_protocols=False): """ @@ -148,3 +150,27 @@ def copy(self): for interval in self.interval_set: new_copy.interval_set.append(interval.copy()) return new_copy + + @staticmethod + def protocol_supports_ports(protocol): + """ + :param protocol: Protocol number or name + :return: Whether the given protocol has ports + :rtype: bool + """ + prot = protocol + if isinstance(protocol, str): + prot = ProtocolNameResolver.get_protocol_number(protocol) + return prot in ProtocolSet.port_supporting_protocols + + @staticmethod + def protocol_is_icmp(protocol): + """ + :param protocol: Protocol number or name + :return: Whether the protocol is icmp or icmpv6 + :rtype: bool + """ + prot = protocol + if isinstance(protocol, str): + prot = ProtocolNameResolver.get_protocol_number(protocol) + return prot in ProtocolSet.icmp_protocols diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 81362ee24..64d5b862b 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -130,7 +130,7 @@ def get_connection_set_and_peers_from_cube(the_cube, peer_container, if has_active_dim: conns.add_connections(protocol, props) else: - if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): + if ProtocolSet.protocol_supports_ports(protocol) or ProtocolSet.protocol_is_icmp(protocol): conns.add_connections(protocol, props) else: conns.add_connections(protocol, True) diff --git a/nca/NetworkConfig/NetworkConfig.py b/nca/NetworkConfig/NetworkConfig.py index 534223ca7..84227741b 100644 --- a/nca/NetworkConfig/NetworkConfig.py +++ b/nca/NetworkConfig/NetworkConfig.py @@ -5,9 +5,8 @@ from dataclasses import dataclass, field, replace from nca.CoreDS import Peer -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy, OptimizedPolicyConnections, PolicyConnectionsFilter +from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy, PolicyConnections, PolicyConnectionsFilter from .NetworkLayer import NetworkLayersContainer, NetworkLayerName from nca.Utils.ExplTracker import ExplTracker @@ -59,7 +58,6 @@ def __init__(self, name, peer_container, policies_container, optimized_run='fals self.policies_container = policies_container self.optimized_run = optimized_run self.allowed_labels = None - self.referenced_ip_blocks = None def __eq__(self, other): if not isinstance(other, NetworkConfig): @@ -193,22 +191,6 @@ def check_for_excluding_ipv6_addresses(self, exclude_ipv6): return False return True # getting here means all policies didn't reference ipv6, it is safe to exclude ipv6 addresses - def get_referenced_ip_blocks(self, exclude_non_ref_ipv6=False): - """ - :param bool exclude_non_ref_ipv6: indicates if to exclude non-referenced ipv_6 addresses from the result - :return: All ip ranges, referenced in any of the policies' rules - :rtype: Peer.PeerSet - """ - if self.referenced_ip_blocks is not None: - return self.referenced_ip_blocks - - exclude_non_ref_ipv6_from_policies = self.check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6) - self.referenced_ip_blocks = Peer.PeerSet() - for policy in self.policies_container.policies.values(): - self.referenced_ip_blocks |= policy.referenced_ip_blocks(exclude_non_ref_ipv6_from_policies) - - return self.referenced_ip_blocks - def get_allowed_labels(self): if self.allowed_labels is not None: return self.allowed_labels @@ -217,76 +199,24 @@ def get_allowed_labels(self): self.allowed_labels |= policy.referenced_labels return self.allowed_labels - # return the allowed connections considering all layers in the config - def allowed_connections(self, from_peer, to_peer, layer_name=None): - """ - This is the core of the whole application - computes the set of allowed connections from one peer to another. - In our connectivity model, this function computes the labels for the edges in our directed graph. - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param NetworkLayerName layer_name: The name of the layer to use, if requested to use a specific layer only - :return: a 4-tuple with: - - allowed_conns: all allowed connections (captured/non-captured) - - captured_flag: flag to indicate if any of the policies captured one of the peers (src/dst) - - allowed_captured_conns: allowed captured connections (can be used only if the captured flag is True) - - denied_conns: connections denied by the policies (captured) - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - if layer_name is not None: - if layer_name not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections(layer_name, from_peer, to_peer) - return self.policies_container.layers[layer_name].allowed_connections(from_peer, to_peer) - - # connectivity of hostEndpoints is only determined by calico layer - if isinstance(from_peer, Peer.HostEP) or isinstance(to_peer, Peer.HostEP): - # maintain K8s_Calico layer as active if peer container has hostEndpoint - if NetworkLayerName.K8s_Calico not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections(NetworkLayerName.K8s_Calico, - from_peer, to_peer) - return self.policies_container.layers[NetworkLayerName.K8s_Calico].allowed_connections(from_peer, to_peer) - - allowed_conns_res = ConnectionSet(True) - allowed_captured_conns_res = ConnectionSet() - captured_flag_res = False - denied_conns_res = ConnectionSet() - - for layer, layer_obj in self.policies_container.layers.items(): - allowed_conns_per_layer, captured_flag_per_layer, allowed_captured_conns_per_layer, \ - denied_conns_per_layer = layer_obj.allowed_connections(from_peer, to_peer) - - # all allowed connections: intersection of all allowed connections from all layers - allowed_conns_res &= allowed_conns_per_layer - - # all allowed captured connections: should be captured by at least one layer - allowed_captured_conns_res |= allowed_captured_conns_per_layer - captured_flag_res |= captured_flag_per_layer - - # denied conns: should be denied by at least one layer - denied_conns_res |= denied_conns_per_layer - - # an allowed captured conn (by at least one layer) has to be allowed by all layers (either implicitly or explicitly) - allowed_captured_conns_res &= allowed_conns_res - - return allowed_conns_res, captured_flag_res, allowed_captured_conns_res, denied_conns_res - - def allowed_connections_optimized(self, layer_name=None, res_conns_filter=PolicyConnectionsFilter()): + def allowed_connections(self, layer_name=None, res_conns_filter=PolicyConnectionsFilter()): """ Computes the set of allowed connections between any relevant peers. :param NetworkLayerName layer_name: The name of the layer to use, if requested to use a specific layer only :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with False value will not be calculated) :return: allowed_conns: all allowed connections for relevant peers. - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ if ExplTracker().is_active(): ExplTracker().set_peers(self.peer_container.peer_set) if layer_name is not None: if layer_name not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container, - layer_name, - res_conns_filter) - return self.policies_container.layers[layer_name].allowed_connections_optimized(self.peer_container, - res_conns_filter) + return self.policies_container.layers.empty_layer_allowed_connections(self.peer_container, + layer_name, + res_conns_filter) + return self.policies_container.layers[layer_name].allowed_connections(self.peer_container, + res_conns_filter) all_peers = self.peer_container.get_all_peers_group() host_eps = Peer.PeerSet(set([peer for peer in all_peers if isinstance(peer, Peer.HostEP)])) @@ -296,16 +226,16 @@ def allowed_connections_optimized(self, layer_name=None, res_conns_filter=Policy if host_eps and NetworkLayerName.K8s_Calico not in self.policies_container.layers: # maintain K8s_Calico layer as active if peer container has hostEndpoint conns_res = \ - self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container, - NetworkLayerName.K8s_Calico, - res_conns_filter) + self.policies_container.layers.empty_layer_allowed_connections(self.peer_container, + NetworkLayerName.K8s_Calico, + res_conns_filter) conns_res.and_by_filter(conn_hep, replace(res_conns_filter, calc_all_allowed=False)) else: - conns_res = OptimizedPolicyConnections() + conns_res = PolicyConnections() if res_conns_filter.calc_all_allowed: conns_res.all_allowed_conns = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container) for layer, layer_obj in self.policies_container.layers.items(): - conns_per_layer = layer_obj.allowed_connections_optimized(self.peer_container, res_conns_filter) + conns_per_layer = layer_obj.allowed_connections(self.peer_container, res_conns_filter) # only K8s_Calico layer handles host_eps if layer != NetworkLayerName.K8s_Calico: # connectivity of hostEndpoints is only determined by calico layer @@ -339,7 +269,6 @@ def filter_conns_by_peer_types(self, conns): Filter the given connections by removing several connection kinds that are never allowed (such as IpBlock to IpBlock connections, connections from DNSEntries, and more). :param ConnectivityProperties conns: the given connections. - :param PeerSet all_peers: all peers in the system. :return The resulting connections. :rtype ConnectivityProperties """ diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index c6e6903f0..1ce944c4c 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -2,11 +2,8 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -import itertools import os -import time from abc import abstractmethod -from collections import defaultdict from enum import Enum from dataclasses import dataclass @@ -94,14 +91,14 @@ def execute_and_compute_output_in_required_format(self, cmd_line_flag=False): # according to their updated domains (above) for config in self.get_configs(): for policy in config.policies_container.policies.values(): - policy.reorganize_opt_props_by_new_domains() + policy.reorganize_props_by_new_domains() # run the query query_answer = self.execute(cmd_line_flag) - # restore peers domains and optimized connectivity properties original values + # restore peers domains and connectivity properties original values DimensionsManager.reset() for config in self.get_configs(): for policy in config.policies_container.policies.values(): - policy.restore_opt_props() + policy.restore_props() return query_answer.numerical_result, self._handle_output(query_answer), query_answer.query_not_executed def _handle_output(self, query_answer): @@ -152,18 +149,6 @@ def determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): return False # connectivity between external peers is not relevant either return True - @staticmethod - def compare_fw_rules(fw_rules1, fw_rules2, peer_container, rules_descr=""): - text_prefix = "Original and optimized fw-rules" - if rules_descr: - text_prefix += " for " + rules_descr - if fw_rules1.fw_rules_map == fw_rules2.fw_rules_map: - print(f"{text_prefix} are semantically equivalent") - return - conn_props1 = MinimizeBasic.fw_rules_to_conn_props(fw_rules1, peer_container) - conn_props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules2, peer_container) - BaseNetworkQuery.compare_conn_props(conn_props1, conn_props2, text_prefix) - @staticmethod def compare_conn_props(props1, props2, text_prefix): if props1 == props2: @@ -506,38 +491,15 @@ def other_policy_containing_deny(self, self_policy, config_with_self_policy, lay if not other_policy.has_deny_rules(): continue config_with_other_policy = self.config.clone_with_just_one_policy(other_policy.full_name()) - if self.config.optimized_run == 'false': - res = self.check_deny_containment_original(config_with_self_policy, config_with_other_policy, layer_name) - else: - res = self.check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name) - if res: + if self.check_deny_containment(config_with_self_policy, config_with_other_policy, layer_name): return other_policy return None - def check_deny_containment_original(self, config_with_self_policy, config_with_other_policy, layer_name): - # calling get_all_peers_group does not require getting dnsEntry peers, since they are not relevant when computing - # deny connections - pods_to_compare = self.config.peer_container.get_all_peers_group() - pods_to_compare |= TwoNetworkConfigsQuery(self.config, config_with_other_policy).disjoint_referenced_ip_blocks() - for pod1 in pods_to_compare: - for pod2 in pods_to_compare: - if isinstance(pod1, IpBlock) and isinstance(pod2, IpBlock): - continue - if pod1 == pod2: - continue # no way to prevent a pod from communicating with itself - _, _, _, self_deny_conns = config_with_self_policy.allowed_connections(pod1, pod2, layer_name) - _, _, _, other_deny_conns = config_with_other_policy.allowed_connections(pod1, pod2, layer_name) - if not self_deny_conns: - continue - if not self_deny_conns.contained_in(other_deny_conns): - return False - return True - @staticmethod - def check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name): + def check_deny_containment(config_with_self_policy, config_with_other_policy, layer_name): res_conns_filter = PolicyConnectionsFilter.only_denied_connections() - self_props = config_with_self_policy.allowed_connections_optimized(layer_name, res_conns_filter) - other_props = config_with_other_policy.allowed_connections_optimized(layer_name, res_conns_filter) + self_props = config_with_self_policy.allowed_connections(layer_name, res_conns_filter) + other_props = config_with_other_policy.allowed_connections(layer_name, res_conns_filter) return self_props.denied_conns.contained_in(other_props.denied_conns) def other_rule_containing(self, self_policy, self_rule_index, is_ingress, layer_name): @@ -781,135 +743,57 @@ def are_labels_all_included(target_labels, pool_labels): return False return True - def compute_connectivity_output_original(self): - """ - Compute connectivity output with original implementation (running for every pair of peers). - :return: a tuple of output result (in a required format), FwRules, tcp FWRules and non-tcp FWRules. - :rtype ([Union[str, dict], MinimizeFWRules, MinimizeFWRules], MinimizeFWRules) - """ - fw_rules = None - fw_rules_tcp = None - fw_rules_non_tcp = None - exclude_ipv6 = self.config.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - connections = defaultdict(list) - # if dns entry peers exist but no istio policies are configured, - # then actually istio layer exists implicitly, connections to these peers will be considered with the - # default Istio outbound traffic mode - allow any - peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) - ref_ip_blocks = IpBlock.disjoint_ip_blocks(self.config.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6) - peers_to_compare |= ref_ip_blocks - peers = PeerSet() - for peer1 in peers_to_compare: - for peer2 in peers_to_compare: - if self.is_in_subset(peer1): - peers.add(peer1) - elif not self.is_in_subset(peer2): - continue # skipping pairs if none of them are in the given subset - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - if peer1 == peer2: - # cannot restrict pod's connection to itself - connections[ConnectionSet(True)].append((peer1, peer2)) - else: - conns, _, _, _ = self.config.allowed_connections(peer1, peer2) - if conns: - connections[conns].append((peer1, peer2)) - # collect both peers, even if one of them is not in the subset - peers.add(peer1) - peers.add(peer2) - # if Istio is a layer in the network config - produce 2 maps, for TCP and for non-TCP - # because Istio policies can only capture TCP connectivity - if self.config.policies_container.layers.does_contain_istio_layers(): - output_res, fw_rules_tcp, fw_rules_non_tcp = \ - self.get_connectivity_output_split_by_tcp(connections, peers, peers_to_compare) - else: - output_res, fw_rules = self.get_connectivity_output_full(connections, peers, peers_to_compare) - return output_res, fw_rules, fw_rules_tcp, fw_rules_non_tcp - - def compute_connectivity_output_optimized(self): + def compute_connectivity_output(self): """ Compute connectivity output with optimized implementation. - :return: a tuple of output result (in a required format), FwRules, tcp FWRules and non-tcp FWRules. - :rtype: ([Union[str, dict], MinimizeFWRules, MinimizeFWRules, MinimizeFWRules) + :return: output result in a required format + :rtype: Union[str, dict] """ - opt_fw_rules = None - opt_fw_rules_tcp = None - opt_fw_rules_non_tcp = None exclude_ipv6 = self.config.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - opt_conns = self.config.allowed_connections_optimized(res_conns_filter=res_conns_filter) - all_conns_opt = opt_conns.all_allowed_conns - opt_peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) + conns = self.config.allowed_connections(res_conns_filter=res_conns_filter) + all_conns = conns.all_allowed_conns + peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) # add all relevant IpBlocks, used in connections - opt_peers_to_compare |= all_conns_opt.get_all_peers() + peers_to_compare |= all_conns.get_all_peers() if exclude_ipv6: # remove connections where any of src_peers or dst_peers contain automatically-added IPv6 blocks, # while keeping connections with IPv6 blocks directly referenced in policies - opt_peers_to_compare.filter_ip_blocks_by_mask(IpBlock.get_all_ips_block(exclude_ipv6=True)) - all_conns_opt &= ConnectivityProperties.make_conn_props_from_dict({"src_peers": opt_peers_to_compare, - "dst_peers": opt_peers_to_compare}) - base_peers_num = len(opt_peers_to_compare) - subset_peers = self.compute_subset(opt_peers_to_compare) + peers_to_compare.filter_ip_blocks_by_mask(IpBlock.get_all_ips_block(exclude_ipv6=True)) + all_conns &= ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers_to_compare, + "dst_peers": peers_to_compare}) + base_peers_num = len(peers_to_compare) + subset_peers = self.compute_subset(peers_to_compare) all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) - all_conns_opt &= subset_conns - src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) + all_conns &= subset_conns + src_peers, dst_peers = ExplTracker().extract_peers(all_conns) all_peers = src_peers | dst_peers - all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) - expl_conns = all_conns_opt + all_conns = self.config.filter_conns_by_peer_types(all_conns) + expl_conns = all_conns if self.config.policies_container.layers.does_contain_istio_layers(): - output_res, opt_fw_rules_tcp, opt_fw_rules_non_tcp = \ - self.get_props_output_split_by_tcp(all_conns_opt, opt_peers_to_compare) - expl_conns, _ = self.convert_props_to_split_by_tcp(all_conns_opt) + output_res = self.get_props_output_split_by_tcp(all_conns, peers_to_compare) + expl_conns, _ = self.convert_props_to_split_by_tcp(all_conns) else: - output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) + output_res = self.get_props_output_full(all_conns, peers_to_compare) if ExplTracker().is_active(): ExplTracker().set_connections_and_peers(expl_conns, all_peers) - return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp + return output_res def exec(self): self.output_config.fullExplanation = True # assign true for this query - it is always ok to compare its results self.output_config.configName = os.path.basename(self.config.name) if self.config.name.startswith('./') else \ self.config.name res = QueryAnswer(True) - fw_rules = None - fw_rules_tcp = None - fw_rules_non_tcp = None - if self.config.optimized_run != 'true': - orig_start = time.time() - output_res, fw_rules, fw_rules_tcp, fw_rules_non_tcp = self.compute_connectivity_output_original() - orig_end = time.time() - print(f'Original loop: time: {(orig_end - orig_start):6.2f} seconds') - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] - - if self.config.optimized_run != 'false': - opt_start = time.time() - output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp = \ - self.compute_connectivity_output_optimized() - opt_end = time.time() - print(f'Opt time: {(opt_end - opt_start):6.2f} seconds') - # the same result for opt == 'true'/'debug' - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] - if self.config.optimized_run == 'debug': - if fw_rules and opt_fw_rules: - self.compare_fw_rules(fw_rules, opt_fw_rules, self.config.peer_container, - f"connectivity of {self.config.name}") - if fw_rules_tcp and opt_fw_rules_tcp: - self.compare_fw_rules(fw_rules_tcp, opt_fw_rules_tcp, self.config.peer_container, - f"connectivity - tcp only of {self.config.name}") - if fw_rules_non_tcp and opt_fw_rules_non_tcp: - self.compare_fw_rules(fw_rules_non_tcp, opt_fw_rules_non_tcp, self.config.peer_container, - f"connectivity - non-tcp only of {self.config.name}") + + output_res = self.compute_connectivity_output() + if self.output_config.outputFormat in ['json', 'yaml']: + res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] + else: + res.output_explanation = [ComputedExplanation(str_explanation=output_res)] return res def get_connectivity_output_full(self, connections, peers, peers_to_compare): @@ -936,62 +820,18 @@ def get_props_output_full(self, props, all_peers): :param ConnectivityProperties props: properties describing allowed connections :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output - :rtype ([Union[str, dict], MinimizeFWRules]) + :rtype Union[str, dict] """ peers_to_compare = props.get_all_peers() if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) - return dot_full, None + return dot_full if self.output_config.outputFormat == 'txt_no_fw_rules': conns_wo_fw_rules = self.txt_no_fw_rules_format_from_props(props, peers_to_compare) - return conns_wo_fw_rules, None + return conns_wo_fw_rules # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_props(props, all_peers) - return formatted_rules, fw_rules - - def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_compare): - """ - get the connectivity map output as two parts: TCP and non-TCP - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) - """ - connectivity_tcp_str = 'TCP' - connectivity_non_tcp_str = 'non-TCP' - connections_tcp, connections_non_tcp = self.convert_connections_to_split_by_tcp(connections) - if self.output_config.outputFormat in ['dot', 'jpg', 'html']: - dot_tcp = self.dot_format_from_connections_dict(connections_tcp, peers, connectivity_tcp_str) - dot_non_tcp = self.dot_format_from_connections_dict(connections_non_tcp, peers, connectivity_non_tcp_str) - # concatenate the two graphs into one dot file - res_str = dot_tcp + dot_non_tcp - return res_str, None, None - - if self.output_config.outputFormat == 'txt_no_fw_rules': - conns_msg_suffix = ' Connections:' - tcp_conns_wo_fw_rules = \ - self._txt_no_fw_rules_format_from_connections_dict(connections_tcp, peers, - connectivity_tcp_str + conns_msg_suffix) - non_tcp_conns_wo_fw_rules = \ - self._txt_no_fw_rules_format_from_connections_dict(connections_non_tcp, peers, - connectivity_non_tcp_str + conns_msg_suffix) - return tcp_conns_wo_fw_rules + '\n\n' + non_tcp_conns_wo_fw_rules, None, None - # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = \ - self.fw_rules_from_connections_dict(connections_tcp, peers_to_compare, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = \ - self.fw_rules_from_connections_dict(connections_non_tcp, peers_to_compare, connectivity_non_tcp_str) - if self.output_config.outputFormat in ['json', 'yaml']: - # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) - rules = formatted_rules_tcp - rules.update(formatted_rules_non_tcp) - return rules, fw_rules_tcp, fw_rules_non_tcp - # remaining formats: txt / csv / md : concatenate the two strings of the conn-maps - if self.output_config.outputFormat == 'txt': - res_str = f'{formatted_rules_tcp}\n{formatted_rules_non_tcp}' - else: - res_str = formatted_rules_tcp + formatted_rules_non_tcp - return res_str, fw_rules_tcp, fw_rules_non_tcp + formatted_rules = self.fw_rules_from_props(props, all_peers) + return formatted_rules def get_props_output_split_by_tcp(self, props, all_peers): """ @@ -999,7 +839,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): :param ConnectivityProperties props: properties describing allowed connections :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output - :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) + :rtype Union[str, dict] """ peers_to_compare = props.get_all_peers() connectivity_tcp_str = 'TCP' @@ -1010,28 +850,27 @@ def get_props_output_split_by_tcp(self, props, all_peers): dot_non_tcp = self.dot_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) # concatenate the two graphs into one dot file res_str = dot_tcp + dot_non_tcp - return res_str, None, None + return res_str if self.output_config.outputFormat in ['txt_no_fw_rules']: txt_no_fw_rules_tcp = self.txt_no_fw_rules_format_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) txt_no_fw_rules_non_tcp = self.txt_no_fw_rules_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) res_str = txt_no_fw_rules_tcp + '\n\n' + txt_no_fw_rules_non_tcp - return res_str, None, None + return res_str # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, - connectivity_non_tcp_str) + formatted_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) + formatted_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, connectivity_non_tcp_str) if self.output_config.outputFormat in ['json', 'yaml']: # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) rules = formatted_rules_tcp rules.update(formatted_rules_non_tcp) - return rules, fw_rules_tcp, fw_rules_non_tcp + return rules # remaining formats: txt / csv / md : concatenate the two strings of the conn-maps if self.output_config.outputFormat == 'txt': res_str = f'{formatted_rules_tcp}\n{formatted_rules_non_tcp}' else: res_str = formatted_rules_tcp + formatted_rules_non_tcp - return res_str, fw_rules_tcp, fw_rules_non_tcp + return res_str def _get_conn_graph(self, connections, peers): """ @@ -1118,7 +957,7 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not :return the connectivity map in fw-rules, considering connectivity_restriction if required - :rtype: (Union[str, dict], MinimizeFWRules) + :rtype: Union[str, dict] """ if self.output_config.fwRulesOverrideAllowedLabels: allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) @@ -1133,41 +972,7 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) - return formatted_rules, fw_rules - - def convert_connections_to_split_by_tcp(self, connections): - """ - given the connections' dict , convert it to two connection maps, one for TCP only, and the other - for non-TCP only. - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :return: a tuple of the two connection maps : first for TCP, second for non-TCP - :rtype: tuple(dict, dict) - """ - connections_tcp = defaultdict(list) - connections_non_tcp = defaultdict(list) - for conn, peers_list in connections.items(): - tcp_conns, non_tcp_conns = self.split_to_tcp_and_non_tcp_conns(conn) - connections_tcp[tcp_conns] += peers_list - connections_non_tcp[non_tcp_conns] += peers_list - - return connections_tcp, connections_non_tcp - - @staticmethod - def split_to_tcp_and_non_tcp_conns(conns): - """ - split a ConnectionSet object to two objects: one within TCP only, the other within non-TCP protocols - :param ConnectionSet conns: a ConnectionSet object - :return: a tuple of the two ConnectionSet objects: first for TCP, second for non-TCP - :rtype: tuple(ConnectionSet, ConnectionSet) - """ - tcp_conns = conns - ConnectionSet.get_non_tcp_connections() - non_tcp_conns = conns - tcp_conns - if non_tcp_conns == ConnectionSet.get_non_tcp_connections(): - non_tcp_conns = ConnectionSet(True) # all connections in terms of non-TCP - if tcp_conns == ConnectionSet.get_all_tcp_connections(): - tcp_conns = ConnectionSet(True) # all connections in terms of TCP - - return tcp_conns, non_tcp_conns + return formatted_rules @staticmethod def convert_props_to_split_by_tcp(props): @@ -1227,19 +1032,6 @@ def is_identical_topologies(self, check_same_policies=False): 'topology and the same set of policies.') return QueryAnswer(True) - def disjoint_referenced_ip_blocks(self): - """ - Returns disjoint ip-blocks in the policies of both configs - :return: A set of disjoint ip-blocks - :rtype: PeerSet - """ - exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ - self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - # TODO - consider including also non referenced IPBlocks, as in ConnectivityMapQuery - # (see issue https://github.com/IBM/network-config-analyzer/issues/522) - return IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - self.config2.get_referenced_ip_blocks(exclude_ipv6), exclude_ipv6) - def filter_conns_by_input_or_internal_constraints(self, conns1, conns2): """ Given two allowed connections (in config1 and in config2 respectively), filter those connections @@ -1329,40 +1121,12 @@ def exec(self, cmd_line_flag=False, layer_name=None): if query_answer.output_result: query_answer.numerical_result = not query_answer.bool_result return query_answer - if self.config1.optimized_run == 'false': - return self.check_equivalence_original(layer_name) - else: - return self.check_equivalence_optimized(layer_name) - - def check_equivalence_original(self, layer_name=None): - peers_to_compare = \ - self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods(layer_name) | self.config2.get_captured_pods(layer_name) - different_conns_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1, _, _, _ = self.config1.allowed_connections(peer1, peer2, layer_name) - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2, layer_name) - if conns1 != conns2: - different_conns_list.append(PeersAndConnections(str(peer1), str(peer2), conns1, conns2)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(different_conns_list) - - if different_conns_list: - return self._query_answer_with_relevant_explanation(sorted(different_conns_list)) + return self.check_equivalence(layer_name) - return QueryAnswer(True, self.name1 + ' and ' + self.name2 + ' are semantically equivalent.', - numerical_result=0) - - def check_equivalence_optimized(self, layer_name=None): + def check_equivalence(self, layer_name=None): res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(layer_name, res_conns_filter) - conn_props2 = self.config2.allowed_connections_optimized(layer_name, res_conns_filter) + conn_props1 = self.config1.allowed_connections(layer_name, res_conns_filter) + conn_props2 = self.config2.allowed_connections(layer_name, res_conns_filter) all_conns1, all_conns2 = self.filter_conns_by_input_or_internal_constraints(conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) if all_conns1 == all_conns2: @@ -1430,76 +1194,7 @@ def get_explanation_from_conn_graph(conn_graph, is_first_connectivity_result): fw_rules_output = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) return fw_rules_output, fw_rules - def compute_explanation_for_key(self, key, is_added, conn_graph, is_first_connectivity_result): - """ - computes the explanation for given key and conn_graph with description and fw-rules results - prepares the description and explanation - description text is written for txt, yaml and json formats - other formats description already included in the conn_graph data - :param str key: the key describing the changes - :param bool is_added: a bool flag indicating if connections are added or removed - :param ConnectivityGraph conn_graph: a ConnectivityGraph with added/removed connections - :param bool is_first_connectivity_result: flag indicating if this is the first connectivity fw-rules computation - for the current semantic-diff query - :return the computedExplanation of the current key and conn_graph considering the outputFormat, - and fw_rules from which the explanation was computed - :rtype: ComputedExplanation, Union[None, MinimizeFWRules] - """ - updated_key = self._get_updated_key(key, is_added) - topology_config_name = self.name2 if is_added else self.name1 - connectivity_changes_header = f'{updated_key} (based on topology from config: {topology_config_name}) :' - fw_rules = None - if self.output_config.outputFormat == 'txt_no_fw_rules': - conn_graph_explanation = conn_graph.get_connections_without_fw_rules_txt_format( - connectivity_changes_header, exclude_self_loop_conns=False) + '\n' - else: - conn_graph_explanation, fw_rules = self.get_explanation_from_conn_graph(conn_graph, is_first_connectivity_result) - - if self.output_config.outputFormat in ['json', 'yaml']: - explanation_dict = {'description': updated_key} - explanation_dict.update(conn_graph_explanation) - key_explanation = ComputedExplanation(dict_explanation=explanation_dict) - else: - str_explanation = f'\n{connectivity_changes_header}\n' if self.output_config.outputFormat == 'txt' else '' - str_explanation += conn_graph_explanation - key_explanation = ComputedExplanation(str_explanation=str_explanation) - - return key_explanation, fw_rules - - def get_results_for_computed_fw_rules(self, keys_list, conn_graph_removed_per_key, conn_graph_added_per_key): - """ - Compute accumulated explanation and res for all keys of changed connections categories - :param keys_list: the list of keys - :param conn_graph_removed_per_key: map from key to ConnectivityGraph of removed connections - :param conn_graph_added_per_key: map from key to ConnectivityGraph of added connections - :return: - res (int): number of categories with diffs - explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category - :rtype: int, list[ComputedExplanation] - """ - explanation = [] - add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() - res = 0 - for key in keys_list: - conn_graph_added_conns = conn_graph_added_per_key[key] - conn_graph_removed_conns = conn_graph_removed_per_key[key] - is_added = conn_graph_added_conns is not None and conn_graph_added_conns.conn_graph_has_fw_rules() - is_removed = conn_graph_removed_conns is not None and conn_graph_removed_conns.conn_graph_has_fw_rules() - if is_added: - if add_explanation: - key_explanation, _ = self.compute_explanation_for_key(key, True, conn_graph_added_conns, res == 0) - explanation.append(key_explanation) - res += 1 - - if is_removed: - if add_explanation: - key_explanation, _ = self.compute_explanation_for_key(key, False, conn_graph_removed_conns, res == 0) - explanation.append(key_explanation) - res += 1 - - return res, explanation - - def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_connectivity_result): + def compute_explanation_for_key(self, key, is_added, props_data, is_first_connectivity_result): """ computes the explanation for given key and conn_graph with description and fw-rules results prepares the description and explanation @@ -1543,7 +1238,7 @@ def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_co return key_explanation, fw_rules - def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key, added_props_per_key): + def get_results_for_computed_fw_rules(self, keys_list, removed_props_per_key, added_props_per_key): """ Compute accumulated explanation and res for all keys of changed connections categories :param keys_list: the list of keys @@ -1564,86 +1259,18 @@ def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key is_removed = removed_props is not None and removed_props.props if is_added: if add_explanation: - key_explanation, _ = self.compute_explanation_for_key_opt(key, True, added_props, res == 0) + key_explanation, _ = self.compute_explanation_for_key(key, True, added_props, res == 0) explanation.append(key_explanation) res += 1 if is_removed: if add_explanation: - key_explanation, _ = self.compute_explanation_for_key_opt(key, False, removed_props, res == 0) + key_explanation, _ = self.compute_explanation_for_key(key, False, removed_props, res == 0) explanation.append(key_explanation) res += 1 return res, explanation - def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, orig_conn_graph_removed_per_key, - orig_conn_graph_added_per_key, - removed_props_per_key, added_props_per_key): - """ - Compute accumulated explanation and res for all keys of changed connections categories. - Also, compare original and optimized results. - :param keys_list: the list of keys - :param orig_conn_graph_removed_per_key: map from key to ConnectivityGraph of original removed connections - :param orig_conn_graph_added_per_key: map from key to ConnectivityGraph of original added connections - :param removed_props_per_key: map from key to PropsAndExplanationData of optimized removed connections - :param added_props_per_key: map from key to PropsAndExplanationData of optimized added connections - :return: - res (int): number of categories with diffs - explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category - :rtype: int, list[ComputedExplanation] - """ - explanation = [] - add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() - res = 0 - for key in keys_list: - orig_conn_graph_added_conns = orig_conn_graph_added_per_key[key] - orig_conn_graph_removed_conns = orig_conn_graph_removed_per_key[key] - is_added = orig_conn_graph_added_conns is not None and orig_conn_graph_added_conns.conn_graph_has_fw_rules() - is_removed = orig_conn_graph_removed_conns is not None and orig_conn_graph_removed_conns.conn_graph_has_fw_rules() - if is_added: - if add_explanation: - key_explanation, orig_fw_rules = self.compute_explanation_for_key( - key, True, orig_conn_graph_added_conns, res == 0) - if not orig_fw_rules: - orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - added_props = added_props_per_key[key] - assert added_props - opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( - key, True, added_props, res == 0) - if not opt_fw_rules: - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - added_props.props, added_props.cluster_info, added_props.output_config, - added_props.peer_container, None) - if self.config1.optimized_run == 'debug': - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, - self._get_updated_key(key, True) + - f'between {self.config1.name} and {self.config2.name}') - explanation.append(opt_key_explanation) - res += 1 - - if is_removed: - if add_explanation: - key_explanation, orig_fw_rules = self.compute_explanation_for_key( - key, False, orig_conn_graph_removed_conns, res == 0) - if not orig_fw_rules: - orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - removed_props = removed_props_per_key[key] - assert removed_props - opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( - key, False, removed_props, res == 0) - if not opt_fw_rules: - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - removed_props.props, removed_props.cluster_info, removed_props.output_config, - removed_props.peer_container, None) - if self.config1.optimized_run == 'debug': - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, - self._get_updated_key(key, False) + - f'between {self.config1.name} and {self.config2.name}') - explanation.append(opt_key_explanation) - res += 1 - - return res, explanation - def get_conn_graph_changed_conns(self, key, ip_blocks, is_added): """ create a ConnectivityGraph for changed (added/removed) connections per given key @@ -1666,176 +1293,6 @@ def get_conn_graph_changed_conns(self, key, ip_blocks, is_added): output_config = OutputConfiguration(self.output_config, query_name) return ConnectivityGraph(topology_peers, allowed_labels, output_config) - def compute_diff_original(self): # noqa: C901 - """ - Compute changed connections as following: - - 1.1. lost connections between removed peers - 1.2. lost connections between removed peers and ipBlocks - - 2.1. lost connections between removed peers and intersected peers - - 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces - 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels - - 4.1. new connections between intersected peers and added peers - - 5.1. new connections between added peers - 5.2. new connections between added peers and ipBlocks - - Some sections might be empty and can be dropped. - - :return: - keys_list (list[str]): list of names of connection categories, - being the keys in conn_graph_removed_per_key/conn_graph_added_per_key - conn_graph_removed_per_key (dict): a dictionary of removed connections connectivity graphs per category - conn_graph_added_per_key (dict): a dictionary of added connections connectivity graphs per category - :rtype: list[str], dict, dict - """ - old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - intersected_peers = old_peers & new_peers - removed_peers = old_peers - intersected_peers - added_peers = new_peers - intersected_peers - captured_pods = (self.config1.get_captured_pods() | self.config2.get_captured_pods()) & intersected_peers - exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ - self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - old_ip_blocks = IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - new_ip_blocks = IpBlock.disjoint_ip_blocks(self.config2.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - - conn_graph_removed_per_key = dict() - conn_graph_added_per_key = dict() - keys_list = [] - - # 1.1. lost connections between removed peers - key = 'Lost connections between removed peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None - for pair in itertools.permutations(removed_peers, 2): - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - continue - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - # 1.2. lost connections between removed peers and ipBlocks - key = 'Lost connections between removed peers and ipBlocks' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, old_ip_blocks, False) - conn_graph_added_per_key[key] = None - for pair in itertools.product(removed_peers, old_ip_blocks): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[1], pair[0]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[1], pair[0], lost_conns) - - # 2.1. lost connections between removed peers and intersected peers - key = 'Lost connections between removed peers and persistent peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None - for pair in itertools.product(removed_peers, intersected_peers): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[1], pair[0]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[1], pair[0], lost_conns) - - # 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces - key = 'Changed connections between persistent peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for peer1 in intersected_peers: - for peer2 in intersected_peers if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - old_conns, _, _, _ = self.config1.allowed_connections(peer1, peer2) - new_conns, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if new_conns != old_conns: - conn_graph_removed_per_key[key].add_edge(peer1, peer2, old_conns - new_conns) - conn_graph_added_per_key[key].add_edge(peer1, peer2, new_conns - old_conns) - - # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels - key = 'Changed connections between persistent peers and ipBlocks' - disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) - peers = captured_pods | disjoint_ip_blocks - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, True) - for peer1 in peers: - for peer2 in disjoint_ip_blocks if peer1 in captured_pods else captured_pods: - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - old_conns, _, _, _ = self.config1.allowed_connections(peer1, peer2) - new_conns, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if new_conns != old_conns: - conn_graph_removed_per_key[key].add_edge(peer1, peer2, old_conns - new_conns) - conn_graph_added_per_key[key].add_edge(peer1, peer2, new_conns - old_conns) - - # 4.1. new connections between intersected peers and added peers - key = 'New connections between persistent peers and added peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for pair in itertools.product(intersected_peers, added_peers): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[1], pair[0]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[1], pair[0], new_conns) - - # 5.1. new connections between added peers - key = 'New connections between added peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for pair in itertools.permutations(added_peers, 2): - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - continue - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - # 5.2. new connections between added peers and ipBlocks - key = 'New connections between added peers and ipBlocks' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, new_ip_blocks, True) - - for pair in itertools.product(added_peers, new_ip_blocks): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[1], pair[0]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[1], pair[0], new_conns) - - return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key - def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_container): """ create a ConnectivityGraph for changed (added/removed) connections per given key @@ -1861,7 +1318,7 @@ def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_cont return SemanticDiffQuery.PropsAndExplanationData(props, ClusterInfo(topology_peers, allowed_labels), output_config, peer_container) - def compute_diff_optimized(self): # noqa: C901 + def compute_diff(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: @@ -1902,8 +1359,8 @@ def compute_diff_optimized(self): # noqa: C901 added_props_per_key = dict() keys_list = [] res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - old_conns = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) - new_conns = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter) + old_conns = self.config1.allowed_connections(res_conns_filter=res_conns_filter) + new_conns = self.config2.allowed_connections(res_conns_filter=res_conns_filter) old_props, new_props = self.filter_conns_by_input_or_internal_constraints(old_conns.all_allowed_conns, new_conns.all_allowed_conns) @@ -2016,25 +1473,9 @@ def exec(self, cmd_line_flag): query_answer = self.is_identical_topologies(True) if query_answer.bool_result and query_answer.output_result: return query_answer - orig_conn_graph_removed_per_key = dict() - orig_conn_graph_added_per_key = dict() - res = 0 - explanation = "" - if self.config1.optimized_run != 'true': - keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key = self.compute_diff_original() - if self.config1.optimized_run == 'false': - res, explanation = self.get_results_for_computed_fw_rules(keys_list, orig_conn_graph_removed_per_key, - orig_conn_graph_added_per_key) - if self.config1.optimized_run != 'false': - keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() - if self.config1.optimized_run == 'true': - res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, - added_props_per_key) - else: - res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( - keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - removed_props_per_key, added_props_per_key) - + keys_list, removed_props_per_key, added_props_per_key = self.compute_diff() + res, explanation = self.get_results_for_computed_fw_rules(keys_list, removed_props_per_key, + added_props_per_key) if res > 0: return QueryAnswer(bool_result=False, output_result=f'{self.name1} and {self.name2} are not semantically equivalent.', @@ -2107,44 +1548,16 @@ def exec(self, cmd_line_flag=False, only_captured=False): return QueryAnswer(False, f'{self.name1} is not contained in {self.name2} ', output_explanation=[final_explanation], numerical_result=0 if not cmd_line_flag else 1) - if self.config1.optimized_run == 'false': - return self.check_containment_original(cmd_line_flag, only_captured) - else: - return self.check_containment_optimized(cmd_line_flag, only_captured) - - def check_containment_original(self, cmd_line_flag=False, only_captured=False): - config1_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare = config1_peers | self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods() | self.config2.get_captured_pods() - not_contained_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1_all, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if only_captured and not captured1_flag: - continue - conns1 = conns1_captured if only_captured else conns1_all - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if not conns1.contained_in(conns2): - not_contained_list.append(PeersAndConnections(str(peer1), str(peer2), conns1)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(not_contained_list, cmd_line_flag) - if not_contained_list: - return self._query_answer_with_relevant_explanation(sorted(not_contained_list), cmd_line_flag) - return QueryAnswer(True, self.name1 + ' is contained in ' + self.name2, - numerical_result=1 if not cmd_line_flag else 0) + return self.check_containment(cmd_line_flag, only_captured) - def check_containment_optimized(self, cmd_line_flag=False, only_captured=False): + def check_containment(self, cmd_line_flag=False, only_captured=False): if only_captured: res_conns_filter1 = PolicyConnectionsFilter.only_allowed_connections() else: res_conns_filter1 = PolicyConnectionsFilter.only_all_allowed_connections() res_conns_filter2 = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter1) - conn_props2 = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter2) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter1) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter2) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints( conn_props1.allowed_conns if only_captured else conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) @@ -2258,42 +1671,13 @@ def exec(self, cmd_line_flag): else not query_answer.bool_result return query_answer - if self.config1.optimized_run == 'false': - return self.check_interferes_original(cmd_line_flag) - else: - return self.check_interferes_optimized(cmd_line_flag) + return self.check_interferes(cmd_line_flag) - def check_interferes_original(self, cmd_line_flag): - peers_to_compare = \ - self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config2.get_captured_pods() | self.config1.get_captured_pods() - extended_conns_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - _, captured2_flag, conns2_captured, _ = self.config2.allowed_connections(peer1, peer2) - if not captured2_flag: - continue - _, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if captured1_flag and not conns1_captured.contained_in(conns2_captured): - extended_conns_list.append(PeersAndConnections(str(peer1), str(peer2), conns1_captured, - conns2_captured)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(extended_conns_list, cmd_line_flag) - if extended_conns_list: - return self._query_answer_with_relevant_explanation(sorted(extended_conns_list), cmd_line_flag) - return QueryAnswer(False, self.name1 + ' does not interfere with ' + self.name2, - numerical_result=0 if not cmd_line_flag else 1) - - def check_interferes_optimized(self, cmd_line_flag=False): + def check_interferes(self, cmd_line_flag=False): res_conns_filter = PolicyConnectionsFilter.only_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) - conn_props2 = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints(conn_props1.allowed_conns, conn_props2.allowed_conns) if conns1.contained_in(conns2): @@ -2341,48 +1725,16 @@ def exec(self, cmd_line_flag=False, only_captured=True): if query_answer.output_result: return query_answer - if self.config1.optimized_run == 'false': - return self.check_intersects_original() - else: - return self.check_intersects_optimized() - - def check_intersects_original(self, only_captured=True): - peers_to_compare = \ - self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods() | self.config2.get_captured_pods() - intersect_connections_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1_all, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if only_captured and not captured1_flag: - continue - conns1 = conns1_captured if only_captured else conns1_all - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2) - conns_in_both = conns2 & conns1 - if bool(conns_in_both): - intersect_connections_list.append(PeersAndConnections(str(peer1), str(peer2), conns_in_both)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(intersect_connections_list) - - if intersect_connections_list: - return self._query_answer_with_relevant_explanation(sorted(intersect_connections_list)) - - return QueryAnswer(False, f'The connections allowed by {self.name1}' - f' do not intersect the connections allowed by {self.name2}', numerical_result=1) + return self.check_intersects() - def check_intersects_optimized(self, only_captured=True): + def check_intersects(self, only_captured=True): if only_captured: res_conns_filter1 = PolicyConnectionsFilter.only_allowed_connections() else: res_conns_filter1 = PolicyConnectionsFilter.only_all_allowed_connections() res_conns_filter2 = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter1) - conn_props2 = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter2) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter1) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter2) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints( conn_props1.allowed_conns if only_captured else conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) diff --git a/nca/NetworkConfig/NetworkLayer.py b/nca/NetworkConfig/NetworkLayer.py index affb7d817..7e2c08212 100644 --- a/nca/NetworkConfig/NetworkLayer.py +++ b/nca/NetworkConfig/NetworkLayer.py @@ -12,7 +12,7 @@ from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.PolicyResources.IstioNetworkPolicy import IstioNetworkPolicy from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicy -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy, \ +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy, \ PolicyConnectionsFilter from nca.Utils.ExplTracker import ExplTracker @@ -99,30 +99,17 @@ def does_contain_istio_layers(self): return bool({NetworkLayerName.Istio, NetworkLayerName.IstioGateway} & set(self.keys())) @staticmethod - def empty_layer_allowed_connections(layer_name, from_peer, to_peer): - """ - Get allowed connections between two peers for an empty layer (no policies). - :param NetworkLayerName layer_name: The empty layer name - :param Peer.Peer from_peer: the source peer - :param Peer.Peer to_peer: the target peer - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - empty_layer_obj = layer_name.create_network_layer([]) - return empty_layer_obj.allowed_connections(from_peer, to_peer) - - @staticmethod - def empty_layer_allowed_connections_optimized(peer_container, layer_name, - res_conns_filter=PolicyConnectionsFilter()): + def empty_layer_allowed_connections(peer_container, layer_name, res_conns_filter=PolicyConnectionsFilter()): """ Get allowed connections between for all relevant peers for an empty layer (no policies). :param PeerContainer peer_container: holds all the peers :param NetworkLayerName layer_name: The empty layer name :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with None value will not be calculated) - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ empty_layer_obj = layer_name.create_network_layer([]) - return empty_layer_obj.allowed_connections_optimized(peer_container, res_conns_filter) + return empty_layer_obj.allowed_connections(peer_container, res_conns_filter) class NetworkLayer: @@ -144,39 +131,7 @@ def add_policy(self, policy): """ insort(self.policies_list, policy) - def allowed_connections(self, from_peer, to_peer): - """ - Compute per network layer the allowed connections between from_peer and to_peer, considering - all layer's policies (and defaults) - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :return: a 4-tuple with: - - allowed_conns: all allowed connections (captured/non-captured) - - captured_flag: flag to indicate if any of the policies captured one of the peers (src/dst) - - allowed_captured_conns: allowed captured connections (can be used only if the captured flag is True) - - denied_conns: connections denied by the policies (captured) - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - if isinstance(to_peer, IpBlock): - ingress_conns = PolicyConnections(captured=False, all_allowed_conns=ConnectionSet(True)) - else: - ingress_conns = self._allowed_xgress_conns(from_peer, to_peer, True) - - if isinstance(from_peer, IpBlock): - egress_conns = PolicyConnections(captured=False, all_allowed_conns=ConnectionSet(True)) - else: - egress_conns = self._allowed_xgress_conns(from_peer, to_peer, False) - - captured_flag = ingress_conns.captured or egress_conns.captured - denied_conns = ingress_conns.denied_conns | egress_conns.denied_conns - allowed_conns = ingress_conns.all_allowed_conns & egress_conns.all_allowed_conns - # captured connections are where at least one of ingress / egress is captured - allowed_captured_conns = (ingress_conns.allowed_conns & egress_conns.all_allowed_conns) | \ - (egress_conns.allowed_conns & ingress_conns.all_allowed_conns) - - return allowed_conns, captured_flag, allowed_captured_conns, denied_conns - - def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def allowed_connections(self, peer_container, res_conns_filter=PolicyConnectionsFilter()): """ Compute per network layer the allowed connections between any relevant peers, considering all layer's policies (and defaults) @@ -184,11 +139,11 @@ def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyC :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with None value will not be calculated) :return: all allowed, denied and captured connections - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() - ingress_conns = self._allowed_xgress_conns_optimized(True, peer_container, res_conns_filter) - egress_conns = self._allowed_xgress_conns_optimized(False, peer_container, res_conns_filter) + res_conns = PolicyConnections() + ingress_conns = self._allowed_xgress_conns(True, peer_container, res_conns_filter) + egress_conns = self._allowed_xgress_conns(False, peer_container, res_conns_filter) all_pods_peer_set = peer_container.get_all_peers_group() all_ips_peer_set = IpBlock.get_all_ips_block_peer_set() if res_conns_filter.calc_all_allowed: @@ -209,51 +164,13 @@ def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyC (egress_conns.allowed_conns & ingress_conns.all_allowed_conns) return res_conns - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - """ - Implemented by derived classes to get allowed and denied ingress/egress connections between from_peer and to_pee - """ - return NotImplemented - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): """ Implemented by derived classes to get ingress/egress connections between any relevant peers - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ return NotImplemented - def collect_policies_conns(self, from_peer, to_peer, is_ingress, - captured_func=lambda policy: True): - """ - Collect allowed/denied/pass connections between two peers, considering all layer's policies that capture the - relevant peers. - :param Peer.Peer from_peer: the source peer - :param Peer.Peer to_peer: the dest peer - :param bool is_ingress: indicates whether to return ingress connections or egress connections - :param captured_func: callable that returns True if the policy satisfies additional conditions required for - considering the target pod as captured and not applying the default connections to it. - :return: (allowed_conns, denied_conns, pass_conns, captured_res) - :rtype: (ConnectionSet, ConnectionSet, ConnectionSet, bool) - """ - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - pass_conns = ConnectionSet() - captured_res = False - for policy in self.policies_list: - policy_conns = policy.allowed_connections(from_peer, to_peer, is_ingress) - if policy_conns.captured: - captured_res |= captured_func(policy) - policy_conns.denied_conns -= allowed_conns - policy_conns.denied_conns -= pass_conns - policy_conns.allowed_conns -= denied_conns - policy_conns.allowed_conns -= pass_conns - policy_conns.pass_conns -= denied_conns - policy_conns.pass_conns -= allowed_conns - denied_conns |= policy_conns.denied_conns - allowed_conns |= policy_conns.allowed_conns - pass_conns |= policy_conns.pass_conns - return allowed_conns, denied_conns, pass_conns, captured_res - def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda policy: True): """ Collect all connections (between all relevant peers), considering all layer's policies that capture the @@ -262,11 +179,11 @@ def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda poli :param captured_func: callable that returns True if the policy satisfies additional conditions required for considering captured pods instead of applying the default connections. :return: allowed_conns, denied_conns and set of peers to be added to captured peers - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() for policy in self.policies_list: - policy_conns = policy.allowed_connections_optimized(is_ingress) + policy_conns = policy.allowed_connections(is_ingress) if policy_conns.captured: # not empty if captured_func(policy): res_conns.captured |= policy_conns.captured @@ -285,25 +202,7 @@ def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda poli class K8sCalicoNetworkLayer(NetworkLayer): - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - allowed_conns, denied_conns, pass_conns, captured_res = self.collect_policies_conns(from_peer, to_peer, - is_ingress) - - allowed_non_captured_conns = ConnectionSet() - captured_peer_is_host_endpoint = (is_ingress and isinstance(to_peer, HostEP)) or \ - (not is_ingress and isinstance(from_peer, HostEP)) - if not captured_res and not captured_peer_is_host_endpoint: - # default Allow-all in k8s / calico - # (assuming only calico's default profiles for pods with connectivity rules exist) - # assuming host endpoints have no profiles - allowed_non_captured_conns = ConnectionSet(True) - elif pass_conns and not captured_peer_is_host_endpoint: - # assuming only default profiles generated by calico exist, which allow all for pods - allowed_conns |= pass_conns - return PolicyConnections(captured_res, allowed_conns, denied_conns, - all_allowed_conns=allowed_conns | allowed_non_captured_conns) - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): res_conns = self.collect_policies_conns_optimized(is_ingress) # Note: The below computation of non-captured conns cannot be done during the parse stage, # since before computing non-captured conns we should collect all policies conns @@ -356,23 +255,7 @@ def captured_cond_func(policy): return policy.action == GatewayPolicy.ActionType.Allow return True # only for Istio AuthorizationPolicy the captured condition is more refined with 'Allow' policies - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - # in istio applying default-allow if there is no capturing policy with action allow - - allowed_conns, denied_conns, _, captured_res = self.collect_policies_conns(from_peer, to_peer, is_ingress, - IstioNetworkLayer.captured_cond_func) - # for istio initialize non-captured conns with non-TCP connections - allowed_non_captured_conns = ConnectionSet.get_non_tcp_connections() - if not captured_res: # no allow policies for target - # add connections allowed by default that are not captured - allowed_non_captured_conns |= (ConnectionSet(True) - denied_conns) - # exception: update allowed non-captured conns to DNSEntry dst with TCP only - if isinstance(to_peer, DNSEntry): - allowed_non_captured_conns = ConnectionSet.get_all_tcp_connections() - denied_conns - return PolicyConnections(captured_res, allowed_conns, denied_conns, - all_allowed_conns=allowed_conns | allowed_non_captured_conns) - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): res_conns = self.collect_policies_conns_optimized(is_ingress, IstioNetworkLayer.captured_cond_func) if not res_conns_filter.calc_all_allowed: return res_conns diff --git a/nca/Parsers/CalicoPolicyYamlParser.py b/nca/Parsers/CalicoPolicyYamlParser.py index 672db2e47..1eb497b4d 100644 --- a/nca/Parsers/CalicoPolicyYamlParser.py +++ b/nca/Parsers/CalicoPolicyYamlParser.py @@ -11,7 +11,6 @@ from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.DimensionsManager import DimensionsManager -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy, CalicoPolicyRule from .GenericYamlParser import GenericYamlParser @@ -380,9 +379,7 @@ def _parse_icmp(self, icmp_data, not_icmp_data, protocol, src_pods, dst_pods): :param: str protocol: the ICMP-like protocol :param PeerSet src_pods: the source pods :param PeerSet dst_pods: the destination pods - :return: a tuple (ConnectivityProperties, ConnectivityProperties), - where the first ConnectivityProperties is an original-format ICMP connections, - and the second ConnectivityProperties is an optimized-format ICMP connections, including src and dst pods. + :return: a ConnectivityProperties, representing ICMP properties, including src and dst pods. :rtype: tuple (ConnectivityProperties, ConnectivityProperties) """ icmp_type = icmp_data.get('type') if icmp_data is not None else None @@ -413,41 +410,25 @@ def _parse_icmp(self, icmp_data, not_icmp_data, protocol, src_pods, dst_pods): not_conn_cube["icmp_type"] = not_icmp_type if not_icmp_code: not_conn_cube["icmp_code"] = not_icmp_code - opt_conn_cube = conn_cube.copy() - opt_not_conn_cube = not_conn_cube.copy() - if self.optimized_run != 'false': - opt_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) - opt_not_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) + conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) + not_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) - opt_props = ConnectivityProperties.make_empty_props() if icmp_data is not None: - res = ConnectivityProperties.make_conn_props(conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) + res_props = ConnectivityProperties.make_conn_props(conn_cube) if not_icmp_data is not None: if icmp_type == not_icmp_type and icmp_code == not_icmp_code: - res = ConnectivityProperties.make_empty_props() self.warning('icmp and notICMP are conflicting - no traffic will be matched', not_icmp_data) elif icmp_type == not_icmp_type and icmp_code is None: # this is the only case where it makes sense to combine icmp and notICMP - tmp = ConnectivityProperties.make_conn_props(not_conn_cube) - res -= tmp - if self.optimized_run != 'false': - tmp_opt_props = ConnectivityProperties.make_conn_props(opt_not_conn_cube) - opt_props -= tmp_opt_props + res_props -= ConnectivityProperties.make_conn_props(not_conn_cube) else: self.warning('notICMP has no effect', not_icmp_data) elif not_icmp_data is not None: - res = ConnectivityProperties.make_conn_props(conn_cube) - \ - ConnectivityProperties.make_conn_props(not_conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) - \ - ConnectivityProperties.make_conn_props(opt_not_conn_cube) + res_props = ConnectivityProperties.make_conn_props(conn_cube) - \ + ConnectivityProperties.make_conn_props(not_conn_cube) else: # no icmp_data or no_icmp_data; only protocol - res = ConnectivityProperties.make_conn_props(conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) - return res, opt_props + res_props = ConnectivityProperties.make_conn_props(conn_cube) + return res_props def _parse_protocol(self, protocol, rule): """ @@ -475,8 +456,8 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): :param bool is_ingress: Whether this is an ingress rule :param PeerSet policy_selected_eps: The endpoints the policy captured :param bool is_profile: Whether the parsed policy is a Profile object - :return: A tuple (CalicoPolicyRule, ConnectivityProperties) with the proper PeerSets, ConnectionSets and Action, - where ConnectivityProperties is an optimized rule format with protocols, src_peers and dst_peers in a HyperCubeSet + :return: A tuple (CalicoPolicyRule, ConnectivityProperties) with the proper PeerSets, connectivity properties + and Action :rtype: tuple(CalicoPolicyRule, ConnectivityProperties) """ allowed_keys = {'action': 1, 'protocol': 0, 'notProtocol': 0, 'icmp': 0, 'notICMP': 0, 'ipVersion': 0, @@ -490,7 +471,7 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): self.warning('Pass actions in Profile rules will be ignored', rule) protocol = self._parse_protocol(rule.get('protocol'), rule) - protocol_supports_ports = ConnectionSet.protocol_supports_ports(protocol) + protocol_supports_ports = ProtocolSet.protocol_supports_ports(protocol) not_protocol = self._parse_protocol(rule.get('notProtocol'), rule) src_entity_rule = rule.get('source') if src_entity_rule: @@ -511,7 +492,6 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): else: src_res_pods &= policy_selected_eps - connections = ConnectionSet() conn_props = ConnectivityProperties.make_empty_props() if protocol is not None: protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) @@ -522,68 +502,33 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): self.warning('notProtocol field has no effect', rule) else: if protocol_supports_ports: - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - connections.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - if self.optimized_run != 'false': - conn_cube.update({"protocols": protocols, "src_peers": src_res_pods, "dst_peers": dst_res_pods}) - conn_props = ConnectivityProperties.make_conn_props(conn_cube) - elif ConnectionSet.protocol_is_icmp(protocol): - icmp_props, conn_props = self._parse_icmp(rule.get('icmp'), rule.get('notICMP'), - protocol, src_res_pods, dst_res_pods) - connections.add_connections(protocol, icmp_props) + conn_props = ConnectivityProperties.make_conn_props_from_dict( + {"src_ports": src_res_ports, "dst_ports": dst_res_ports, "protocols": protocols, + "src_peers": src_res_pods, "dst_peers": dst_res_pods}) + elif ProtocolSet.protocol_is_icmp(protocol): + conn_props = self._parse_icmp(rule.get('icmp'), rule.get('notICMP'), protocol, + src_res_pods, dst_res_pods) else: - connections.add_connections(protocol, True) - if self.optimized_run != 'false': - conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, - "src_peers": src_res_pods, - "dst_peers": dst_res_pods}) + conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, + "src_peers": src_res_pods, + "dst_peers": dst_res_pods}) elif not_protocol is not None: - connections.add_all_connections() - connections.remove_protocol(not_protocol) - if self.optimized_run != 'false' and src_res_pods and dst_res_pods: + if src_res_pods and dst_res_pods: protocols = ProtocolSet(True) protocols.remove_protocol(not_protocol) conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, "src_peers": src_res_pods, "dst_peers": dst_res_pods}) else: - connections.allow_all = True - if self.optimized_run != 'false': - conn_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_res_pods, - "dst_peers": dst_res_pods}) - self._verify_named_ports(rule, dst_res_pods, connections) + conn_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_res_pods, + "dst_peers": dst_res_pods}) if not src_res_pods and policy_selected_eps and (is_ingress or not is_profile): self.warning('Rule selects no source endpoints', rule) if not dst_res_pods and policy_selected_eps and (not is_ingress or not is_profile): self.warning('Rule selects no destination endpoints', rule) - return CalicoPolicyRule(src_res_pods, dst_res_pods, connections, action, conn_props) - - def _verify_named_ports(self, rule, rule_eps, rule_conns): - """ - Check the validity of named ports in a given rule: whether a relevant ep refers to the named port and whether - the protocol defined in the policy matches the protocol defined by the ep. Issue warnings as required. - :param dict rule: The unparsed rule (for reference in warnings) - :param Peer.PeerSet rule_eps: The set of eps in which the named ports should be defined - :param ConnectionSet rule_conns: The rule-specified connections, possibly containing named ports - :return: None - """ - if not rule_conns.has_named_ports(): - return - named_ports = rule_conns.get_named_ports() - for protocol, rule_ports in named_ports: - for port in rule_ports: - port_used = False - for pod in rule_eps: - pod_named_port = pod.get_named_ports().get(port) - if pod_named_port: - port_used = True - if ProtocolNameResolver.get_protocol_number(pod_named_port[1]) != protocol: - self.warning(f'Protocol mismatch for named port {port} (vs. Pod {pod.full_name()})', rule) - - if not port_used: - self.warning(f'Named port {port} is not defined in any selected pod', rule) + return CalicoPolicyRule(src_res_pods, dst_res_pods, action, conn_props) def _apply_extra_labels(self, policy_spec, is_profile, profile_name): """ @@ -667,7 +612,7 @@ def _get_selected_peers(self, policy_spec, is_profile, policy_name): def parse_policy(self): """ Parses the input object to create a CalicoNetworkPolicy object - :return: a CalicoNetworkPolicy object with proper PeerSets, ConnectionSets and Actions + :return: a CalicoNetworkPolicy object with proper PeerSets, connectivity properties and Actions :rtype: CalicoNetworkPolicy """ policy_name, policy_ns = \ diff --git a/nca/Parsers/GenericGatewayYamlParser.py b/nca/Parsers/GenericGatewayYamlParser.py index 33b354071..85c1c2dd9 100644 --- a/nca/Parsers/GenericGatewayYamlParser.py +++ b/nca/Parsers/GenericGatewayYamlParser.py @@ -10,7 +10,6 @@ from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicyRule from .GenericYamlParser import GenericYamlParser @@ -78,8 +77,6 @@ def _make_allow_rules(conn_props, src_peers): :param PeerSet src_peers: the source peers to add to optimized props :return: the list of IngressPolicyRules """ - assert not conn_props.named_ports - assert not conn_props.excluded_named_ports res = [] assert not conn_props.is_active_dimension("src_peers") # extract dst_peers dimension from cubes @@ -91,10 +88,7 @@ def _make_allow_rules(conn_props, src_peers): rule_opt_props = ConnectivityProperties.make_conn_props(conn_cube) dst_peer_set = new_conn_cube["dst_peers"] new_conn_cube.unset_dim("dst_peers") - new_props = ConnectivityProperties.make_conn_props(new_conn_cube) - new_conns = ConnectionSet() - new_conns.add_connections('TCP', new_props) - res.append(GatewayPolicyRule(dst_peer_set, new_conns, rule_opt_props)) + res.append(GatewayPolicyRule(dst_peer_set, rule_opt_props)) return res @staticmethod diff --git a/nca/Parsers/IstioGatewayPolicyGenerator.py b/nca/Parsers/IstioGatewayPolicyGenerator.py index 5579b67db..c9cdd9619 100644 --- a/nca/Parsers/IstioGatewayPolicyGenerator.py +++ b/nca/Parsers/IstioGatewayPolicyGenerator.py @@ -7,7 +7,6 @@ from nca.CoreDS.MinDFA import MinDFA from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicy, GatewayPolicyRule from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy @@ -212,14 +211,12 @@ def create_allow_rule(self, source_peers, dest, this_route_conn_cube, is_ingress """ conn_cube = this_route_conn_cube.copy() conn_cube["dst_ports"] = dest.ports - conns = ConnectionSet() - conns.add_connections(self.protocol_name, ConnectivityProperties.make_conn_props(conn_cube)) conn_cube.update({"src_peers": source_peers, "dst_peers": dest.pods, "protocols": self.protocols}) opt_props = ConnectivityProperties.make_conn_props(conn_cube) if is_ingress: - return GatewayPolicyRule(source_peers, conns, opt_props) + return GatewayPolicyRule(source_peers, opt_props) else: - return GatewayPolicyRule(dest.pods, conns, opt_props) + return GatewayPolicyRule(dest.pods, opt_props) @staticmethod def create_deny_rule(source_peers, dst_peers): @@ -229,7 +226,7 @@ def create_deny_rule(source_peers, dst_peers): """ opt_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": source_peers, "dst_peers": dst_peers}) - return GatewayPolicyRule(dst_peers, ConnectionSet(True), opt_props) + return GatewayPolicyRule(dst_peers, opt_props) def create_gtw_to_mesh_and_deny_policies(self, vs, route, route_cnt, gtw_to_hosts, used_gateways): """ diff --git a/nca/Parsers/IstioPolicyYamlParser.py b/nca/Parsers/IstioPolicyYamlParser.py index 9beeb507f..e70302767 100644 --- a/nca/Parsers/IstioPolicyYamlParser.py +++ b/nca/Parsers/IstioPolicyYamlParser.py @@ -7,7 +7,6 @@ from nca.CoreDS.MinDFA import MinDFA from nca.CoreDS.DimensionsManager import DimensionsManager from nca.CoreDS.Peer import IpBlock, PeerSet -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.MethodSet import MethodSet @@ -465,8 +464,7 @@ def parse_ingress_rule(self, rule, selected_peers): Parse a single ingress rule, producing a IstioPolicyRule. :param dict rule: The dict with the rule fields :param PeerSet selected_peers: The selected peers of the policy - :return: A tuple (IstioPolicyRule, ConnectivityProperties) with the proper PeerSet and ConnectionSet, - where ConnectivityProperties is an optimized rule format in a HyperCubeSet format + :return: A tuple (IstioPolicyRule, ConnectivityProperties) with the proper PeerSet and connectivity properties :rtype: tuple(IstioPolicyRule, ConnectivityProperties) """ if rule is None: @@ -495,11 +493,8 @@ def parse_ingress_rule(self, rule, selected_peers): if to_array is not None: for operation_dict in to_array: conn_props |= self.parse_operation(operation_dict) - connections = ConnectionSet() - connections.add_connections('TCP', conn_props) conn_props &= tcp_props else: # no 'to' in the rule => all connections allowed - connections = ConnectionSet(True) conn_props = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container) # condition possible result value: @@ -507,7 +502,6 @@ def parse_ingress_rule(self, rule, selected_peers): # should update either res_pods or condition_props according to the condition condition_array = rule.get('when') # this array can be empty (unlike 'to' and 'from') # the combined condition ("AND" of all conditions) should be applied - condition_conns = ConnectionSet(True) condition_props = ConnectivityProperties.make_all_props() if condition_array is not None: for condition in condition_array: @@ -516,8 +510,6 @@ def parse_ingress_rule(self, rule, selected_peers): res_peers &= condition_res elif isinstance(condition_res, ConnectivityProperties): condition_props &= condition_res - condition_conns = ConnectionSet() - condition_conns.add_connections('TCP', condition_props) condition_props &= tcp_props if not res_peers: self.warning('Rule selects no pods', rule) @@ -526,9 +518,8 @@ def parse_ingress_rule(self, rule, selected_peers): else: condition_props &= ConnectivityProperties.make_conn_props_from_dict({"src_peers": res_peers, "dst_peers": selected_peers}) - connections &= condition_conns conn_props &= condition_props - return IstioPolicyRule(res_peers, connections, conn_props) + return IstioPolicyRule(res_peers, conn_props) @staticmethod def parse_policy_action(action): @@ -545,7 +536,7 @@ def parse_policy_action(action): def parse_policy(self): """ Parses the input object to create a IstioNetworkPolicy object - :return: a IstioNetworkPolicy object with proper PeerSets and ConnectionSets + :return: a IstioNetworkPolicy object with proper PeerSets and connectivity properties :rtype: IstioNetworkPolicy """ policy_name, policy_ns = self.parse_generic_yaml_objects_fields(self.policy, ['AuthorizationPolicy'], diff --git a/nca/Parsers/K8sPolicyYamlParser.py b/nca/Parsers/K8sPolicyYamlParser.py index 8b4e5737f..563006860 100644 --- a/nca/Parsers/K8sPolicyYamlParser.py +++ b/nca/Parsers/K8sPolicyYamlParser.py @@ -5,7 +5,6 @@ import re from nca.CoreDS import Peer -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @@ -330,57 +329,27 @@ def parse_ingress_egress_rule(self, rule, peer_array_key, policy_selected_pods): src_pods = policy_selected_pods dst_pods = res_pods - res_opt_props = ConnectivityProperties.make_empty_props() + res_props = ConnectivityProperties.make_empty_props() ports_array = rule.get('ports', []) if ports_array: - res_conns = ConnectionSet() for port in ports_array: protocol, dest_port_set = self.parse_port(port) if isinstance(protocol, str): protocol = ProtocolNameResolver.get_protocol_number(protocol) - conn_cube = ConnectivityCube.make_from_dict({"dst_ports": dest_port_set}) # K8s doesn't reason about src ports - res_conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - if self.optimized_run != 'false' and src_pods and dst_pods: + if src_pods and dst_pods: protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) - conn_cube.update({"protocols": protocols, "src_peers": src_pods, "dst_peers": dst_pods}) - conn_props = ConnectivityProperties.make_conn_props(conn_cube) - res_opt_props |= conn_props + conn_props = ConnectivityProperties.make_conn_props_from_dict( + {"dst_ports": dest_port_set, "protocols": protocols, "src_peers": src_pods, + "dst_peers": dst_pods}) + res_props |= conn_props else: - res_conns = ConnectionSet(True) - if self.optimized_run != 'false': - res_opt_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, - "dst_peers": dst_pods}) + res_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, + "dst_peers": dst_pods}) if not res_pods: self.warning('Rule selects no pods', rule) - return K8sPolicyRule(res_pods, res_conns, res_opt_props) - - def verify_named_ports(self, rule, rule_pods, rule_conns): - """ - Check the validity of named ports in a given rule: whether a relevant pod refers to the named port and whether - the protocol defined in the policy matches the protocol defined by the Pod. Issue warnings as required. - :param dict rule: The unparsed rule (for reference in warnings) - :param Peer.PeerSet rule_pods: The set of Pods in which the named ports should be defined - :param ConnectionSet rule_conns: The rule-specified connections, possibly containing named ports - :return: None - """ - if not rule_conns.has_named_ports(): - return - named_ports = rule_conns.get_named_ports() - for protocol, rule_ports in named_ports: - for port in rule_ports: - port_used = False - for pod in rule_pods: - pod_named_port = pod.named_ports.get(port) - if pod_named_port: - port_used = True - if ProtocolNameResolver.get_protocol_number(pod_named_port[1]) != protocol: - self.warning(f'Protocol mismatch for named port {port} (vs. Pod {pod.full_name()})', - rule['ports']) - - if not port_used: - self.warning(f'Named port {port} is not defined in any selected pod', rule['ports']) + return K8sPolicyRule(res_pods, res_props) def parse_ingress_rule(self, rule, policy_selected_pods): """ @@ -393,7 +362,6 @@ def parse_ingress_rule(self, rule, policy_selected_pods): :rtype: tuple(K8sPolicyRule, ConnectivityProperties) """ res_rule = self.parse_ingress_egress_rule(rule, 'from', policy_selected_pods) - self.verify_named_ports(rule, policy_selected_pods, res_rule.port_set) return res_rule def parse_egress_rule(self, rule, policy_selected_pods): @@ -407,13 +375,12 @@ def parse_egress_rule(self, rule, policy_selected_pods): :rtype: tuple(K8sPolicyRule, ConnectivityProperties) """ res_rule = self.parse_ingress_egress_rule(rule, 'to', policy_selected_pods) - self.verify_named_ports(rule, res_rule.peer_set, res_rule.port_set) return res_rule def parse_policy(self): """ Parses the input object to create a K8sNetworkPolicy object - :return: a K8sNetworkPolicy object with proper PeerSets and ConnectionSets + :return: a K8sNetworkPolicy object with proper PeerSets and connectivity properties :rtype: K8sNetworkPolicy """ policy_name, policy_ns = self.parse_generic_yaml_objects_fields(self.policy, ['NetworkPolicy'], diff --git a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py index 38570d534..e8ec4ff00 100644 --- a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py +++ b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py @@ -4,10 +4,9 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS import Peer -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from .NetworkPolicy import PolicyConnections, NetworkPolicy class CalicoPolicyRule: @@ -23,24 +22,23 @@ class ActionType(Enum): Log = 2 Pass = 3 - def __init__(self, src_peers, dst_peers, connections, action, opt_props): + def __init__(self, src_peers, dst_peers, action, props): """ :param Peer.PeerSet src_peers: The source peers this rule refers to :param Peer.PeerSet dst_peers: The destination peers this rule refers to - :param ConnectionSet connections: The connections allowed/denied/passed by this rule :param ActionType action: The rule action + :param ConnectivityProperties props: the connectivity properties represented by this rule """ self.src_peers = src_peers self.dst_peers = dst_peers - self.connections = connections self.action = action - self.optimized_props = opt_props + self.props = props # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props_copy = ConnectivityProperties() def __eq__(self, other): return self.src_peers == other.src_peers and self.dst_peers == other.dst_peers and \ - self.connections == other.connections and self.action == other.action + self.props == other.props and self.action == other.action def contained_in(self, other): """ @@ -49,7 +47,7 @@ def contained_in(self, other): :rtype: bool """ return self.src_peers.issubset(other.src_peers) and self.dst_peers.issubset(other.dst_peers) and \ - self.connections.contained_in(other.connections) + self.props.contained_in(other.props) @staticmethod def action_str_to_action_type(action_str): @@ -85,82 +83,42 @@ def __eq__(self, other): def _update_opt_props_by_order(self, is_ingress): # handle the order of rules for rule in self.ingress_rules if is_ingress else self.egress_rules: - props = rule.optimized_props.copy() + props = rule.props.copy() if rule.action == CalicoPolicyRule.ActionType.Allow: - props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props - props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props + props -= self._deny_ingress_props if is_ingress else self._deny_egress_props + props -= self._pass_ingress_props if is_ingress else self._pass_egress_props if is_ingress: - self._optimized_allow_ingress_props |= props + self._allow_ingress_props |= props else: - self._optimized_allow_egress_props |= props + self._allow_egress_props |= props elif rule.action == CalicoPolicyRule.ActionType.Deny: - props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props - props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props + props -= self._allow_ingress_props if is_ingress else self._allow_egress_props + props -= self._pass_ingress_props if is_ingress else self._pass_egress_props if is_ingress: - self._optimized_deny_ingress_props |= props + self._deny_ingress_props |= props else: - self._optimized_deny_egress_props |= props + self._deny_egress_props |= props elif rule.action == CalicoPolicyRule.ActionType.Pass: - props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props - props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props + props -= self._allow_ingress_props if is_ingress else self._allow_egress_props + props -= self._deny_ingress_props if is_ingress else self._deny_egress_props if is_ingress: - self._optimized_pass_ingress_props |= props + self._pass_ingress_props |= props else: - self._optimized_pass_egress_props |= props + self._pass_egress_props |= props - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), + If optimized props of the policy are not synchronized (self.props_in_sync is False), compute optimized props of the policy according to the optimized props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() self._update_opt_props_by_order(True) self._update_opt_props_by_order(False) - self.optimized_props_in_sync = True + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - pass_conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - for rule in rules: - if from_peer in rule.src_peers and to_peer in rule.dst_peers: - rule_conns = rule.connections.copy() # we need a copy because convert_named_ports is destructive - rule_conns.convert_named_ports(to_peer.get_named_ports()) - - if rule.action == CalicoPolicyRule.ActionType.Allow: - rule_conns -= denied_conns - rule_conns -= pass_conns - allowed_conns |= rule_conns - elif rule.action == CalicoPolicyRule.ActionType.Deny: - rule_conns -= allowed_conns - rule_conns -= pass_conns - denied_conns |= rule_conns - elif rule.action == CalicoPolicyRule.ActionType.Pass: - rule_conns -= allowed_conns - rule_conns -= denied_conns - pass_conns |= rule_conns - else: - pass # Nothing to do for Log action - does not affect connectivity - - return PolicyConnections(True, allowed_conns, denied_conns, pass_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this policy allows/denies/passes between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only @@ -169,16 +127,16 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() - res_conns.pass_conns = self.optimized_pass_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() + res_conns.pass_conns = self.pass_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() - res_conns.pass_conns = self.optimized_pass_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() + res_conns.pass_conns = self.pass_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet() return res_conns @@ -204,25 +162,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): res.add_ingress_rule(rule) return res - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = Peer.PeerSet() - for rule in self.egress_rules: - for peer in rule.dst_peers: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - for rule in self.ingress_rules: - for peer in rule.src_peers: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/GatewayPolicy.py b/nca/Resources/PolicyResources/GatewayPolicy.py index f48815e29..e09fdd3be 100644 --- a/nca/Resources/PolicyResources/GatewayPolicy.py +++ b/nca/Resources/PolicyResources/GatewayPolicy.py @@ -4,30 +4,27 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import PeerSet -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy class GatewayPolicyRule: """ A class representing a single rule in a GatewayPolicy object """ - def __init__(self, peer_set, connections, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection to - :param ConnectionSet connections: The set of connections allowed by this rule - :param ConnectivityProperties opt_props: the optimized connections + :param ConnectivityProperties props: the connections """ self.peer_set = peer_set - self.connections = connections - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.connections == other.connections + return self.peer_set == other.peer_set and self.props == other.props def contained_in(self, other): """ @@ -35,7 +32,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.connections.contained_in(other.connections) + return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) class GatewayPolicy(NetworkPolicy): @@ -94,70 +91,42 @@ def add_egress_rules(self, rules): """ self.egress_rules.extend(rules) - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: if self.action == GatewayPolicy.ActionType.Allow: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props elif self.action == GatewayPolicy.ActionType.Deny: - self._optimized_deny_ingress_props |= rule.optimized_props + self._deny_ingress_props |= rule.props for rule in self.egress_rules: if self.action == GatewayPolicy.ActionType.Allow: - self._optimized_allow_egress_props |= rule.optimized_props + self._allow_egress_props |= rule.props elif self.action == GatewayPolicy.ActionType.Deny: - self._optimized_deny_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._deny_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this gateway policy allows between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only. - :return: A PolicyConnections object containing sets of allowed/denied connections - :rtype: PolicyConnections - """ - - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - other_peer = from_peer if is_ingress else to_peer - for rule in rules: - if other_peer in rule.peer_set: - assert not rule.connections.has_named_ports() - conns |= rule.connections - - if self.action == self.ActionType.Allow: - return PolicyConnections(True, allowed_conns=conns) - else: # Deny - return PolicyConnections(True, denied_conns=conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this ingress resource allows between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only. :return: A OptimizedPolicyConnections object containing all allowed/denied connections for any peers and the peer set of captured peers by this policy. - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else PeerSet() return res_conns diff --git a/nca/Resources/PolicyResources/IstioNetworkPolicy.py b/nca/Resources/PolicyResources/IstioNetworkPolicy.py index 54b29a487..2ca99c273 100644 --- a/nca/Resources/PolicyResources/IstioNetworkPolicy.py +++ b/nca/Resources/PolicyResources/IstioNetworkPolicy.py @@ -4,10 +4,9 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import PeerSet, IpBlock -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.CoreDS.Peer import PeerSet +from .NetworkPolicy import PolicyConnections, NetworkPolicy class IstioPolicyRule: @@ -15,20 +14,18 @@ class IstioPolicyRule: A class representing a single ingress rule in a Istio AuthorizationPolicy object """ - def __init__(self, peer_set, connections, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection from - :param ConnectionSet connections: The set of connections allowed/denied by this rule (the action resides in the policy) + :param ConnectivityProperties props: the connections """ - # TODO: extend connections (ConnectionSet) to represent HTTP/grpc requests attributes self.peer_set = peer_set - self.connections = connections - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.connections == other.connections + return self.peer_set == other.peer_set and self.props == other.props def contained_in(self, other): """ @@ -36,7 +33,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.connections.contained_in(other.connections) + return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) class IstioNetworkPolicy(NetworkPolicy): @@ -68,52 +65,24 @@ def __lt__(self, other): # required so we can evaluate the policies according t return self.action == IstioNetworkPolicy.ActionType.Deny return False - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the optimized props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: if self.action == IstioNetworkPolicy.ActionType.Allow: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props elif self.action == IstioNetworkPolicy.ActionType.Deny: - self._optimized_deny_ingress_props |= rule.optimized_props + self._deny_ingress_props |= rule.props self._optimized_allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() - self.optimized_props_in_sync = True + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - - # TODO: currently not handling egress, istio authorization policies have no egress rules - if not is_ingress: - return PolicyConnections(False, ConnectionSet(True)) - - captured = to_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - - collected_conns = allowed_conns if self.action == IstioNetworkPolicy.ActionType.Allow else denied_conns - for rule in self.ingress_rules: - if from_peer in rule.peer_set: - collected_conns |= rule.connections - - return PolicyConnections(True, allowed_conns, denied_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this policy allows/denied/passed between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only @@ -122,31 +91,17 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = self.selected_peers else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = PeerSet() return res_conns - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = PeerSet() - for rule in self.ingress_rules: - for peer in rule.peer_set: - if isinstance(peer, IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/IstioSidecar.py b/nca/Resources/PolicyResources/IstioSidecar.py index 9555c49c6..37f1d6068 100644 --- a/nca/Resources/PolicyResources/IstioSidecar.py +++ b/nca/Resources/PolicyResources/IstioSidecar.py @@ -5,11 +5,10 @@ from dataclasses import dataclass from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.CoreDS.Peer import IpBlock, PeerSet, DNSEntry +from nca.CoreDS.Peer import IpBlock, PeerSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy @dataclass @@ -29,9 +28,9 @@ def __init__(self, peer_set, peers_for_ns_compare): self.special_egress_peer_set = peers_for_ns_compare # set of peers captured by a global sidecar with hosts of # './' form - then peers in this set will be in allowed connections only if are in the same namespace of the # source peer captured by the sidecar - self.optimized_props = ConnectivityProperties() - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = ConnectivityProperties() + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() class IstioSidecar(NetworkPolicy): @@ -51,63 +50,28 @@ def __init__(self, name, namespace): def __eq__(self, other): return super().__eq__(other) and self.default_sidecar == other.default_sidecar - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() - self._optimized_allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() + self._init_props() + self._allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() for rule in self.egress_rules: - self._optimized_allow_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._allow_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - # currently not handling ingress - if is_ingress: - return PolicyConnections(False, ConnectionSet(True)) - - captured = from_peer in self.selected_peers - # if not captured, or captured but the sidecar is not in from_peer top priority, don't consider connections - if not captured: - return PolicyConnections(False) - - # connections to IP-block is enabled only if the outbound mode is allow-any (disabled for registry only) - if isinstance(to_peer, IpBlock) and self.outbound_mode == IstioSidecar.OutboundMode.ALLOW_ANY: - return PolicyConnections(True, allowed_conns=ConnectionSet(True)) - - # since sidecar rules include only peer sets for now, if a to_peer appears in any rule then connections allowed - for rule in self.egress_rules: - if isinstance(to_peer, DNSEntry) and \ - (to_peer in rule.egress_peer_set or to_peer in rule.special_egress_peer_set): - return PolicyConnections(True, allowed_conns=ConnectionSet.get_all_tcp_connections()) - if to_peer in rule.egress_peer_set or \ - (to_peer in rule.special_egress_peer_set and from_peer.namespace == to_peer.namespace): - return PolicyConnections(True, allowed_conns=ConnectionSet(True)) - - # egress from from_peer to to_peer is not allowed : if to_peer not been captured in the rules' egress_peer_set, - # or if the sidecar is global and to_peer is not in same namespace of from_peer while rule host's ns is '.' - return PolicyConnections(True, allowed_conns=ConnectionSet()) - - def allowed_connections_optimized(self, is_ingress): - res_conns = OptimizedPolicyConnections() + def allowed_connections(self, is_ingress): + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else PeerSet() return res_conns @@ -169,7 +133,7 @@ def create_opt_egress_props(self, peer_container): # connections to IP-block is enabled only if the outbound mode is allow-any (disabled for registry only) if self.outbound_mode == IstioSidecar.OutboundMode.ALLOW_ANY: ip_blocks = IpBlock.get_all_ips_block_peer_set() - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": ip_blocks}) @@ -177,19 +141,19 @@ def create_opt_egress_props(self, peer_container): dst_dns_entries = dns_entries & (rule.egress_peer_set | rule.special_egress_peer_set) if self.selected_peers and dst_dns_entries: protocols = ProtocolSet.get_protocol_set_with_single_protocol('TCP') - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": dst_dns_entries, "protocols": protocols}) if self.selected_peers and rule.egress_peer_set: - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": rule.egress_peer_set}) peers_sets_by_ns = self.combine_peer_sets_by_ns(self.selected_peers, rule.special_egress_peer_set, peer_container) for (from_peers, to_peers) in peers_sets_by_ns: if from_peers and to_peers: - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": from_peers, "dst_peers": to_peers}) diff --git a/nca/Resources/PolicyResources/K8sNetworkPolicy.py b/nca/Resources/PolicyResources/K8sNetworkPolicy.py index bee0f242b..887487d56 100644 --- a/nca/Resources/PolicyResources/K8sNetworkPolicy.py +++ b/nca/Resources/PolicyResources/K8sNetworkPolicy.py @@ -2,29 +2,27 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS import Peer -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from .NetworkPolicy import PolicyConnections, NetworkPolicy class K8sPolicyRule: """ A class representing a single ingress/egress rule in a K8s NetworkPolicy object """ - def __init__(self, peer_set, port_set, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection to/from - :param ConnectionSet port_set: The set of connections allowed by this rule + :param ConnectivityProperties props: the connections """ self.peer_set = peer_set - self.port_set = port_set - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.port_set == other.port_set + return self.peer_set == other.peer_set and self.props == other.props def contained_in(self, other): """ @@ -32,54 +30,28 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.port_set.contained_in(other.port_set) + return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) class K8sNetworkPolicy(NetworkPolicy): """ This class implements K8s-specific logic for NetworkPolicies """ - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props for rule in self.egress_rules: - self._optimized_allow_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._allow_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows between two peers - (either the allowed ingress into to_peer or the allowed egress from from_peer). - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed connections - :rtype: PolicyConnections - """ - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - other_peer = from_peer if is_ingress else to_peer - for rule in rules: - if other_peer in rule.peer_set: - rule_conns = rule.port_set.copy() # we need a copy because convert_named_ports is destructive - rule_conns.convert_named_ports(to_peer.get_named_ports()) - allowed_conns |= rule_conns - - return PolicyConnections(True, allowed_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Return the set of connections this policy allows between any two peers (either ingress or egress). @@ -89,12 +61,12 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet() return res_conns @@ -119,25 +91,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): res.add_ingress_rule(rule) return res - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = Peer.PeerSet() - for rule in self.egress_rules: - for peer in rule.peer_set: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - for rule in self.ingress_rules: - for peer in rule.peer_set: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/NetworkPolicy.py b/nca/Resources/PolicyResources/NetworkPolicy.py index 1d3a45959..1e64abbb9 100644 --- a/nca/Resources/PolicyResources/NetworkPolicy.py +++ b/nca/Resources/PolicyResources/NetworkPolicy.py @@ -5,7 +5,6 @@ from enum import Enum from dataclasses import dataclass -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @@ -55,12 +54,12 @@ def __init__(self, name, namespace): self.ingress_rules = [] self.egress_rules = [] - # The flag below is used for lazy calculation of optimized policy connections (as a union of rules connections) + # The flag below is used for lazy calculation of policy connections (as a union of rules connections) # The flag is set to False for new policies (including in redundancy query, when removing a rule from policy by # creating a new policy with a subset of rules), or after changing peers domains (per query). - # When this flag is False, the sync_opt_props function will (re)calculate optimized policy connections. - self.optimized_props_in_sync = False - self._init_opt_props() + # When this flag is False, the sync_props function will (re)calculate policy connections. + self.props_in_sync = False + self._init_props() self.affects_ingress = False # whether the policy affects the ingress of the selected peers self.affects_egress = False # whether the policy affects the egress of the selected peers @@ -70,46 +69,46 @@ def __init__(self, name, namespace): self.has_ipv6_addresses = False # whether the policy referenced ip addresses (by user) # if this flag is False, excluding ipv6 addresses from the query results will be enabled - def _init_opt_props(self): + def _init_props(self): """ The members below are used for lazy evaluation of policy connectivity properties. NOTE: THEY CANNOT BE ACCESSED DIRECTLY, ONLY BY 'GETTER' METHODS BELOW! """ - self._optimized_allow_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_deny_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_pass_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_allow_egress_props = ConnectivityProperties.make_empty_props() - self._optimized_deny_egress_props = ConnectivityProperties.make_empty_props() - self._optimized_pass_egress_props = ConnectivityProperties.make_empty_props() + self._allow_ingress_props = ConnectivityProperties.make_empty_props() + self._deny_ingress_props = ConnectivityProperties.make_empty_props() + self._pass_ingress_props = ConnectivityProperties.make_empty_props() + self._allow_egress_props = ConnectivityProperties.make_empty_props() + self._deny_egress_props = ConnectivityProperties.make_empty_props() + self._pass_egress_props = ConnectivityProperties.make_empty_props() - def optimized_allow_ingress_props(self): - self.sync_opt_props() - return self._optimized_allow_ingress_props + def allow_ingress_props(self): + self.sync_props() + return self._allow_ingress_props - def optimized_deny_ingress_props(self): - self.sync_opt_props() - return self._optimized_deny_ingress_props + def deny_ingress_props(self): + self.sync_props() + return self._deny_ingress_props - def optimized_pass_ingress_props(self): - self.sync_opt_props() - return self._optimized_pass_ingress_props + def pass_ingress_props(self): + self.sync_props() + return self._pass_ingress_props - def optimized_allow_egress_props(self): - self.sync_opt_props() - return self._optimized_allow_egress_props + def allow_egress_props(self): + self.sync_props() + return self._allow_egress_props - def optimized_deny_egress_props(self): - self.sync_opt_props() - return self._optimized_deny_egress_props + def deny_egress_props(self): + self.sync_props() + return self._deny_egress_props - def optimized_pass_egress_props(self): - self.sync_opt_props() - return self._optimized_pass_egress_props + def pass_egress_props(self): + self.sync_props() + return self._pass_egress_props - def sync_opt_props(self): + def sync_props(self): """ - Implemented by derived policies to compute optimized props of the policy according to the optimized props - of its rules, in case optimized props are not currently synchronized. + Implemented by derived policies to compute props of the policy according to the props + of its rules, in case props are not currently synchronized. """ return NotImplemented @@ -118,8 +117,8 @@ def __str__(self): def __eq__(self, other): if isinstance(self, type(other)): - self.sync_opt_props() - other.sync_opt_props() + self.sync_props() + other.sync_props() return \ self.name == other.name and \ self.namespace == other.namespace and \ @@ -128,12 +127,12 @@ def __eq__(self, other): self.selected_peers == other.selected_peers and \ self.ingress_rules == other.ingress_rules and \ self.egress_rules == other.egress_rules and \ - self._optimized_allow_ingress_props == other._optimized_allow_ingress_props and \ - self._optimized_deny_ingress_props == other._optimized_deny_ingress_props and \ - self._optimized_pass_ingress_props == other._optimized_pass_ingress_props and \ - self._optimized_allow_egress_props == other._optimized_allow_egress_props and \ - self._optimized_deny_egress_props == other._optimized_deny_egress_props and \ - self._optimized_pass_egress_props == other._optimized_pass_egress_props + self._allow_ingress_props == other._allow_ingress_props and \ + self._deny_ingress_props == other._deny_ingress_props and \ + self._pass_ingress_props == other._pass_ingress_props and \ + self._allow_egress_props == other._allow_egress_props and \ + self._deny_egress_props == other._deny_egress_props and \ + self._pass_egress_props == other._pass_egress_props return False def __lt__(self, other): # required so we can evaluate the policies according to their order @@ -187,37 +186,37 @@ def add_egress_rule(self, rule): """ self.egress_rules.append(rule) - def reorganize_opt_props_by_new_domains(self): + def reorganize_props_by_new_domains(self): """ This method is called to allow reduction of src_peers/dst_peers to inactive dimensions - in optimized properties of every rule. It is called when running in a context of a certain query + in properties of every rule. It is called when running in a context of a certain query and after updating the domain accordingly in DimensionsManager. - It also saves a copy of the optimized connectivity properties before reduction, to allow restoring to + It also saves a copy of the connectivity properties before reduction, to allow restoring to these values after the query's run. Note: there is an assumption that rules of all derived policies have - optimized_props and optimized_props_copy members + props and props_copy members """ for rule in self.ingress_rules + self.egress_rules: - if not rule.optimized_props_copy: + if not rule.props_copy: # to avoid calling with the same rule multiple times - rule.optimized_props_copy = rule.optimized_props.copy() - rule.optimized_props.reduce_active_dimensions() - self.optimized_props_in_sync = False + rule.props_copy = rule.props.copy() + rule.props.reduce_active_dimensions() + self.props_in_sync = False - def restore_opt_props(self): + def restore_props(self): """ - This method is called to restore optimized connectivity properties of every rule to their original values, + This method is called to restore connectivity properties of every rule to their original values, before the reduction of src_peers/dst_peers dimensions, s.t. the values of those dimensions will be with respect to the "full" default domain of these dimensions. Note: there is an assumption that rules of all derived policies have - optimized_props and optimized_props_copy members + props and props_copy members """ for rule in self.ingress_rules + self.egress_rules: - if rule.optimized_props_copy: + if rule.props_copy: # to avoid calling with the same rule multiple times - rule.optimized_props = rule.optimized_props_copy - rule.optimized_props_copy = ConnectivityProperties() - self.optimized_props_in_sync = False + rule.props = rule.props_copy + rule.props_copy = ConnectivityProperties() + self.props_in_sync = False @staticmethod def get_policy_type_from_dict(policy): # noqa: C901 @@ -316,28 +315,6 @@ def egress_rule_containing(self, other_policy, other_egress_rule_index): return self.rule_containing(other_policy, other_policy.egress_rules[other_egress_rule_index - 1], other_egress_rule_index, self.egress_rules) - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - Returns ip blocks referenced by this policy, or empty PeerSet - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: PeerSet of the referenced ip blocks - """ - return PeerSet() # default value, can be overridden in derived classes - - @staticmethod - def _include_ip_block(ip_block, exclude_ipv6): - """ - returns whether to include or not the ipblock in the policy's referenced_ip_blocks - :param IpBlock ip_block: the ip_block to check - :param bool exclude_ipv6 : indicates if to exclude ipv6 addresses - excluding the ip_block will be enabled only if the policy didn't reference any ipv6 addresses. - if policy referenced only ipv4 addresses ,then the parser didn't add auto ip_blocks, all will be included. - otherwise, if the policy didn't reference any ips, this mean automatic ip_block with all ips was added, - this is the ip_block to be excluded - so query results will not consider the ipv6 full range - """ - return ip_block.is_ipv4_block() or not exclude_ipv6 - def get_order(self): """ :return: the order of the policy @@ -351,12 +328,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): """ return NotImplemented - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Implemented by derived classes to evaluate the set of connections this policy allows between two peers - """ - return NotImplemented - def policy_type_str(self): if self.policy_kind == NetworkPolicy.PolicyType.Ingress: return "Ingress resource" @@ -366,21 +337,9 @@ def policy_type_str(self): return "NetworkPolicy" -@dataclass -class PolicyConnections: - """ - A class to contain the effect of applying policies to a pair of peers - """ - captured: bool # Whether policy(ies) selectors captured relevant peers (can have empty allowed-conns with captured==True) - allowed_conns: ConnectionSet = ConnectionSet() # Connections allowed (and captured) by the policy(ies) - denied_conns: ConnectionSet = ConnectionSet() # Connections denied by the policy(ies) - pass_conns: ConnectionSet = ConnectionSet() # Connections specified as PASS by the policy(ies) - all_allowed_conns: ConnectionSet = ConnectionSet() # all (captured+ non-captured) Connections allowed by the policy(ies) - - -# TODO - making OptimizedPolicyConnections a dataclass does not work +# TODO - making PolicyConnections a dataclass does not work # (probably because PeerSet and ConnectivityProperties are mutable) -class OptimizedPolicyConnections: +class PolicyConnections: """ A class to contain the effect of applying policies to all src and dst peers It also serves as a filter for lazy evaluations of connections: diff --git a/nca/Utils/ExplTracker.py b/nca/Utils/ExplTracker.py index 24e9762bb..32cdeada9 100644 --- a/nca/Utils/ExplTracker.py +++ b/nca/Utils/ExplTracker.py @@ -239,8 +239,8 @@ def are_peers_connected(self, src, dst): def add_policy_to_peers(self, policy): for peer in policy.selected_peers: - src_peers, _ = self.extract_peers(policy.optimized_allow_ingress_props()) - _, dst_peers = self.extract_peers(policy.optimized_allow_egress_props()) + src_peers, _ = self.extract_peers(policy.allow_ingress_props()) + _, dst_peers = self.extract_peers(policy.allow_egress_props()) peer_name = peer.full_name() self.add_peer_policy(peer_name, policy.name, dst_peers, src_peers) diff --git a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml index 3f605d7be..103b3ee19 100644 --- a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml +++ b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml @@ -15,7 +15,7 @@ networkConfigList: - name: named-ports networkPolicyList: - testcase15-named-ports.yaml - expectedWarnings: 12 + expectedWarnings: 0 - name: equiv-games1 networkPolicyList: diff --git a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml index 70f516ee2..00a28ad8b 100644 --- a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml +++ b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml @@ -32,7 +32,7 @@ networkConfigList: - name: named-ports networkPolicyList: - testcase15-named-ports.yaml - expectedWarnings: 12 + expectedWarnings: 0 - name: equiv-games1 networkPolicyList: diff --git a/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml b/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml index df7ab8b85..99428a3b6 100644 --- a/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml +++ b/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml @@ -20,7 +20,7 @@ networkConfigList: - name: np5_named_ports networkPolicyList: - namedPorts-policy5.yaml - expectedWarnings: 5 + expectedWarnings: 0 queries: - name: semantic_diff_named_ports_np1_and_np2_by_deployments semanticDiff: diff --git a/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml b/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml index 237e34bce..49d48f819 100644 --- a/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml +++ b/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml @@ -25,7 +25,7 @@ networkConfigList: - name: np5 # just for warnings networkPolicyList: - namedPorts-policy5.yaml - expectedWarnings: 5 + expectedWarnings: 0 queries: - name: compare_np1_and_np2 diff --git a/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml b/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml index df3f2ee77..0f1b77ba8 100644 --- a/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml +++ b/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml @@ -25,7 +25,7 @@ networkConfigList: - name: np5 # just for warnings networkPolicyList: - namedPorts-policy5.yaml - expectedWarnings: 5 + expectedWarnings: 0 queries: - name: semantic_diff_named_ports_np1_and_np2 From e9b1e7f62a916bda5bdc597d292d3d82e8943f92 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 7 May 2024 15:54:57 +0300 Subject: [PATCH 74/89] Further refining code by deleting unused original implementatation code. Signed-off-by: Tanya --- nca/Resources/PolicyResources/CalicoNetworkPolicy.py | 6 ++---- nca/Resources/PolicyResources/GatewayPolicy.py | 4 ++-- nca/Resources/PolicyResources/IstioNetworkPolicy.py | 4 ++-- nca/Resources/PolicyResources/K8sNetworkPolicy.py | 4 ++-- 4 files changed, 8 insertions(+), 10 deletions(-) diff --git a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py index e8ec4ff00..b9a178513 100644 --- a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py +++ b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py @@ -37,8 +37,7 @@ def __init__(self, src_peers, dst_peers, action, props): self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.src_peers == other.src_peers and self.dst_peers == other.dst_peers and \ - self.props == other.props and self.action == other.action + return self.props == other.props and self.action == other.action def contained_in(self, other): """ @@ -46,8 +45,7 @@ def contained_in(self, other): :return: Whether all connections specified by 'self' are also specified by 'other' (regardless of action) :rtype: bool """ - return self.src_peers.issubset(other.src_peers) and self.dst_peers.issubset(other.dst_peers) and \ - self.props.contained_in(other.props) + return self.props.contained_in(other.props) @staticmethod def action_str_to_action_type(action_str): diff --git a/nca/Resources/PolicyResources/GatewayPolicy.py b/nca/Resources/PolicyResources/GatewayPolicy.py index e09fdd3be..5450bc287 100644 --- a/nca/Resources/PolicyResources/GatewayPolicy.py +++ b/nca/Resources/PolicyResources/GatewayPolicy.py @@ -24,7 +24,7 @@ def __init__(self, peer_set, props): self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.props == other.props + return self.props == other.props def contained_in(self, other): """ @@ -32,7 +32,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) + return self.props.contained_in(other.props) class GatewayPolicy(NetworkPolicy): diff --git a/nca/Resources/PolicyResources/IstioNetworkPolicy.py b/nca/Resources/PolicyResources/IstioNetworkPolicy.py index 2ca99c273..cf0ac2cd5 100644 --- a/nca/Resources/PolicyResources/IstioNetworkPolicy.py +++ b/nca/Resources/PolicyResources/IstioNetworkPolicy.py @@ -25,7 +25,7 @@ def __init__(self, peer_set, props): self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.props == other.props + return self.props == other.props def contained_in(self, other): """ @@ -33,7 +33,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) + return self.props.contained_in(other.props) class IstioNetworkPolicy(NetworkPolicy): diff --git a/nca/Resources/PolicyResources/K8sNetworkPolicy.py b/nca/Resources/PolicyResources/K8sNetworkPolicy.py index 887487d56..8a7223587 100644 --- a/nca/Resources/PolicyResources/K8sNetworkPolicy.py +++ b/nca/Resources/PolicyResources/K8sNetworkPolicy.py @@ -22,7 +22,7 @@ def __init__(self, peer_set, props): self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.props == other.props + return self.props == other.props def contained_in(self, other): """ @@ -30,7 +30,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.props.contained_in(other.props) + return self.props.contained_in(other.props) class K8sNetworkPolicy(NetworkPolicy): From 511a6341ff409b90db830d2d2a2d88e2238f8077 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 19 May 2024 18:26:16 +0300 Subject: [PATCH 75/89] Removed usage of ConnectionSet. Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 63 +- nca/FWRules/ConnectivityGraph.py | 151 +-- nca/FWRules/DotGraph.py | 21 +- nca/FWRules/FWRule.py | 34 +- nca/FWRules/MinimizeBasic.py | 34 - nca/FWRules/MinimizeCsFWRulesOpt.py | 46 +- nca/FWRules/MinimizeFWRules.py | 663 +----------- nca/NetworkConfig/NetworkConfigQuery.py | 124 +-- nca/NetworkConfig/NetworkLayer.py | 3 +- nca/NetworkConfig/QueryOutputHandler.py | 18 +- ...obal-interferes-local-print-all-pairs.json | 2 +- ...lobal-interferes-local-print-all-pairs.txt | 2 +- ...obal-interferes-local-print-all-pairs.yaml | 2 +- ...and-sub-deny-not-equiv-all-peer-pairs.json | 2 +- ...-and-sub-deny-not-equiv-all-peer-pairs.txt | 2 +- ...and-sub-deny-not-equiv-all-peer-pairs.yaml | 2 +- ...stcase15_with_ingress_connectivity_map.txt | 28 +- .../testcase16-scheme_output.txt | 2 +- .../testcase18_connectivity_map.txt | 4 +- ...case25_mix_k8s_calico_connectivity_map.txt | 2 +- ...se25_mix_k8s_calico_connectivity_map_2.txt | 2 +- ...-1-k8s-calico-istio-2_connectivity_map.txt | 2 +- ...alico-istio-ingress-2_connectivity_map.txt | 6 +- ...-calico-istio-ingress_connectivity_map.txt | 4 +- ...ig-1-k8s-calico-istio_connectivity_map.txt | 4 +- ...g-1-k8s-istio-ingress_connectivity_map.txt | 4 +- ...nfig-1-calico-ingress-config-allow-all.txt | 4 +- .../testcase8-semantic-diff-query.txt | 2 +- .../basic_semantic_diff_csv_query_output.txt | 6 +- .../basic_semantic_diff_md_query_output.txt | 6 +- .../basic_semantic_diff_query_output.txt | 6 +- .../basic_semantic_diff_yaml_query_output.txt | 31 +- .../helm_test_multi_chart.txt | 14 +- .../helm_test_one_chart.txt | 6 +- ...elm_test_resolved_yaml_in_template_dir.txt | 6 +- .../helm_test_resolved_yaml_inside_chart.txt | 6 +- .../helm_test_resolved_yaml_next_to_chart.txt | 6 +- ...est_resolved_yaml_next_to_multi_charts.txt | 8 +- .../livesim_test_all_dot.dot | 14 +- .../livesim_test_all_txt.txt | 6 +- .../poc1_expl_output.txt | 28 +- .../test4_expl_output.txt | 6 +- .../policies/calico-testcase14-scheme.yaml | 14 +- .../calico-testcase13-scheme_output.txt | 2 +- .../calico-testcase13-scheme_output.yaml | 3 +- .../calico-testcase14-scheme_output.txt | 2 +- .../calico-testcase14-scheme_output.yaml | 11 +- .../calico-testcase15-scheme_output.txt | 2 +- .../calico-testcase15-scheme_output.yaml | 13 +- ...lico-testcase20-Eran_gnps_query_output.txt | 6 +- ...ico-testcase20-Eran_gnps_query_output.yaml | 86 +- ...ivity_map_FirstDenySubset_query_output.txt | 2 +- ...vity_map_FirstDenySubset_query_output.yaml | 2 +- ...ty_map_firstAllowSuperSet_query_output.txt | 2 +- ...y_map_firstAllowSuperSet_query_output.yaml | 2 +- ...onnectivity_map_onlyAllow_query_output.txt | 2 +- ...nnectivity_map_onlyAllow_query_output.yaml | 2 +- ...onnectivity_map_denyFirst_query_output.txt | 2 +- ...nnectivity_map_denyFirst_query_output.yaml | 3 +- ...vity_test_methods_basic_1_query_output.txt | 2 +- ...ity_test_methods_basic_1_query_output.yaml | 9 +- ...vity_test_methods_basic_2_query_output.txt | 4 +- ...ity_test_methods_basic_2_query_output.yaml | 14 +- ...vity_test_methods_paths_1_query_output.txt | 2 +- ...ity_test_methods_paths_1_query_output.yaml | 121 +-- ...ty_test_operation_allow_1_query_output.txt | 2 +- ...y_test_operation_allow_1_query_output.yaml | 28 +- ...ity_test_operation_deny_1_query_output.txt | 4 +- ...ty_test_operation_deny_1_query_output.yaml | 10 +- .../istio-test1-scheme_query1_output.txt | 4 +- .../istio-test1-scheme_query1_output.yaml | 8 +- .../istio-test1-scheme_query2_output.txt | 6 +- .../istio-test1-scheme_query2_output.yaml | 12 +- .../expected_output/poc1-scheme_output.csv | 24 +- .../expected_output/poc1-scheme_output.dot | 36 +- .../expected_output/poc1-scheme_output.md | 24 +- .../expected_output/poc1-scheme_output.txt | 24 +- .../expected_output/poc1-scheme_output.yaml | 118 +-- .../expected_output/poc2-scheme_output.txt | 28 +- .../expected_output/poc2-scheme_output.yaml | 198 ++-- .../expected_output/poc3-scheme_output.txt | 28 +- .../expected_output/poc3-scheme_output.yaml | 150 +-- ...4_scheme_connectivity_map_query_output.txt | 28 +- ..._scheme_connectivity_map_query_output.yaml | 144 +-- ...e_semantic_diff_poc4_poc3_query_output.txt | 2 +- ..._semantic_diff_poc4_poc3_query_output.yaml | 4 +- .../port_aggregation-scheme_output.txt | 2 +- .../port_aggregation-scheme_output.yaml | 64 +- ..._diff_a_to_b_with_ipBlock_query_output.csv | 2 +- ...c_diff_a_to_b_with_ipBlock_query_output.md | 2 +- ..._diff_a_to_b_with_ipBlock_query_output.txt | 2 +- ...diff_a_to_b_with_ipBlock_query_output.yaml | 22 +- ...ic_diff_ipblocks__np1_np4_query_output.csv | 2 +- ...tic_diff_ipblocks__np1_np4_query_output.md | 2 +- ...ic_diff_ipblocks__np1_np4_query_output.txt | 2 +- ...c_diff_ipblocks__np1_np4_query_output.yaml | 18 +- ...diff_ipblocks_equivalence_query_output.csv | 8 +- ..._diff_ipblocks_equivalence_query_output.md | 8 +- ...diff_ipblocks_equivalence_query_output.txt | 8 +- ...iff_ipblocks_equivalence_query_output.yaml | 16 +- ...tic_diff_ipblocks_np1_np2_query_output.csv | 4 +- ...ntic_diff_ipblocks_np1_np2_query_output.md | 4 +- ...tic_diff_ipblocks_np1_np2_query_output.txt | 4 +- ...ic_diff_ipblocks_np1_np2_query_output.yaml | 8 +- ...ports_np1_and_np2_by_pods_query_output.txt | 4 +- ...f_named_ports_np1_and_np2_query_output.csv | 4 +- ...ff_named_ports_np1_and_np2_query_output.md | 4 +- ...f_named_ports_np1_and_np2_query_output.txt | 4 +- ..._named_ports_np1_and_np2_query_output.yaml | 8 +- .../semantic_diff_old1_new1_query_output.csv | 4 +- .../semantic_diff_old1_new1_query_output.md | 4 +- .../semantic_diff_old1_new1_query_output.txt | 4 +- .../semantic_diff_old1_new1_query_output.yaml | 12 +- .../semantic_diff_old1_new1a_query_output.csv | 4 +- .../semantic_diff_old1_new1a_query_output.md | 4 +- .../semantic_diff_old1_new1a_query_output.txt | 4 +- ...semantic_diff_old1_new1a_query_output.yaml | 20 +- ...ld1_new1a_txt_no_fw_rules_query_output.txt | 6 +- .../semantic_diff_old2_new2_query_output.csv | 4 +- .../semantic_diff_old2_new2_query_output.json | 20 +- .../semantic_diff_old2_new2_query_output.md | 4 +- .../semantic_diff_old2_new2_query_output.txt | 4 +- .../semantic_diff_old2_new2_query_output.yaml | 20 +- .../semantic_diff_poc-scheme_output.csv | 26 +- .../semantic_diff_poc-scheme_output.md | 26 +- .../semantic_diff_poc-scheme_output.txt | 26 +- .../semantic_diff_poc-scheme_output.yaml | 218 ++-- .../expected_output/test12-scheme_output.txt | 2 +- .../expected_output/test12-scheme_output.yaml | 27 +- .../expected_output/test16-scheme_output.txt | 2 +- .../expected_output/test16-scheme_output.yaml | 66 +- .../expected_output/test2-scheme_output.txt | 4 +- .../expected_output/test2-scheme_output.yaml | 54 +- .../expected_output/test23-scheme_output.txt | 2 +- .../expected_output/test23-scheme_output.yaml | 4 +- .../expected_output/test24-scheme_output.txt | 2 +- .../expected_output/test24-scheme_output.yaml | 4 +- .../expected_output/test3-scheme_output.txt | 2 +- .../expected_output/test3-scheme_output.yaml | 24 +- ...scheme_query_connectivity_map_3_output.csv | 2 +- ...scheme_query_connectivity_map_3_output.dot | 4 +- ...-scheme_query_connectivity_map_3_output.md | 2 +- ...scheme_query_connectivity_map_3_output.txt | 2 +- ...cheme_query_connectivity_map_3_output.yaml | 24 +- ...scheme_query_connectivity_map_4_output.csv | 8 +- ...scheme_query_connectivity_map_4_output.dot | 14 +- ...-scheme_query_connectivity_map_4_output.md | 8 +- ...scheme_query_connectivity_map_4_output.txt | 8 +- ...cheme_query_connectivity_map_4_output.yaml | 88 +- ...boutique_multi_layer_from_live_cluster.txt | 28 +- ...est-connectivity-map-missing-resources.dot | 70 +- ...-and-k8s-ingress-test-connectivity-map.dot | 70 +- ...est-connectivity-map-missing-resources.dot | 38 +- ...ex-istio-ingress-test-connectivity-map.dot | 38 +- ...est-connectivity-map-missing-resources.dot | 34 +- ...-k8s-ingress-all-test-connectivity-map.dot | 34 +- ...est-connectivity-map-missing-resources.dot | 18 +- ...-ingress-cluster-test-connectivity-map.dot | 18 +- ...onnectivity-map-with-missing-resources.dot | 18 +- ...plex-k8s-ingress-test-connectivity-map.dot | 18 +- ...nectivity-bookinfo-demo-by-deployments.dot | 10 +- .../connectivity-bookinfo-demo-by-pods.dot | 10 +- ...tivity_map_of_onlineboutique_resources.txt | 20 +- ...boutique_resources_with_istio_gateways.txt | 24 +- ...uiv_configs_w_sidecars_different_hosts.txt | 2 +- ...ly_istio_ingress_test_connectivity_map.txt | 4 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- .../istio_egress_test_connectivity_map.txt | 4 +- .../istio_ingress_test_connectivity_map.txt | 6 +- ...es_connectivity_map_with_baseline_rule.txt | 18 +- ...synth_res_connectivity_map_wo_fw_rules.txt | 390 ++++---- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...online_boutique_new_input_vs_synth_res.txt | 32 +- ...w_synth_res_vs_synth_with_baseline_res.txt | 2 +- ...emantic_diff_sidecars_added_conns_test.txt | 4 +- ...semantic_diff_sidecars_lost_conns_test.txt | 2 +- ...ars-and-gateways-test-connectivity-map.txt | 6 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- .../ipblocktest-conn-graph-no-fw-rules.txt | 940 +++++++++--------- .../k8s_ingress_test_connectivity_map.txt | 2 +- .../new_online_boutique_connectivity_map.txt | 20 +- ...outique_synthesis_res_connectivity_map.txt | 22 +- .../onlineboutique-conn-graph-no-fw-rules.txt | 50 +- ...outique_synthesis_res_connectivity_map.txt | 28 +- ...ue_new_synthesized_vs_orig_synthesized.txt | 8 +- ...online_boutique_new_vs_synthesized_new.txt | 2 +- .../services1_connectivity_map.txt | 4 +- 187 files changed, 2356 insertions(+), 3181 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 9384a418b..48713433b 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -10,6 +10,7 @@ from .MethodSet import MethodSet from .Peer import PeerSet, BasePeerSet from .ProtocolNameResolver import ProtocolNameResolver +from .ProtocolSet import ProtocolSet from .MinDFA import MinDFA from .ConnectivityCube import ConnectivityCube @@ -99,9 +100,9 @@ def __bool__(self): def __str__(self): if self.is_all(): - return '' + return 'All connections' if not super().__bool__(): - return 'Empty' + return 'No connections' if self.active_dimensions == ['dst_ports']: assert (len(self) == 1) for cube in self: @@ -115,6 +116,9 @@ def __str__(self): def __hash__(self): return super().__hash__() + def __lt__(self, other): + return len(self) < len(other) + def get_connectivity_cube(self, cube): """ translate the ordered cube to ConnectivityCube format @@ -299,6 +303,10 @@ def print_diff(self, other, self_name, other_name): :return: If self!=other, return a string showing a (source, target) pair that appears in only one of them :rtype: str """ + if self.is_all() and not other.is_all(): + return self_name + ' allows all connections while ' + other_name + ' does not.' + if not self.is_all() and other.is_all(): + return other_name + ' allows all connections while ' + self_name + ' does not.' self_minus_other = self - other other_minus_self = other - self diff_str = self_name if self_minus_other else other_name @@ -566,3 +574,54 @@ def _reorder_list_by_map(orig_list, new_to_old_map): for i in range(len(orig_list)): res.append(orig_list[new_to_old_map[i]]) return res + + @staticmethod + def extract_src_dst_peers_from_cube(the_cube, peer_container, relevant_protocols=ProtocolSet(True)): + all_peers = peer_container.get_all_peers_group(True) + conn_cube = the_cube.copy() + src_peers = conn_cube["src_peers"] or all_peers + conn_cube.unset_dim("src_peers") + dst_peers = conn_cube["dst_peers"] or all_peers + conn_cube.unset_dim("dst_peers") + protocols = conn_cube["protocols"] + conn_cube.unset_dim("protocols") + if not conn_cube.has_active_dim() and (protocols == relevant_protocols or protocols.is_whole_range()): + props = ConnectivityProperties.make_all_props() + else: + conn_cube["protocols"] = protocols + assert conn_cube.has_active_dim() + props = ConnectivityProperties.make_conn_props(conn_cube) + return props, src_peers, dst_peers + + def get_simplified_connections_representation(self, is_str, use_complement_simplification=True): + """ + Get a simplified representation of the connectivity properties - choose shorter version between self + and its complement. + representation as str is a string representation, and not str is representation as list of objects. + The representation is used at fw-rules representation of the connection. + :param bool is_str: should get str representation (True) or list representation (False) + :param bool use_complement_simplification: should choose shorter rep between self and complement + :return: the required representation of the connection set + :rtype Union[str, list] + """ + if self.is_all(): + return "All connections" if is_str else ["All connections"] + if not super().__bool__(): + return "No connections" if is_str else ["No connections"] + + compl = ConnectivityProperties.make_all_props() - self + if len(self) > len(compl) and use_complement_simplification: + compl_rep = compl._get_connections_representation(is_str) + return f'All but {compl_rep}' if is_str else [{"All but": compl_rep}] + else: + return self._get_connections_representation(is_str) + + def _get_connections_representation(self, is_str): + cubes_list = [self.get_cube_dict(cube, is_str) for cube in self] + if is_str: + return ','.join(self._get_cube_str_representation(cube) for cube in cubes_list) + return cubes_list + + @staticmethod + def _get_cube_str_representation(cube): + return '{' + ','.join(f'{item[0]}:{item[1]}' for item in cube.items()) + '}' diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index fe9b5dc3a..620b91153 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,10 +6,10 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.Peer import IpBlock, Pod from nca.CoreDS.ProtocolSet import ProtocolSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from .DotGraph import DotGraph -from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo @@ -26,32 +26,14 @@ def __init__(self, all_peers, allowed_labels, output_config): :param allowed_labels: the set of allowed labels to be used in generated fw-rules, extracted from policy yamls :param output_config: OutputConfiguration object """ - # connections_to_peers holds the connectivity graph + # props_to_peers holds the connectivity graph self.output_config = output_config - self.connections_to_peers = defaultdict(list) + self.props_to_peers = defaultdict(list) if self.output_config.fwRulesOverrideAllowedLabels: allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) self.cluster_info = ClusterInfo(all_peers, allowed_labels) self.allowed_labels = allowed_labels - def add_edge(self, source_peer, dest_peer, connections): - """ - Adding a labeled edge to the graph - :param Peer source_peer: The source peer - :param Peer dest_peer: The dest peer - :param ConnectionSet connections: The allowed connections from source_peer to dest_peer - :return: None - """ - self.connections_to_peers[connections].append((source_peer, dest_peer)) - - def add_edges(self, connections): - """ - Adding a set of labeled edges to the graph - :param dict connections: a map from ConnectionSet to (src, dest) pairs - :return: None - """ - self.connections_to_peers.update(connections) - def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the give cube @@ -68,13 +50,13 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restr else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + props, src_peers, dst_peers = \ + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, peer_container, relevant_protocols) split_src_peers = src_peers.split() split_dst_peers = dst_peers.split() for src_peer in split_src_peers: for dst_peer in split_dst_peers: - self.connections_to_peers[conns].append((src_peer, dst_peer)) + self.props_to_peers[props].append((src_peer, dst_peer)) def add_props_to_graph(self, props, peer_container, connectivity_restriction=None): """ @@ -290,16 +272,16 @@ def _get_equals_groups(self): """ # for each peer, we get a list of (peer,conn,direction) that it connected to: peers_edges = {peer: [] for peer in set(self.cluster_info.all_peers)} - edges_connections = dict() - for connection, peer_pairs in self.connections_to_peers.items(): - if not connection: + edges_props = dict() + for props, peer_pairs in self.props_to_peers.items(): + if not props: continue for src_peer, dst_peer in peer_pairs: if src_peer != dst_peer: - peers_edges[src_peer].append((dst_peer, connection, False)) - peers_edges[dst_peer].append((src_peer, connection, True)) - edges_connections[(src_peer, dst_peer)] = connection - edges_connections[(dst_peer, src_peer)] = connection + peers_edges[src_peer].append((dst_peer, props, False)) + peers_edges[dst_peer].append((src_peer, props, True)) + edges_props[(src_peer, dst_peer)] = props + edges_props[(dst_peer, src_peer)] = props # for each peer, adding a self edge only for connection that the peer already have: for peer, peer_edges in peers_edges.items(): @@ -311,7 +293,7 @@ def _get_equals_groups(self): # find groups of peers that are also connected to each other: connected_groups, left_out = self._find_equal_groups(peers_edges) # for every group, also add the connection of the group (should be only one) - connected_groups = [(group, edges_connections.get((group[0], group[1]), None)) for group in connected_groups] + connected_groups = [(group, edges_props.get((group[0], group[1]), None)) for group in connected_groups] # removing the peers of groups that we already found: peers_edges = {peer: edges for peer, edges in peers_edges.items() if peer in left_out} @@ -332,8 +314,8 @@ def get_connections_without_fw_rules_txt_format(self, connectivity_msg=None, exc :return: a string of the original peers connectivity graph content (without minimization of fw-rules) """ lines = set() - for connections, peer_pairs in self.connections_to_peers.items(): - if not connections: + for props, peer_pairs in self.props_to_peers.items(): + if not props: continue for src_peer, dst_peer in peer_pairs: if src_peer != dst_peer: @@ -343,8 +325,7 @@ def get_connections_without_fw_rules_txt_format(self, connectivity_msg=None, exc # not be added either if exclude_self_loop_conns and src_peer_name == dst_peer_name: continue - conn_str = connections.get_simplified_connections_representation(True) - conn_str = conn_str.title() if not conn_str.isupper() else conn_str + conn_str = props.get_simplified_connections_representation(True) lines.add(f'{src_peer_name} => {dst_peer_name} : {conn_str}') lines_list = [] @@ -370,7 +351,7 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif # we are going to treat a peers_group as one peer. # the first peer in the peers_group is representing the group # we will add the text of all the peers in the group to this peer - for peers_group, group_connection in peers_groups: + for peers_group, group_props in peers_groups: peer_name, node_type, nc_name, text = self._get_peer_details(peers_group[0]) if len(peers_group) > 1: text = sorted(set(self._get_peer_details(peer)[3][0] for peer in peers_group)) @@ -379,20 +360,20 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif node_type = DotGraph.NodeType.MultiPod if len(text) > 1 else node_type dot_graph.add_node(nc_name, peer_name, node_type, text) # adding the self edges: - if len(text) > 1 and group_connection: - conn_str = group_connection.get_simplified_connections_representation(True) - conn_str = conn_str.replace("Protocol:", "").replace('All connections', 'All') + if len(text) > 1 and group_props: + conn_str = group_props.get_simplified_connections_representation(True) + conn_str = conn_str.replace('All connections', 'All') dot_graph.add_edge(peer_name, peer_name, label=conn_str, is_dir=False) representing_peers = [multi_peer[0][0] for multi_peer in peers_groups] - for connections, peer_pairs in self.connections_to_peers.items(): + for props, peer_pairs in self.props_to_peers.items(): directed_edges = set() # todo - is there a better way to get edge details? # we should revisit this code after reformatting connections labels - conn_str = connections.get_simplified_connections_representation(True) - conn_str = conn_str.replace("Protocol:", "").replace('All connections', 'All') + conn_str = props.get_simplified_connections_representation(True) + conn_str = conn_str.replace('All connections', 'All') for src_peer, dst_peer in peer_pairs: - if src_peer != dst_peer and connections and src_peer in representing_peers and dst_peer in representing_peers: + if src_peer != dst_peer and props and src_peer in representing_peers and dst_peer in representing_peers: src_peer_name, _, src_nc, _ = self._get_peer_details(src_peer) dst_peer_name, _, dst_nc, _ = self._get_peer_details(dst_peer) directed_edges.add(((src_peer_name, src_nc), (dst_peer_name, dst_nc))) @@ -412,83 +393,3 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif for edge in undirected_edges | cliques_edges: dot_graph.add_edge(src_name=edge[0][0], dst_name=edge[1][0], label=conn_str, is_dir=False) return dot_graph.to_str(self.output_config.outputFormat == 'dot') - - def get_minimized_firewall_rules(self): - """ - computes and returns minimized firewall rules from original connectivity graph - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - - connections_sorted_by_size = list(self.connections_to_peers.items()) - connections_sorted_by_size.sort(reverse=True) - - connections_sorted_by_size = self._merge_ip_blocks(connections_sorted_by_size) - - if self.output_config.fwRulesRunInTestMode: - # print the original connectivity graph - lines = set() - for connections, peer_pairs in connections_sorted_by_size: - for src_peer, dst_peer in peer_pairs: - src_peer_name = self._get_peer_details(src_peer)[0] - dst_peer_name = self._get_peer_details(dst_peer)[0] - # on level of deployments, omit the 'all connections' between a pod to itself - # a connection between deployment to itself is derived from connection between 2 different pods of - # the same deployment - if src_peer == dst_peer and self.output_config.outputEndpoints == 'deployments': - continue - lines.add(f'src: {src_peer_name}, dest: {dst_peer_name}, allowed conns: {connections}') - for line in lines: - print(line) - print('======================================================') - # compute the minimized firewall rules - return MinimizeFWRules.minimize_firewall_rules(self.cluster_info, self.output_config, connections_sorted_by_size) - - @staticmethod - def _merge_ip_blocks(connections_sorted_by_size): - """ - Given an input connectivity graph, merge ip-blocks for peer-pairs when possible. e.g. if (pod_x , - 0.0.0.0-49.49.255.255) and ) and (pod_x, 49.50.0.0-255.255.255.255) are in connections_sorted_by_size[conn], - then in the output result, only (pod_x, 0.0.0.0-255.255.255.255) will be in: connections_sorted_by_size[conn] - - :param connections_sorted_by_size: the original connectivity graph : a list of tuples - (connection set , peer_pairs), where peer_pairs is a list of (src,dst) tuples - :return: connections_sorted_by_size_new : a new connectivity graph with merged ip-blocks - """ - connections_sorted_by_size_new = [] - for connections, peer_pairs in connections_sorted_by_size: - map_ip_blocks_per_dst = dict() - map_ip_blocks_per_src = dict() - merged_peer_pairs = [] - for (src, dst) in peer_pairs: - if isinstance(src, IpBlock) and isinstance(dst, ClusterEP): - if dst not in map_ip_blocks_per_dst: - map_ip_blocks_per_dst[dst] = src.copy() - else: - map_ip_blocks_per_dst[dst] |= src - elif isinstance(dst, IpBlock) and isinstance(src, ClusterEP): - if src not in map_ip_blocks_per_src: - map_ip_blocks_per_src[src] = dst.copy() - else: - map_ip_blocks_per_src[src] |= dst - else: - merged_peer_pairs.append((src, dst)) - for (src, ip_block) in map_ip_blocks_per_src.items(): - merged_peer_pairs.append((src, ip_block)) - for (dst, ip_block) in map_ip_blocks_per_dst.items(): - merged_peer_pairs.append((ip_block, dst)) - connections_sorted_by_size_new.append((connections, merged_peer_pairs)) - - return connections_sorted_by_size_new - - def conn_graph_has_fw_rules(self): - """ - :return: bool flag indicating if the given conn_graph has fw_rules (and not considered empty) - """ - if not self.connections_to_peers: - return False - if len((self.connections_to_peers.items())) == 1: - conn = list(self.connections_to_peers.keys())[0] - # we currently do not create fw-rules for "no connections" - if not conn: # conn is "no connections": - return False - return True diff --git a/nca/FWRules/DotGraph.py b/nca/FWRules/DotGraph.py index 4e6deeeca..66cb4d926 100644 --- a/nca/FWRules/DotGraph.py +++ b/nca/FWRules/DotGraph.py @@ -213,6 +213,11 @@ def _edge_to_str(self, edge): line += f'[{label} {tooltip} color={edge_color} fontcolor=darkgreen {arrow_type}]\n' return line + @staticmethod + def get_val_by_key_from_list(the_list, key): + res_items = [item for item in the_list if key in item] + return res_items[0].split(':')[1] if res_items else '' + def _set_labels_dict(self): """ creates a dict of label -> to label_short @@ -227,19 +232,15 @@ def _set_labels_dict(self): labels_short = {} # for each label, the short will look like "tcp" if there is a port, or "TCP" if there is no port for label in self.labels: - splitted_label = label.split(' ', 1) - label_type = splitted_label.pop(0) - label_port = splitted_label[0] if splitted_label else '' - if label_port.startswith('{'): - # it is not a port, its a list of dict, a dict can have 'dst_ports' - # we will use only one 'dst_ports': - connections = ast.literal_eval(f'[{label_port}]') - ports = [conn['dst_ports'] for conn in connections if 'dst_ports' in conn.keys()] - label_port = ports[0] if ports else '' + splitted_label = label.replace('{', '').replace('}', '').split(',') + label_type = self.get_val_by_key_from_list(splitted_label, 'protocols') + label_port = self.get_val_by_key_from_list(splitted_label, 'dst_ports') + assert label == 'All' or label_type # a 'dst_ports' can be too long (like 'port0,port1-port2' ) we trim it to the first port: if len(label_port) > 6: label_port = label_port.split(',')[0].split('-')[0] - labels_short[label] = f'{label_type.lower()}{label_port}' if label_port else label_type + labels_short[label] = 'All' if label == 'All' else f'{label_type.lower()}{label_port}' if label_port \ + else label_type # for labels sharing the same short, we will add a letter to the end of the short: for short in set(labels_short.values()): diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 7e511b43b..31c6e51f3 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -573,16 +573,16 @@ class FWRule: rule_csv_header = ['query', 'src_ns', 'src_pods', 'dst_ns', 'dst_pods', 'connection'] supported_formats = {'txt', 'yaml', 'csv', 'md', 'json'} - def __init__(self, src, dst, conn): + def __init__(self, src, dst, props): """ Create an object of FWRule :param src: src element of type FWRuleElement :param dst: dst element of type FWRuleElement - :param conn: allowed connections of type ConnectionSet + :param props: allowed connections of type ConnectivityProperties """ self.src = src self.dst = dst - self.conn = conn + self.props = props # TODO: also re-format the rule if ns is a combination of both 'system' and non 'system' def should_rule_be_filtered_out(self): @@ -604,7 +604,7 @@ def __str__(self): """ src_str = self.src.get_elem_str(True) dst_str = self.dst.get_elem_str(False) - conn_str = str(self.conn) + conn_str = str(self.props) return src_str + dst_str + ' conn: ' + conn_str def get_rule_str(self): @@ -613,14 +613,14 @@ def get_rule_str(self): """ src_str = self.src.get_elem_str(True) dst_str = self.dst.get_elem_str(False) - conn_str = self.conn.get_simplified_connections_representation(True) + conn_str = self.props.get_simplified_connections_representation(True) return src_str + dst_str + ' conn: ' + conn_str + '\n' def __hash__(self): return hash(str(self)) def __eq__(self, other): - return self.src == other.src and self.dst == other.dst and self.conn == other.conn + return self.src == other.src and self.dst == other.dst and self.props == other.props def __lt__(self, other): return str(self) < str(other) @@ -640,7 +640,7 @@ def get_rule_component_str(self, component): elif component == 'dst_pods': return str(self.dst) if isinstance(self.dst, (IPBlockElement, DNSElement)) else self.dst.get_pod_str() elif component == 'connection': - return self.conn.get_simplified_connections_representation(True) + return self.props.get_simplified_connections_representation(True) return '' def get_rule_csv_row(self): @@ -663,7 +663,7 @@ def get_rule_dict_obj(self): src_ip_block_list = sorted(self.src.get_elem_list_obj()) if isinstance(self.src, IPBlockElement) else None dst_ip_block_list = sorted(self.dst.get_elem_list_obj()) if isinstance(self.dst, IPBlockElement) else None dst_dns_entry_list = sorted(self.dst.get_elem_list_obj()) if isinstance(self.dst, DNSElement) else None - conn_list = self.conn.get_simplified_connections_representation(False) + conn_list = self.props.get_simplified_connections_representation(False) rule_obj = {} if src_ip_block_list is None and dst_ip_block_list is None and dst_dns_entry_list is None: @@ -707,21 +707,3 @@ def get_rule_in_req_format(self, req_format): if req_format == 'txt': return self.get_rule_str() return None - - @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): - """ - create fw-rules from single pair of base elements (src,dst) and a given connection set - :param ConnectionSet connections: the allowed connections from src to dst - :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock - :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param OutputConfiguration output_config: an object holding output configuration - :return: list with created fw-rules - :rtype list[FWRule] - """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) - if src_elem is None or dst_elem is None: - return [] - return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 64d5b862b..b25a676bb 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -3,7 +3,6 @@ # SPDX-License-Identifier: Apache2.0 # -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import PeerSet from nca.CoreDS.ProtocolSet import ProtocolSet @@ -103,39 +102,6 @@ def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): break return chosen_rep, remaining_pods - # TODO - after moving to the optimized HC set implementation, - # get rid of ConnectionSet and move the code below to ConnectivityProperties.py - @staticmethod - def get_connection_set_and_peers_from_cube(the_cube, peer_container, - relevant_protocols=ProtocolSet(True)): - all_peers = peer_container.get_all_peers_group(True) - conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or all_peers - conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or all_peers - conn_cube.unset_dim("dst_peers") - protocols = conn_cube["protocols"] - conn_cube.unset_dim("protocols") - has_active_dim = conn_cube.has_active_dim() - if not has_active_dim and (protocols == relevant_protocols or protocols.is_whole_range()): - conns = ConnectionSet(True) - else: - conns = ConnectionSet() - protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) - if has_active_dim: - props = ConnectivityProperties.make_conn_props(conn_cube) - else: - props = ConnectivityProperties.make_all_props() - for protocol in protocol_names: - if has_active_dim: - conns.add_connections(protocol, props) - else: - if ProtocolSet.protocol_supports_ports(protocol) or ProtocolSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, props) - else: - conns.add_connections(protocol, True) - return conns, src_peers, dst_peers - @staticmethod def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=None): """ diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRulesOpt.py index 24270eaa7..8b5f31086 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRulesOpt.py @@ -4,7 +4,6 @@ # from collections import defaultdict -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod from nca.Resources.OtherResources.K8sNamespace import K8sNamespace @@ -27,8 +26,8 @@ def __init__(self, cluster_info, output_config): """ super().__init__(cluster_info, output_config) self.peer_props = ConnectivityProperties() - self.connections = ConnectionSet() - self.peer_props_in_containing_connections = ConnectivityProperties() + self.props = ConnectivityProperties() + self.peer_props_in_containing_props = ConnectivityProperties() self.ns_set_pairs = set() self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() @@ -36,14 +35,13 @@ def __init__(self, cluster_info, output_config): self.results_info_per_option = dict() self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - def compute_minimized_fw_rules_per_connection(self, connections, peer_props, - peer_props_in_containing_connections): + def compute_minimized_fw_rules_per_prop(self, props, peer_props, peer_props_in_containing_props): """ The main function for creating the minimized set of fw-rules for a given connection set - :param ConnectionSet connections: the allowed connections for the given peer pairs, of type ConnectionSet + :param ConnectivityProperties props: the allowed connections for the given peer pairs :param ConnectivityProperties peer_props: peers (src,dst) for which communication is allowed over the given connections - :param ConnectivityProperties peer_props_in_containing_connections: peers in connections that contain the current + :param ConnectivityProperties peer_props_in_containing_props: peers in connections that contain the current connection set class members used in computation of fw-rules: @@ -58,8 +56,8 @@ class members used in computation of fw-rules: (results_info_per_option: for debugging, dict with some info about the computation) """ self.peer_props = peer_props - self.connections = connections - self.peer_props_in_containing_connections = peer_props_in_containing_connections + self.props = props + self.peer_props_in_containing_props = peer_props_in_containing_props self.ns_set_pairs = set() self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() @@ -124,7 +122,7 @@ def _compute_covered_peer_props(self): not necessarily only limited to current connection set) :return: None """ - covered_peer_props = self.peer_props | self.peer_props_in_containing_connections + covered_peer_props = self.peer_props | self.peer_props_in_containing_props all_peers_set = self.peer_props.get_all_peers() if len(all_peers_set) < 500: # optimization - add auto-connections only if not too many peers, @@ -289,9 +287,9 @@ def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_ele # currently no grouping of ns-list by labels of namespaces grouped_elem = FWRuleElement(ns_set, self.cluster_info) if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + fw_rule = FWRule(fixed_elem, grouped_elem, self.props) else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + fw_rule = FWRule(grouped_elem, fixed_elem, self.props) return [fw_rule] def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): @@ -331,9 +329,9 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) + fw_rule = FWRule(fixed_elem, grouped_elem, self.props) else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) + fw_rule = FWRule(grouped_elem, fixed_elem, self.props) res.append(fw_rule) # TODO: should avoid having single pods remaining without labels grouping @@ -341,17 +339,17 @@ def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_se if make_peer_sets and remaining_pods: peer_set_elem = PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments') if is_src_fixed: - fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) + fw_rule = FWRule(fixed_elem, peer_set_elem, self.props) else: - fw_rule = FWRule(peer_set_elem, fixed_elem, self.connections) + fw_rule = FWRule(peer_set_elem, fixed_elem, self.props) res.append(fw_rule) else: for pod in remaining_pods: single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') if is_src_fixed: - fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) + fw_rule = FWRule(fixed_elem, single_pod_elem, self.props) else: - fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) + fw_rule = FWRule(single_pod_elem, fixed_elem, self.props) res.append(fw_rule) return res @@ -364,7 +362,7 @@ def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(self._create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + res.extend(self._create_fw_rules_from_base_elements(src, dst, self.props, self.cluster_info, self.output_config)) return res @@ -395,14 +393,14 @@ def _create_fw_rules_from_peer_props_aux(self, peer_props): dst_peers = conn_cube["dst_peers"] # whole peers sets were handled in self.ns_set_pairs and self.base_elem_pairs assert src_peers and dst_peers - res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.props, self.cluster_info, self.output_config)) return res - def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_info, output_config): + def _create_fw_rules_from_base_elements(self, src, dst, props, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set - :param ConnectionSet connections: the allowed connections from src to dst + :param ConnectivityProperties props: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info @@ -414,7 +412,7 @@ def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_inf dst_elem = self._create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] - return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] + return [FWRule(src, dst, props) for src in src_elem for dst in dst_elem] def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_config): """ @@ -469,7 +467,7 @@ def _print_results_info(self): def _print_firewall_rules(self, rules): print('-------------------') - print('rules for connections: ' + str(self.connections)) + print('rules for connections: ' + str(self.props)) for rule in rules: # filter out rule of a pod to itslef # if rule.is_rule_trivial(): diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index dab616015..d74a14846 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -4,565 +4,13 @@ # from collections import defaultdict -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, HostEP, DNSEntry +from nca.CoreDS.Peer import IpBlock from nca.CoreDS.ProtocolSet import ProtocolSet -from .FWRule import FWRuleElement, FWRule, PodElement, LabelExpr, PodLabelsElement, IPBlockElement, DNSElement -from .MinimizeBasic import MinimizeBasic +from .FWRule import FWRule from .MinimizeCsFWRulesOpt import MinimizeCsFwRulesOpt -class MinimizeCsFwRules(MinimizeBasic): - """ - This is a class for minimizing fw-rules within a specific connection-set - """ - - def __init__(self, cluster_info, output_config): - """ - create an object of MinimizeCsFwRules - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param output_config: an OutputConfiguration object - - """ - super().__init__(cluster_info, output_config) - self.peer_pairs = set() - self.connections = ConnectionSet() - self.peer_pairs_in_containing_connections = set() - self.ns_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() - self.peer_pairs_without_ns_expr = set() - self.covered_peer_pairs_union = set() - self.results_info_per_option = dict() - self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - - def compute_minimized_fw_rules_per_connection(self, connections, peer_pairs, peer_pairs_in_containing_connections): - """ - The main function for creating the minimized set of fw-rules for a given connection set - - :param connections: the allowed connections for the given peer pairs, of type ConnectionSet - :param peer_pairs: (set) pairs of peers (src,dst) for which communication is allowed over the given connections - :param peer_pairs_in_containing_connections: (set) pairs of peers in connections that contain the current - connection set - - class members used in computation of fw-rules: - self.ns_pairs : pairs of namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections - self.peers_with_ns_pairs: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension - self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping - self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current - connection-set (but not necessarily only limited to current connection set) - - :return: - minimized_fw_rules: a list of fw-rules (of type list[FWRule]) - (results_info_per_option: for debugging, dict with some info about the computation) - """ - self.peer_pairs = peer_pairs - self.connections = connections - self.peer_pairs_in_containing_connections = peer_pairs_in_containing_connections - self.ns_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() - self.peer_pairs_without_ns_expr = set() - self.covered_peer_pairs_union = set() - self.results_info_per_option = dict() - self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - - self._create_fw_rules() - if self.output_config.fwRulesRunInTestMode: - self._print_firewall_rules(self.minimized_fw_rules) - self._print_results_info() - - return self.minimized_fw_rules, self.results_info_per_option - - def _create_fw_rules(self): - """ - The main function for creating the minimized set of fw-rules for a given connection set - :return: None - """ - # partition peer_pairs to ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - self._compute_basic_namespace_grouping() - - # add all fw-rules: - self._add_all_fw_rules() - - def _compute_basic_namespace_grouping(self): - """ - computation of peer_pairs with possible grouping by namespaces. - Results are at: ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - :return: None - """ - self._compute_covered_peer_pairs_union() - # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - src_namespaces_set = set(src.namespace for (src, dest) in self.peer_pairs if isinstance(src, Pod)) - dst_namespaces_set = set(dest.namespace for (src, dest) in self.peer_pairs if isinstance(dest, Pod)) - # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs - for src_ns in src_namespaces_set: - for dst_ns in dst_namespaces_set: - ns_product_pairs = set((src, dst) for src in self.cluster_info.ns_dict[src_ns] for dst in - self.cluster_info.ns_dict[dst_ns]) - if ns_product_pairs.issubset(self.covered_peer_pairs_union): - self.ns_pairs |= {(src_ns, dst_ns)} - else: - self.peer_pairs_without_ns_expr |= ns_product_pairs & self.peer_pairs - - # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? - pairs_with_elems_without_ns = \ - set((src, dst) for (src, dst) in self.peer_pairs - if isinstance(src, (IpBlock, HostEP, DNSEntry)) or isinstance(dst, (IpBlock, HostEP, DNSEntry))) - self.peer_pairs_without_ns_expr |= pairs_with_elems_without_ns - # compute pairs with src as pod/ip-block and dest as namespace - self._compute_ns_pairs_with_partial_ns_expr(False) - # compute pairs with src as pod/ip-block namespace dest as pod - self._compute_ns_pairs_with_partial_ns_expr(True) - # remove pairs of (pod,pod) for trivial cases of communication from pod to itself - self._remove_trivial_rules_from_peer_pairs_without_ns_expr() - - def _compute_covered_peer_pairs_union(self): - """ - compute the union (set) of all peer pairs for which communication is allowed in current connection-set (but - not necessarily only limited to current connection set) - :return: None - """ - covered_peer_pairs_union = self.peer_pairs | self.peer_pairs_in_containing_connections - - all_pods_set = set(src for (src, dst) in self.peer_pairs if isinstance(src, ClusterEP)) | \ - set(dst for (src, dst) in self.peer_pairs if isinstance(dst, ClusterEP)) - for pod in all_pods_set: - covered_peer_pairs_union |= {(pod, pod)} - self.covered_peer_pairs_union = covered_peer_pairs_union - - @staticmethod - def _get_pods_set_per_fixed_elem_from_peer_pairs(is_src_fixed, fixed_elem, peer_pairs_set): - """ - - :param is_src_fixed: bool flag indicating if fixed elem is src (True) or dst (False) - :param fixed_elem: the fixed element - :param peer_pairs_set: set of peer pairs - :return:set of pods that are paired with fixed_elem ( as src/dst according to flag is_src_fixed) - in peer_pairs_set - """ - if is_src_fixed: - return set(dest for (src, dest) in peer_pairs_set if src == fixed_elem and isinstance(dest, Pod)) - return set(src for (src, dest) in peer_pairs_set if dest == fixed_elem and isinstance(src, Pod)) - - def _get_peer_pairs_product_for_ns_and_fixed_elem(self, is_pod_in_src, pod, ns): - """ - compute all peer pairs represented by a pair of a pod with entire namespace - :param is_pod_in_src: flag indicating if pod is src (True) or dst (False) - :param pod: the fixed element - :param ns: the entire namespace - :return: a set of peer pairs - """ - if is_pod_in_src: - return set((pod, dst_pod) for dst_pod in self.cluster_info.ns_dict[ns]) - return set((src_pod, pod) for src_pod in self.cluster_info.ns_dict[ns]) - - def _get_ns_covered_in_one_dimension(self, is_src_fixed, fixed_elem): - """ - compute if a fixed elem (src or dst) can be paired with entire namespace (dst or src) - :param is_src_fixed: a bool flag indicating if fixed_elem is a src elem (True) of dst (False) - :param fixed_elem: a fixed elem (of type Pod/IpBlock) - :return: - covered_ns_set: set of namespaces for which fixed_elem can be paired with - (connection is allowed between fixed_elem and each ns in this set [direction depends on is_src_fixed], - according to current connection set and the containing connections as well). - peer_pairs_product_union: set of peer pairs represented by each pair of fixed_elem with ns in covered_ns_set - """ - pods_set = self._get_pods_set_per_fixed_elem_from_peer_pairs(is_src_fixed, fixed_elem, - self.peer_pairs_without_ns_expr) - # ns_set is a set with the potential namespaces for grouping - ns_set = set(e.namespace for e in pods_set) - covered_ns_set = set() - peer_pairs_product_union = set() - for ns in ns_set: - peer_pairs_product = self._get_peer_pairs_product_for_ns_and_fixed_elem(is_src_fixed, fixed_elem, ns) - # if the connections between entire ns and fixed_elem is allowed - add ns to covered_ns_set - if peer_pairs_product.issubset(self.covered_peer_pairs_union): - covered_ns_set |= {ns} - peer_pairs_product_union |= peer_pairs_product - return covered_ns_set, peer_pairs_product_union - - def _compute_ns_pairs_with_partial_ns_expr(self, is_src_ns): - """ - computes and updates self.peers_with_ns_pairs with pairs where only one elem (src/dst) - can be grouped to an entire namespace - :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) - :return: None - """ - # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not - # in the grouping computation - pod_set = set(src for (src, _) in self.peer_pairs_without_ns_expr) if not is_src_ns else \ - set(dst for (_, dst) in self.peer_pairs_without_ns_expr) - # loop on fixed elements (not in the grouping computation) - for pod in pod_set: - covered_ns_set, peer_pairs_product_union = self._get_ns_covered_in_one_dimension(not is_src_ns, pod) - for ns in covered_ns_set: - partial_ns_expr_pair = (pod, ns) if not is_src_ns else (ns, pod) - self.peer_pairs_with_partial_ns_expr |= {partial_ns_expr_pair} - self.peer_pairs_without_ns_expr -= peer_pairs_product_union - - # remove trivial pairs to avoid creating them a fw-rule directly - def _remove_trivial_rules_from_peer_pairs_without_ns_expr(self): - """ - update peer_pairs_without_ns_expr by removing pairs with identical src and dst elements. - a communication from a pod to itself is trivial, thus we should avoid creating fw-rules for such pairs. - Note that these pairs are contained in self.covered_peer_pairs_union, thus can be used for grouping if needed. - :return: None - """ - trivial_pairs = set((src, dst) for (src, dst) in self.peer_pairs_without_ns_expr if src == dst) - self.peer_pairs_without_ns_expr -= trivial_pairs - - def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): - """ - create a fw-rule from a fixed-elem and a set of namespaces - :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) - :param ns_set: a set of namespaces - :param fixed_elem: the fixed element - :return: a list with created FWRule - """ - # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - return [fw_rule] - - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set): - """ - Implements grouping in the level of pods labels. - :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. - :param pods_set: the set of pods to be grouped - :param fixed_elem: the fixed element of the original fw-rules - :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be - used for grouping (completing for a set of pods to cover some label grouping). - :return: a set of fw-rules result after grouping - """ - res = [] - # (1) try grouping by pods-labels: - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) - for (key, values, ns_info) in chosen_rep: - map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) - all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) - pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - res.append(fw_rule) - - # TODO: should avoid having single pods remaining without labels grouping - # (2) add rules for remaining single pods: - for pod in remaining_pods: - single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) - else: - fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) - res.append(fw_rule) - return res - - def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): - """ - creating initial fw-rules from base elements - :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock - :return: list with created fw-rules - :rtype list[FWRule] - """ - res = [] - for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) - return res - - def _create_all_initial_fw_rules(self): - """ - Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) - :return: a list of initial fw-rules of type FWRule - :rtype list[FWRule] - """ - initial_fw_rules = [] - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_without_ns_expr)) - initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) - return initial_fw_rules - - def _add_all_fw_rules(self): - """ - Computation of fw-rules, following the ns-grouping of peer_pairs. - Results are at: self.minimized_rules_set - :return: None - """ - # create initial fw-rules from ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - initial_fw_rules = self._create_all_initial_fw_rules() - # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per - # all ConnectionSet pairs) - - # option1 - start computation when src is fixed at first iteration, and merge applies to dst - option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) - # option2 - start computation when dst is fixed at first iteration, and merge applies to src - option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) - - # self.post_processing_fw_rules(option1) - # self.post_processing_fw_rules(option2) - - if self.output_config.fwRulesRunInTestMode: - equiv1 = self.check_peer_pairs_equivalence(option1) - equiv2 = self.check_peer_pairs_equivalence(option2) - assert equiv1 - assert equiv2 - # add info for documentation about computation results - self.results_info_per_option['option1_len'] = len(option1) - self.results_info_per_option['option2_len'] = len(option2) - self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 - self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 - self.results_info_per_option['equiv1'] = equiv1 - self.results_info_per_option['equiv2'] = equiv2 - - if self.output_config.fwRulesDebug: - print('option 1 rules:') - self._print_firewall_rules(option1) - print('option 2 rules: ') - self._print_firewall_rules(option2) - - # choose the option with less fw-rules - if len(option1) < len(option2): - self.minimized_fw_rules = option1 - return - self.minimized_fw_rules = option2 - - def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): - """ - Apply grouping for a set of elements to create grouped fw-rules - :param fixed_elem: the fixed elements from the original fw-rules - :param set_for_grouping_elems: the set of elements to be grouped - :param src_first: a bool flag to indicate if fixed_elem is src or dst - :return: A list of fw-rules after possible grouping operations - """ - res = [] - # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems - pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if - isinstance(elem, (PodElement, PodLabelsElement))) - ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) - dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) - ns_elems = set_for_grouping_elems - (pod_and_pod_labels_elems | ip_block_elems | dns_elems) - - if ns_elems: - # grouping of ns elements is straight-forward - ns_set = set.union(*(f.ns_info for f in ns_elems)) - res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) - - if pod_and_pod_labels_elems: - # grouping of pod and pod-labels elements - # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping - if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): - elem = list(pod_and_pod_labels_elems)[0] - fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, - self.connections) - res.append(fw_rule) - else: - # set_for_grouping_pods is the set of all pods originated in pods and pod-labels elements, to be grouped - set_for_grouping_pods = set() - for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set() - - # allow borrowing pods for labels-grouping from covered_peer_pairs_union - fixed_elem_pods = fixed_elem.get_pods_set() - # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within - # covered_peer_pairs_union - extra_pods_list = [] - for p in fixed_elem_pods: - if src_first: - pods_to_add = set(dst for (src, dst) in self.covered_peer_pairs_union if src == p) - else: - pods_to_add = set(src for (src, dst) in self.covered_peer_pairs_union if dst == p) - extra_pods_list.append(pods_to_add) - # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within - # covered_peer_pairs_union - extra_pods_list_common = set() - if extra_pods_list: - extra_pods_list_common = set.intersection(*extra_pods_list) - - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, - fixed_elem, extra_pods_list_common)) - - if ip_block_elems: - # currently no grouping for ip blocks - for elem in ip_block_elems: - if src_first: - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - if dns_elems: - for elem in dns_elems: - if src_first: # do we need both if else? , dns_elem may be a dst always - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - return res - - def _create_merged_rules_set(self, is_src_first, fw_rules): - """ - Computing a minimized set of fw-rules by merging src/dst elements iteratively - :param is_src_first: a bool flag to indicate if merge process starts with src or dest - :param fw_rules: a list of initial fw-rules - :return: a list of minimized fw-rules after merge process - """ - initial_fw_rules = fw_rules.copy() - if not initial_fw_rules: - return [], 0 - count_fw_rules = dict() # map number of fw-rules per iteration number - max_iter = self.output_config.fwRulesMaxIter - convergence_iteration = max_iter - for i in range(0, max_iter): - fw_rules_after_merge = [] - count_fw_rules[i] = len(initial_fw_rules) - if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: - convergence_iteration = i - break - if i > 1 and self.output_config.fwRulesRunInTestMode: - assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." - # change the grouping target (src/dst) on each iteration - src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) - first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) - for elem in first_elem_set: - if src_first: - # TODO: equals or contained in? - set_for_grouping_elems = set(f.dst for f in initial_fw_rules if f.src == elem) - else: - set_for_grouping_elems = set(f.src for f in initial_fw_rules if f.dst == elem) - res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) - fw_rules_after_merge.extend(res) - # prepare for next iteration - initial_fw_rules = fw_rules_after_merge - if self.output_config.fwRulesDebug: - print('fw rules after iteration: ' + str(i)) - self._print_firewall_rules(initial_fw_rules) - - return initial_fw_rules, convergence_iteration - - # --------------------------------------------------------------------------------------------------------- - # below functions are for debugging : - - def _print_results_info(self): - print('----------------') - print('results_info_per_option: ') - for key in self.results_info_per_option: - val = self.results_info_per_option[key] - print(str(key) + ':' + str(val)) - print('----------------') - - def _print_firewall_rules(self, rules): - print('-------------------') - print('rules for connections: ' + str(self.connections)) - for rule in rules: - # filter out rule of a pod to itslef - # if rule.is_rule_trivial(): - # continue - print(rule) - - def get_src_dest_pairs_from_fw_rules(self, rules): - src_dest_pairs = [] - for rule in rules: - # compute set of pods derived from rule src and rule dest - if not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ - not isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set() - dest_set = rule.dst.get_pods_set() - - for src in src_set: - for dst in dest_set: - src_dest_pairs.append((src, dst)) - - elif isinstance(rule.src, IPBlockElement) and not isinstance(rule.dst, (IPBlockElement, DNSElement)): - dest_set = rule.dst.get_pods_set() - for dst in dest_set: - src_dest_pairs.append((rule.src.element, dst)) - - elif not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ - isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set() - for src in src_set: - src_dest_pairs.append((src, rule.dst.element)) - - for (src, dst) in src_dest_pairs: - if isinstance(src, IpBlock) and isinstance(dst, IpBlock): - src_dest_pairs.remove((src, dst)) - if isinstance(src, DNSEntry): # we should not get here but if somehow the src is dns-entry it will be removed - src_dest_pairs.remove((src, dst)) - - return set(src_dest_pairs) - - @staticmethod - def validate_ip_blocks(ips_list_1, ips_list_2): - ip_block_1 = IpBlock() - ip_block_2 = IpBlock() - for ip in ips_list_1: - ip_block_1 |= ip - for ip in ips_list_2: - ip_block_2 |= ip - return ip_block_1.contained_in(ip_block_2) - - # for testing - make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs - def check_peer_pairs_equivalence(self, rules): - orig_set = set(self.peer_pairs) - allowed_extra_set = set(self.covered_peer_pairs_union) # set(self.peer_pairs_in_containing_connections) - union_allowed_set = orig_set.union(allowed_extra_set) - results_set_orig = self.get_src_dest_pairs_from_fw_rules(rules) - - # direction 1: find justification for every pair in the result - for (src, dst) in results_set_orig: - if isinstance(src, ClusterEP) and isinstance(dst, ClusterEP) and not (src, dst) in union_allowed_set: - return False - elif isinstance(dst, IpBlock): - allowed_ips_from_res = [dst for (src1, dst) in results_set_orig if - src1 == src and isinstance(dst, IpBlock)] - allowed_ips_from_orig = [dst for (src1, dst) in union_allowed_set if - src1 == src and isinstance(dst, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_res, allowed_ips_from_orig): - return False - elif isinstance(src, IpBlock): - allowed_ips_from_res = [src for (src, dst1) in results_set_orig if - dst1 == dst and isinstance(src, IpBlock)] - allowed_ips_from_orig = [src for (src, dst1) in union_allowed_set if - dst1 == dst and isinstance(src, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_res, allowed_ips_from_orig): - return False - - # direction 2: make sure that any pair in the orig_set is covered in the result - for (src, dst) in orig_set: - if isinstance(src, ClusterEP) and isinstance(dst, ClusterEP) and not (src, dst) in results_set_orig: - if src != dst: # ignore trivial pairs - print('pair ' + str((src, dst)) + ' in orig_set but not in results_set_orig ') - return False - elif isinstance(dst, IpBlock): - allowed_ips_from_res = [dst for (src1, dst) in results_set_orig if - src1 == src and isinstance(dst, IpBlock)] - allowed_ips_from_orig = [dst for (src1, dst) in orig_set if src1 == src and isinstance(dst, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_orig, allowed_ips_from_res): - print('src: ' + str(src) + ' ip block from orig not covered in res ') - print(' orig ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_orig)) - print(' res ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_res)) - return False - elif isinstance(src, IpBlock): - allowed_ips_from_res = [src for (src, dst1) in results_set_orig if - dst1 == dst and isinstance(src, IpBlock)] - allowed_ips_from_orig = [src for (src, dst1) in orig_set if - dst1 == dst and isinstance(src, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_orig, allowed_ips_from_res): - print('dst: ' + str(dst) + ' ip block from orig not covered in res ') - print(' orig ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_orig)) - print(' res ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_res)) - return False - - return True - -# ================================================================================================================== - - class MinimizeFWRules: """ This is a class for minimizing and handling fw-rules globally for all connection sets @@ -571,7 +19,7 @@ class MinimizeFWRules: def __init__(self, fw_rules_map, cluster_info, output_config, results_map): """ create n object of MinimizeFWRules - :param fw_rules_map: a map from ConnectionSet to list[FWRule] - the list of minimized fw-rules per connection + :param fw_rules_map: a map from ConnectivityProperties to list[FWRule] - the list of minimized fw-rules per props :param cluster_info: an object of type ClusterInfo :param output_config: an object of type OutputConfiguration :param results_map: (temp, for debugging) a map from connection to results info @@ -680,35 +128,6 @@ def _get_all_rules_list_in_req_format(self, req_format): rules_dict[str(rule_obj)] = 1 return rules_list - @staticmethod - def minimize_firewall_rules(cluster_info, output_config, connections_sorted_by_size): - """ - Creates the set of minimized fw rules and prints to output - :param ClusterInfo cluster_info: the cluster info - :param OutputConfiguration output_config: the output configuration - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - cs_containment_map = MinimizeFWRules._build_connections_containment_map(connections_sorted_by_size) - fw_rules_map = defaultdict(list) - results_map = dict() - minimize_cs = MinimizeCsFwRules(cluster_info, output_config) - # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_pairs in connections_sorted_by_size: - # currently skip "no connections" - if not connections: - continue - # TODO: figure out why we have pairs with (ip,ip) ? - peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) - peer_pairs_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( - connections, peer_pairs_filtered, peer_pairs_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info - - minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) - return minimize_fw_rules - @staticmethod def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, peer_container, connectivity_restriction): @@ -719,46 +138,46 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - peers_to_connections = defaultdict(ConnectionSet) - # pick up all connection sets relating to the same peer set pairs + peers_to_props = defaultdict(ConnectivityProperties) + # pick up all connectivity propertoes relating to the same peer set pairs for cube in props: conn_cube = props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, peer_container, relevant_protocols) conn_cube.unset_all_but_peers() - peers_to_connections[ConnectivityProperties.make_conn_props(conn_cube)] |= conns - # now combine all peer set pairs relating to the same connection sets - connections_to_peers = defaultdict(ConnectivityProperties) - for peers, conns in peers_to_connections.items(): - connections_to_peers[conns] |= peers - connections_sorted_by_size = list(connections_to_peers.items()) - connections_sorted_by_size.sort(reverse=True) - return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) + peers_to_props[ConnectivityProperties.make_conn_props(conn_cube)] |= conns + # now combine all peer set pairs relating to the same connectivity properties + props_to_peers = defaultdict(ConnectivityProperties) + for peers, conns in peers_to_props.items(): + props_to_peers[conns] |= peers + props_sorted_by_size = list(props_to_peers.items()) + props_sorted_by_size.sort(reverse=True) + return MinimizeFWRules.minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size) @staticmethod - def minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size): + def minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size): """ Creates the set of minimized fw rules and prints to output :param ClusterInfo cluster_info: the cluster info :param OutputConfiguration output_config: the output configuration - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :param list props_sorted_by_size: the original connectivity graph in fw-rules format :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules """ - cs_containment_map = MinimizeFWRules._build_connections_containment_map_opt(connections_sorted_by_size) + props_containment_map = MinimizeFWRules._build_props_containment_map(props_sorted_by_size) fw_rules_map = defaultdict(list) results_map = dict() minimize_cs_opt = MinimizeCsFwRulesOpt(cluster_info, output_config) # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_props in connections_sorted_by_size: + for props, peer_props in props_sorted_by_size: # currently skip "no connections" - if not connections: + if not props: continue # TODO: figure out why we have pairs with (ip,ip) ? - peer_props_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_connection( - connections, peer_props, peer_props_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info + peer_props_in_containing_props = props_containment_map[props] + fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_prop( + props, peer_props, peer_props_in_containing_props) + fw_rules_map[props] = fw_rules + results_map[props] = results_per_info minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) return minimize_fw_rules @@ -773,29 +192,15 @@ def _get_peer_pairs_filtered(peer_pairs): return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) @staticmethod - def _build_connections_containment_map(connections_sorted_by_size): + def _build_props_containment_map(props_sorted_by_size): """ Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections - """ - cs_containment_map = defaultdict(set) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) - cs_containment_map[conn] |= peer_pairs_filtered - return cs_containment_map - - def _build_connections_containment_map_opt(connections_sorted_by_size): - """ - Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections - """ - cs_containment_map = defaultdict(ConnectivityProperties) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - cs_containment_map[conn] |= peer_pairs - return cs_containment_map + :param list props_sorted_by_size: the connectivity map in fw-rules format + :return: a map from connectivity properties to a set of peer pairs from containing properties + """ + props_containment_map = defaultdict(ConnectivityProperties) + for (props, _) in props_sorted_by_size: + for (other_props, peer_pairs) in props_sorted_by_size: + if other_props != props and props.contained_in(other_props): + props_containment_map[props] |= peer_pairs + return props_containment_map diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 1ce944c4c..bc38d2987 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -7,7 +7,6 @@ from enum import Enum from dataclasses import dataclass -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet, IpBlock, Pod, Peer, DNSEntry, BasePeerSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @@ -22,7 +21,7 @@ from nca.Utils.OutputConfiguration import OutputConfiguration from .QueryOutputHandler import QueryAnswer, DictOutputHandler, StringOutputHandler, \ PoliciesAndRulesExplanations, PodsListsExplanations, ConnectionsDiffExplanation, IntersectPodsExplanation, \ - PoliciesWithCommonPods, PeersAndConnections, ComputedExplanation + PoliciesWithCommonPods, PeersAndConnectivityProperties, ComputedExplanation from .NetworkLayer import NetworkLayerName from nca.Utils.ExplTracker import ExplTracker from nca.NetworkConfig import PeerContainer @@ -796,24 +795,6 @@ def exec(self): res.output_explanation = [ComputedExplanation(str_explanation=output_res)] return res - def get_connectivity_output_full(self, connections, peers, peers_to_compare): - """ - get the connectivity map output considering all connections in the output - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot and txt_no_fw_rules output - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :rtype (Union[str,dict], MinimizeFWRules) - """ - if self.output_config.outputFormat in ['dot', 'jpg', 'html']: - dot_full = self.dot_format_from_connections_dict(connections, peers) - return dot_full, None - if self.output_config.outputFormat == 'txt_no_fw_rules': - conns_wo_fw_rules = self._txt_no_fw_rules_format_from_connections_dict(connections, peers) - return conns_wo_fw_rules, None - # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_connections_dict(connections, peers_to_compare) - return formatted_rules, fw_rules - def get_props_output_full(self, props, all_peers): """ get the connectivity map output considering all connections in the output @@ -872,41 +853,6 @@ def get_props_output_split_by_tcp(self, props, all_peers): res_str = formatted_rules_tcp + formatted_rules_non_tcp return res_str - def _get_conn_graph(self, connections, peers): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for building connectivity graph - :rtype: ConnectivityGraph - :return the connectivity graph of the given connections and peers - """ - conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_edges(connections) - return conn_graph - - def _txt_no_fw_rules_format_from_connections_dict(self, connections, peers, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not - :rtype: str - :return the connectivity map in txt_no_fw_rules format: the connections between peers excluding connections - between workload to itself (without grouping as fw-rules). - """ - conn_graph = self._get_conn_graph(connections, peers) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) - - def dot_format_from_connections_dict(self, connections, peers, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :rtype str - :return the connectivity map in dot-format, considering connectivity_restriction if required - """ - conn_graph = self._get_conn_graph(connections, peers) - return conn_graph.get_connectivity_dot_format_str(connectivity_restriction, self.output_config.simplifyGraph) - def dot_format_from_props(self, props, peers, connectivity_restriction=None): """ :param ConnectivityProperties props: properties describing allowed connections @@ -935,20 +881,6 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:" if connectivity_restriction else None) - def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return the connectivity map in fw-rules, considering connectivity_restriction if required - :rtype: (Union[str, dict], MinimizeFWRules) - """ - conn_graph = self._get_conn_graph(connections, peers_to_compare) - fw_rules = conn_graph.get_minimized_firewall_rules() - formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) - return formatted_rules, fw_rules - def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction=None): """ :param ConnectivityProperties props: properties describing allowed connections @@ -1063,20 +995,20 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, :param bool props_based_on_config1: whether conn_diff_props represent connections present in config1 but not in config2 (the value True) or connections present in config2 but not in config1 (the value False) """ - no_conns = ConnectionSet() + no_props = ConnectivityProperties() for cube in conn_diff_props: conn_cube = conn_diff_props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) - conns1 = conns if props_based_on_config1 else no_conns - conns2 = no_conns if props_based_on_config1 else conns - if self.output_config.fullExplanation: # the same result for opt == 'true'/'debug' + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, self.config1.peer_container) + conns1 = conns if props_based_on_config1 else no_props + conns2 = no_props if props_based_on_config1 else conns + if self.output_config.fullExplanation: src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) - different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, - conns1, conns2)) + different_conns_list.append(PeersAndConnectivityProperties(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: - different_conns_list.append(PeersAndConnections(src_peers.rep(), dst_peers.rep(), conns1, conns2)) + different_conns_list.append(PeersAndConnectivityProperties(src_peers.rep(), dst_peers.rep(), conns1, conns2)) return @staticmethod @@ -1180,20 +1112,6 @@ def _get_updated_key(key, is_added): """ return key.replace("Changed", "Added") if is_added else key.replace("Changed", "Removed") - @staticmethod - def get_explanation_from_conn_graph(conn_graph, is_first_connectivity_result): - """ - :param conn_graph: a ConnectivityGraph with added/removed connections - :param is_first_connectivity_result: bool flag indicating if this is the first connectivity fw-rules computation - for the current semantic-diff query - :return: fw-rules summarizing added/removed connections (in required format and as MinimizeFWRules) - :rtype: Union[str, dict], MinimizeFWRules (dict if required format is yaml/json , str otherwise) - """ - fw_rules = conn_graph.get_minimized_firewall_rules() - # for csv format, adding the csv header only for the first connectivity fw-rules computation - fw_rules_output = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) - return fw_rules_output, fw_rules - def compute_explanation_for_key(self, key, is_added, props_data, is_first_connectivity_result): """ computes the explanation for given key and conn_graph with description and fw-rules results @@ -1271,31 +1189,9 @@ def get_results_for_computed_fw_rules(self, keys_list, removed_props_per_key, ad return res, explanation - def get_conn_graph_changed_conns(self, key, ip_blocks, is_added): - """ - create a ConnectivityGraph for changed (added/removed) connections per given key - :param key: the key (category) of changed connections - :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers - :param is_added: a bool flag indicating if connections are added or removed - :return: a ConnectivityGraph object - """ - old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - allowed_labels = (self.config1.get_allowed_labels()).union(self.config2.get_allowed_labels()) - topology_peers = new_peers | ip_blocks if is_added else old_peers | ip_blocks - # following query_name update is for adding query line descriptions for csv and md formats - updated_key = self._get_updated_key(key, is_added) - if self.output_config.queryName: - query_name = f'semantic_diff, config1: {self.config1.name}, config2: {self.config2.name}, key: {updated_key}' - else: - # omit the query name prefix if self.output_config.queryName is empty (single query from command line) - query_name = updated_key - output_config = OutputConfiguration(self.output_config, query_name) - return ConnectivityGraph(topology_peers, allowed_labels, output_config) - def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_container): """ - create a ConnectivityGraph for changed (added/removed) connections per given key + create an explanation for changed (added/removed) connections per given key :param key: the key (category) of changed connections :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers :param is_added: a bool flag indicating if connections are added or removed diff --git a/nca/NetworkConfig/NetworkLayer.py b/nca/NetworkConfig/NetworkLayer.py index 7e2c08212..52a1fd6c5 100644 --- a/nca/NetworkConfig/NetworkLayer.py +++ b/nca/NetworkConfig/NetworkLayer.py @@ -5,8 +5,7 @@ from bisect import insort from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.CoreDS.Peer import IpBlock, HostEP, PeerSet, DNSEntry +from nca.CoreDS.Peer import IpBlock, HostEP, PeerSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolSet import ProtocolSet diff --git a/nca/NetworkConfig/QueryOutputHandler.py b/nca/NetworkConfig/QueryOutputHandler.py index a57fd6925..ad3e206da 100644 --- a/nca/NetworkConfig/QueryOutputHandler.py +++ b/nca/NetworkConfig/QueryOutputHandler.py @@ -5,7 +5,7 @@ from abc import abstractmethod from dataclasses import dataclass, field -from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @dataclass @@ -43,7 +43,7 @@ def get_explanation_in_dict(self): # following classes describe possible OutputExplanation patterns (derived from it), each class consists of the # explanation fields that may appear together in one output_explanation and additional info for writing # the explanation if required -# PoliciesWithCommonPods and PeersAndConnections classes are helping classes for storing info on some OutputExplanation +# PoliciesWithCommonPods and PeersAndConnectivityProperties classes are helping classes for storing info on some OutputExplanation @dataclass class PoliciesWithCommonPods: """ @@ -230,14 +230,14 @@ def get_explanation_in_str(self): @dataclass -class PeersAndConnections: +class PeersAndConnectivityProperties: """ A class for holding info on connections between same peers pairs in two different configs """ src_peer: str = '' dst_peer: str = '' - conns1: ConnectionSet = field(default_factory=ConnectionSet) # connections from src to dst in first config - conns2: ConnectionSet = field(default_factory=ConnectionSet) # connections from src to dst in second config + conns1: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections from src to dst in first config + conns2: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections from src to dst in second config def __lt__(self, other): if self.src_peer == other.src_peer: @@ -250,17 +250,17 @@ class ConnectionsDiffExplanation(OutputExplanation): # used in following TwoNetworkConfigs queries that compare connections of pairs of peers in both configs: # EquivalenceQuery, StrongEquivalenceQuery, ContainmentQuery, TwoWayContainmentQuery, PermitsQuery, InterferesQuery, # PairwiseInterferesQuery, and ForbidsQuery - peers_diff_connections_list: list = field(default_factory=list) # list of PeersAndConnections objects, + peers_diff_connections_list: list = field(default_factory=list) # list of PeersAndConnectivityProperties objects, # storing info of pairs of peers and their connection in the config/s configs: list = field(default_factory=list) # list[str]: configs names, relevant only when we have the - # conns1 and conns2 in PeersAndConnections items , so we need them when calling ConnectionSet.print_diff + # conns1 and conns2 in PeersAndConnectivityProperties items, so we need them when calling ConnectivityProperties.print_diff # in get_explanation_in_str conns_diff: bool = False def get_explanation_in_dict(self): """ returns the explanation results of ConnectionsDiffExplanation and its description arranged in dict. - if self.conns_diff is True, i.e. PeersAndConnections items contain two connections, then for each + if self.conns_diff is True, i.e. PeersAndConnectivityProperties items contain two connections, then for each (src, dst) pair , connections from both configs will be presented to emphasize the differences :rtype list[dict] """ @@ -278,7 +278,7 @@ def get_explanation_in_dict(self): def get_explanation_in_str(self): """ returns the explanation result of ConnectionsDiffExplanation and its description in str. - When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnections items, the diff between + When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnectivityProperties items, the diff between connection of each pair is printed otherwise (having only conns1, connections from first config is printed) :rtype str diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json index 6918997f7..1a488bc22 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json @@ -14,7 +14,7 @@ { "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", - "conns_config1": "Protocol: TCP", + "conns_config1": "{'protocols': 'TCP'}", "conns_config2": "No connections" }, { diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt index 9fe82f7e6..af0973acf 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt @@ -1,4 +1,4 @@ global_np interferes with local_np Allowed connections from local_np which are extended in global_np: -src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication using protocol TCP while local_np does not. +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication on [protocols=TCP] while local_np does not src: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], description: global_np allows all connections while local_np does not. diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml index 7dca5f580..456a28b2e 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml @@ -14,7 +14,7 @@ ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', ''kube-system/vpn-858f6d9777-2bw5m'']' - conns_config1: 'Protocol: TCP' + conns_config1: '{''protocols'': ''TCP''}' conns_config2: No connections - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json index 5a01ea44b..1eafa5e2c 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json @@ -14,7 +14,7 @@ { "src": "['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd']", "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", - "conns_config1": "Protocol: TCP", + "conns_config1": "{'protocols': 'TCP'}", "conns_config2": "No connections" } ] diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt index ce3a46ba8..2ca69e33d 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt @@ -1,3 +1,3 @@ np_SupsetAllowFirst and np_SubsetDenyFirst are not semantically equivalent. Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst: -src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. +src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication on [protocols=TCP] while np_SubsetDenyFirst does not diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml index c6f78cb50..9d7995fec 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml @@ -16,5 +16,5 @@ ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', ''kube-system/vpn-858f6d9777-2bw5m'']' - conns_config1: 'Protocol: TCP' + conns_config1: '{''protocols'': ''TCP''}' conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt index ef33ae76f..a59203723 100644 --- a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt @@ -2,31 +2,31 @@ final fw rules for query: connectivity_map, config: ip: src: 0.0.0.0/0,::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: TCP {'dst_ports': '80', 'hosts': 'first.bar.com', 'paths': '/abc/def(/*)?'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: TCP {'dst_ports': '80', 'hosts': 'second.bar.com', 'paths': '(/xyz(/*)?)-(/xyz)'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: {protocols:TCP,dst_ports:210,hosts:first.bar.com,paths:(/abc(/*)?)-(/abc/def(/*)?)} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: {protocols:TCP,dst_ports:80,hosts:first.bar.com,paths:/abc/def(/*)?} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:213} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: {protocols:TCP,dst_ports:80,hosts:second.bar.com,paths:(/xyz(/*)?)-(/xyz)} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: {protocols:TCP,dst_ports:102,hosts:second.bar.com,paths:/xyz} src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: global-simple: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: TCP 200-250 -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [vendor-system] dst_pods: [*] conn: TCP 200-250 +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: {protocols:TCP,dst_ports:200-250} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:200-250} final fw rules for query: connectivity_map, config: global-simple-with-ingress: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [calico-node] conn: {protocols:TCP,dst_ports:210,hosts:first.bar.com,paths:(/abc(/*)?)-(/abc/def(/*)?)} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:213} final fw rules for query: connectivity_map, config: global-not-simple/testcase15-global-ports-not-simple-match-ingress-egress: -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} final fw rules for query: connectivity_map, config: global-not-simple/testcase15-global-ports-not-simple-mismatch-ingress-egress: final fw rules for query: connectivity_map, config: global-not-simple: -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} final fw rules for query: connectivity_map, config: global-not-simple-with-ingress: -src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: {protocols:TCP,dst_ports:102,hosts:second.bar.com,paths:/xyz} +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} diff --git a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt index d1e1d5d0e..8b7841d95 100644 --- a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt +++ b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt @@ -4,4 +4,4 @@ src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connectio src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt index fb613ac88..1ba0afd52 100644 --- a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt @@ -8,5 +8,5 @@ final fw rules for query: connectivity_map, config: np-ports-based: src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: TCP -src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: {protocols:TCP} +src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt index 6c3fb3e22..a724e6f67 100644 --- a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity, config: testcase25-config-1: -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt index 9a6c885c2..a8af6998e 100644 --- a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt +++ b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt @@ -4,4 +4,4 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [!has(tier)] conn: All connection src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [!has(tier)] conn: All connections -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt index 20007690b..15058f99c 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt index 239f0fbb8..1dbd701ea 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src: 0.0.0.0/0 dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,paths:/details(/*)?} For connections of type non-TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt index 6037c6402..ec8799766 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt index 64cdc6ddf..033ec7d8a 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt index 56236fbd2..ede1af064 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt @@ -6,8 +6,8 @@ src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pod src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,paths:/details(/*)?} src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt index e2906fca9..febcd85ac 100644 --- a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt +++ b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt @@ -1,10 +1,10 @@ testcase26-config-1-calico-ingress and allow-all-config are not semantically equivalent. Added connections between persistent peers (based on topology from config: allow-all-config) : -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but TCP,UDP +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:all but TCP, UDP} src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:9080,paths:/details(/*)?} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [app in (ratings,reviews)] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt index 8a263c506..196395dbf 100644 --- a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt +++ b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt @@ -3,7 +3,7 @@ np1/kube-system/ingress-networkpolicy-with-conflict-destination and global-allow Added connections between persistent peers (based on topology from config: global-allow-all) : src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:all but TCP} Added connections between persistent peers and ipBlocks (based on topology from config: global-allow-all) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt index 79804b5da..80f68a1a1 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt @@ -1,8 +1,8 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "Added connections between persistent peers","","","","","", -"","[default]","[*]","[kube-system]","[*]","All but TCP+UDP 53", +"","[default]","[*]","[kube-system]","[*]","All but {protocols:TCP, UDP,dst_ports:53}", "Removed connections between persistent peers","","","","","", -"","[kube-system,kube-system-dummy-to-ignore]","[*]","[kube-system]","[*]","TCP+UDP 53", "","[vendor-system]","[*]","[kube-system]","[*]","All connections", +"","[kube-system,kube-system-dummy-to-ignore]","[*]","[kube-system]","[*]","{protocols:TCP, UDP,dst_ports:53}", "Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0/0","[kube-system]","[*]","TCP+UDP 53", +"","","0.0.0.0/0","[kube-system]","[*]","{protocols:TCP, UDP,dst_ports:53}", diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt index 16abfb3ba..68c2011f0 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt @@ -1,9 +1,9 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |Added connections between persistent peers|||||| -||[default]|[*]|[kube-system]|[*]|All but TCP+UDP 53| +||[default]|[*]|[kube-system]|[*]|All but {protocols:TCP, UDP,dst_ports:53}| |Removed connections between persistent peers|||||| -||[kube-system,kube-system-dummy-to-ignore]|[*]|[kube-system]|[*]|TCP+UDP 53| ||[vendor-system]|[*]|[kube-system]|[*]|All connections| +||[kube-system,kube-system-dummy-to-ignore]|[*]|[kube-system]|[*]|{protocols:TCP, UDP,dst_ports:53}| |Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0/0|[kube-system]|[*]|TCP+UDP 53| +|||0.0.0.0/0|[kube-system]|[*]|{protocols:TCP, UDP,dst_ports:53}| diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt index 8d0d62349..3c705858b 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt @@ -1,11 +1,11 @@ testcase7-networkpolicy2.yaml and testcase7-networkpolicy1.yaml are not semantically equivalent. Added connections between persistent peers (based on topology from config: testcase7-networkpolicy1.yaml) : -src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP+UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP, UDP,dst_ports:53} Removed connections between persistent peers (based on topology from config: testcase7-networkpolicy2.yaml) : -src_ns: [kube-system,kube-system-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: TCP+UDP 53 +src_ns: [kube-system,kube-system-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} src_ns: [vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: testcase7-networkpolicy2.yaml) : -src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: TCP+UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt index b9bd18673..ca039aeda 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt @@ -18,17 +18,13 @@ - '*' connection: - All but: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: + - protocols: TCP, UDP + dst_ports: - 53 - description: Removed connections between persistent peers rules: - src_ns: - - kube-system - - kube-system-dummy-to-ignore + - vendor-system src_pods: - '*' dst_ns: @@ -36,14 +32,10 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 + - All connections - src_ns: - - vendor-system + - kube-system + - kube-system-dummy-to-ignore src_pods: - '*' dst_ns: @@ -51,7 +43,9 @@ dst_pods: - '*' connection: - - All connections + - protocols: TCP, UDP + dst_ports: + - 53 - description: Removed connections between persistent peers and ipBlocks rules: - src_ip_block: @@ -61,9 +55,6 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: + - protocols: TCP, UDP + dst_ports: - 53 diff --git a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt index bff16a3e8..22f847af4 100644 --- a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt @@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: TCP 3000 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: {protocols:TCP,dst_ports:3000} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections -src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: UDP 53 +src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: {protocols:TCP,dst_ports:3000} +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_one_chart.txt b/tests/expected_cmdline_output_files/helm_test_one_chart.txt index 6f3ef4cc0..b08f3794a 100644 --- a/tests/expected_cmdline_output_files/helm_test_one_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_one_chart.txt @@ -1,4 +1,4 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: TCP 6379,9121 -src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP 6379 \ No newline at end of file +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379,9121} +src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379} diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt index be9bb1efd..b376f8f07 100644 --- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt @@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt index be9bb1efd..b376f8f07 100644 --- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt @@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt index 86608c4a4..1eeab0e90 100644 --- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt @@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt index b81b1d99a..d04f1182c 100644 --- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt @@ -1,12 +1,12 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: {protocols:TCP,dst_ports:3000} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot index 317388fd5..5223c5e3b 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot +++ b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp5678 TCP {'dst_ports': '5678', 'pat...
tcp80 TCP {'dst_ports': '80', 'hosts...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp5678 {protocols:TCP,dst_ports:5678,...
tcp80 {protocols:TCP,dst_ports:80,ho...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" @@ -42,8 +42,8 @@ subgraph cluster_kube_system_namespace{ "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="{protocols:TCP,dst_ports:5678,paths:/foo(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="{protocols:TCP,dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system/kube-dns-livesim(Pod)" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "default/httpbin(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] @@ -61,7 +61,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
udp53 UDP 53
> shape=box] + dict_box [label=<
Connectivity legend
All All
udp53 {protocols:UDP,dst_ports:53}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" @@ -95,10 +95,10 @@ subgraph cluster_kube_system_namespace{ } "0.0.0.0/0" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/deployment-A(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/deployment-A(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "default/deployment-B(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/foo-app(Pod)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/deployment-B(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/foo-app(Pod)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-livesim(Pod)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index f5fafd8a5..10663c513 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'} -src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} +src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: {protocols:TCP,dst_ports:5678,paths:/foo(/*)?} +src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections @@ -12,7 +12,7 @@ src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system, For connections of type non-TCP, final fw rules for query: , config: **: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections src_ns: [istio-system,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/expected_cmdline_output_files/poc1_expl_output.txt b/tests/expected_cmdline_output_files/poc1_expl_output.txt index e02ea700f..32f32f887 100644 --- a/tests/expected_cmdline_output_files/poc1_expl_output.txt +++ b/tests/expected_cmdline_output_files/poc1_expl_output.txt @@ -1,20 +1,20 @@ final fw rules for query: , config: microservices-netpols.yaml: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/test4_expl_output.txt b/tests/expected_cmdline_output_files/test4_expl_output.txt index 74eaa83ef..59a3568f8 100644 --- a/tests/expected_cmdline_output_files/test4_expl_output.txt +++ b/tests/expected_cmdline_output_files/test4_expl_output.txt @@ -2,9 +2,9 @@ final fw rules for query: , config: test4-networkpolicy.yaml: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-90} +src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-88} Explainability results: diff --git a/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml b/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml index 99a6c4f6a..5023a0b85 100644 --- a/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml +++ b/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml @@ -7,13 +7,13 @@ networkConfigList: - calico-policy-deny-all.yaml expectedWarnings: 0 queries: -- name: match-icmp-also-within-default-test - connectivityMap: - - match-icmp-also-within-default - expected: 0 - outputConfiguration: - fwRulesRunInTestMode: false - expectedOutput: expected_output/calico-testcase14-scheme_output.txt +#- name: match-icmp-also-within-default-test +# connectivityMap: +# - match-icmp-also-within-default +# expected: 0 +# outputConfiguration: +# fwRulesRunInTestMode: false +# expectedOutput: expected_output/calico-testcase14-scheme_output.txt - name: match-icmp-also-within-default-test-yaml connectivityMap: - match-icmp-also-within-default diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt index c4cf9f37f..9b0bcbc0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: open-default-TCP-test, config: open-default-TCP: -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but UDPLite +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:all but UDPLite} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml index fac6ca1de..1f4df3fb7 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml @@ -13,5 +13,4 @@ dst_pods: - '*' connection: - - All but: - - Protocol: UDPLite + - protocols: all but UDPLite diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt index 4b9d60721..ba1d8db4d 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: match-icmp-also-within-default-test, config: match-icmp-also-within-default: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: ICMP {'icmp_type': '100', 'icmp_code': '230'} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: {'protocols': 'ICMP', 'icmp_type': '100', 'icmp_code': '230'} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml index 261801ce3..a239ccd50 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml @@ -13,9 +13,8 @@ dst_pods: - app=keepalived-watcher connection: - - Protocol: ICMP - properties: - - icmp_type: - - 100 - icmp_code: - - 230 \ No newline at end of file + - protocols: ICMP + icmp_type: + - 100 + icmp_code: + - 230 diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt index 97aaf90bb..1b2b261fb 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map_1, config: ports-rectangles/kube-syst src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [has_named_port=dns-local] conn: UDP {'src_ports': '80-100', 'dst_ports': '1-10052,10054-65535'} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [has_named_port=dns-local] conn: {protocols:UDP,src_ports:80-100,dst_ports:1-10052,10054-65535} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml index 3a4f21dca..559b0f51c 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml @@ -13,13 +13,12 @@ dst_pods: - has_named_port=dns-local connection: - - Protocol: UDP - properties: - - src_ports: - - 80-100 - dst_ports: - - 1-10052 - - 10054-65535 + - protocols: UDP + src_ports: + - 80-100 + dst_ports: + - 1-10052 + - 10054-65535 - src_ip_block: - 0.0.0.0/0 dst_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt index a23a77456..bf35aa9a3 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt @@ -1,10 +1,10 @@ final fw rules for query: Eran_gnps, config: Eran_gnps: -src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections src: 5.10.116.0/24,5.10.118.0/23,50.22.118.0/23,50.22.255.0/24,50.23.116.0/24,50.23.118.0/23,50.23.167.0/24,66.228.118.0/23,67.228.118.0/23,75.126.61.0/24,119.81.136.0/24,119.81.138.0/23,130.198.118.0/23,158.85.116.0/24,158.85.118.0/23,159.8.116.0/24,159.8.118.0/23,159.8.196.0/24,159.8.198.0/23,159.122.116.0/24,159.122.118.0/23,159.122.136.0/24,159.122.138.0/23,159.253.156.0/24,159.253.158.0/23,161.202.116.0/24,161.202.118.0/23,168.1.16.0/24,168.1.18.0/23,168.1.116.0/24,168.1.118.0/23,169.38.116.0/24,169.38.118.0/23,169.45.118.0/23,169.46.118.0/23,169.47.118.0/23,169.48.118.0/24,169.51.118.0/24,169.54.116.0/24,169.54.118.0/23,169.55.118.0/23,169.56.116.0/24,169.56.118.0/24,169.57.116.0/24,169.57.118.0/23,169.57.136.0/24,169.57.138.0/23,169.60.118.0/23,169.61.118.0/23,173.192.118.0/23,173.193.116.0/24,173.193.118.0/23,174.133.116.0/24,174.133.118.0/23,184.172.118.0/23,192.255.18.0/24,192.255.38.0/24,198.23.118.0/23,208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections src_ns: [None] src_pods: [vendor.role=worker_public] dst: 0.0.0.0/0 conn: All connections -src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311} src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml index dc4306108..db9bd9533 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml @@ -4,55 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -163,3 +114,40 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 + - src_ns: + - None + src_pods: + - vendor.role=worker_public + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt index 629b404b2..cf8158160 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_FirstDenySubset: -src_ns: [kube-system] src_pods: [app in (helm,keepalived-watcher,vpn)] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [app in (helm,keepalived-watcher,vpn)] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml index 269b61c06..8543b2b0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt index 9525c3363..c4f28df79 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_firstAllowSuperSet: -src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml index cc9847d44..743a44686 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt index d47671a1c..55f569261 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_onlyAllow: -src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml index 307e217b7..1639a4bc1 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt index 6adb05f8c..71ddde80e 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt @@ -1,4 +1,4 @@ final fw rules for query: connectivity_map, config: np_denyFirst: src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP +src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:all but TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml index 751307795..01a582004 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml @@ -13,8 +13,7 @@ dst_pods: - '*' connection: - - All but: - - Protocol: TCP + - protocols: all but TCP - src_ns: - kube-system src_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt index 18daf40d8..d5cd0cce5 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'dst_ports': '80', 'methods': 'GET'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,dst_ports:80,methods:GET} src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml index 65925aac6..1a08b2ebd 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml @@ -13,11 +13,10 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - dst_ports: - - 80 - methods: GET + - protocols: TCP + dst_ports: + - 80 + methods: GET - src_ns: - default src_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt index 6a21a4537..89a233b16 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'methods': 'all but GET'} -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: TCP {'methods': 'PUT'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,methods:all but GET} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: {protocols:TCP,methods:PUT} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml index 6c81212e7..5e95901d7 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml @@ -11,11 +11,10 @@ dst_ns: - default dst_pods: - - app=reviews + - app=details connection: - - Protocol: TCP - properties: - - methods: PUT + - protocols: TCP + methods: all but GET - src_ns: - default src_pods: @@ -23,11 +22,10 @@ dst_ns: - default dst_pods: - - app=details + - app=reviews connection: - - Protocol: TCP - properties: - - methods: all but GET + - protocols: TCP + methods: PUT - src_ns: - default src_pods: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt index c7f751f45..4a5c212e0 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'dst_ports': '80', 'methods': 'GET', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3'},{'dst_ports': '80', 'methods': 'GET', 'hosts': 'all but allowed-host.com, disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '80', 'methods': 'PUT', 'hosts': 'all but disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '80', 'methods': 'all but GET, PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'},{'dst_ports': '90', 'methods': 'GET, PUT', 'hosts': 'all but disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '100', 'methods': 'all but PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'},{'dst_ports': '100', 'methods': 'all but PUT', 'hosts': 'all but allowed-host.com', 'paths': '/some/path3'},{'dst_ports': '100', 'methods': 'PUT', 'paths': '/some/path3'},{'dst_ports': '1-79,81-89,91-99,101-65535', 'methods': 'all but PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,dst_ports:80,methods:GET,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3},{protocols:TCP,dst_ports:80,methods:GET,hosts:all but allowed-host.com, disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:80,methods:PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:80,methods:all but GET, PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{protocols:TCP,dst_ports:90,methods:GET, PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:100,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{protocols:TCP,dst_ports:100,methods:all but PUT,hosts:all but allowed-host.com,paths:/some/path3},{protocols:TCP,dst_ports:100,methods:PUT,paths:/some/path3},{protocols:TCP,dst_ports:1-79,81-89,91-99,101-65535,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml index 74479bbf6..41f96cef0 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml @@ -4,6 +4,14 @@ numerical_result: 0 explanation: - TCP_rules: + - src_ns: + - default + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections - src_ns: - default src_pods: @@ -13,63 +21,62 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - dst_ports: - - 80 - methods: GET - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3 - - dst_ports: - - 80 - methods: GET - hosts: all but allowed-host.com, disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 80 - methods: PUT - hosts: all but disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 80 - methods: all but GET, PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - dst_ports: - - 90 - methods: GET, PUT - hosts: all but disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 100 - methods: all but PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - dst_ports: - - 100 - methods: all but PUT - hosts: all but allowed-host.com - paths: /some/path3 - - dst_ports: - - 100 - methods: PUT - paths: /some/path3 - - dst_ports: - - 1-79 - - 81-89 - - 91-99 - - 101-65535 - methods: all but PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - src_ns: - - default - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - protocols: TCP + dst_ports: + - 80 + methods: GET + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3 + - protocols: TCP + dst_ports: + - 80 + methods: GET + hosts: all but allowed-host.com, disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - protocols: TCP + dst_ports: + - 80 + methods: PUT + hosts: all but disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - protocols: TCP + dst_ports: + - 80 + methods: all but GET, PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, /some/path2 + - protocols: TCP + dst_ports: + - 90 + methods: GET, PUT + hosts: all but disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - protocols: TCP + dst_ports: + - 100 + methods: all but PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, /some/path2 + - protocols: TCP + dst_ports: + - 100 + methods: all but PUT + hosts: all but allowed-host.com + paths: /some/path3 + - protocols: TCP + dst_ports: + - 100 + methods: PUT + paths: /some/path3 + - protocols: TCP + dst_ports: + - 1-79 + - 81-89 + - 91-99 + - 101-65535 + methods: all but PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, /some/path2 non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt index 3a445d907..d0b54ec3b 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'methods': 'GET', 'paths': '/info*'},{'methods': 'POST', 'paths': '/data'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,methods:GET,paths:/info*},{protocols:TCP,methods:POST,paths:/data} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml index 479e3c0b6..56c44d826 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml @@ -4,6 +4,14 @@ numerical_result: 0 explanation: - TCP_rules: + - src_ns: + - default + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections - src_ns: - default src_pods: @@ -13,20 +21,12 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - methods: GET - paths: /info* - - methods: POST - paths: /data - - src_ns: - - default - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - protocols: TCP + methods: GET + paths: /info* + - protocols: TCP + methods: POST + paths: /data non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt index 46b738ffd..c628dacae 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-deny-1, config: istio-test-operation-deny-1: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: TCP {'methods': 'all but GET'} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,methods:all but GET} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP {'methods': 'all but GET'} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,methods:all but GET} src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [app=details] dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml index 9a4dc0956..efd77f3f2 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml @@ -11,9 +11,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - properties: - - methods: all but GET + - protocols: TCP + methods: all but GET - src_ns: - default src_pods: @@ -23,9 +22,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - properties: - - methods: all but GET + - protocols: TCP + methods: all but GET - src_ip_block: - 0.0.0.0/0 dst_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt index 9b3ca6bdf..76f409cb8 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt @@ -1,11 +1,11 @@ For connections of type TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: TCP 26257 +src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:26257} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP 26257 +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:26257} For connections of type non-TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml index cc5165a1d..0d9aef2ef 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml @@ -11,8 +11,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 26257 - src_ns: - default @@ -24,8 +24,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 26257 - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt index be20d1830..b3b99f0aa 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: istio-policy2, config: istio-policy2: -src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 +src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:TCP,dst_ports:30,50} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 -src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: TCP 30,50 +src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:TCP,dst_ports:30,50} +src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:30,50} For connections of type non-TCP, final fw rules for query: istio-policy2, config: istio-policy2: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml index b07aea12c..697a639e2 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml @@ -12,8 +12,8 @@ dst_pods: - app=skydive connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 30 - 50 - src_ns: @@ -26,8 +26,8 @@ dst_pods: - app=skydive connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 30 - 50 - src_ns: @@ -39,8 +39,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 30 - 50 - src_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv index 2a79d8ad9..5708900c7 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv @@ -1,14 +1,14 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_csv, config: poc1","","","","","", -"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","TCP 3550", -"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","TCP 50051", -"","[default]","[frontend]","[default]","[shippingservice]","TCP 50051", -"","[default]","[frontend]","[default]","[checkoutservice]","TCP 5050", -"","[default]","[cartservice]","[default]","[redis-cart]","TCP 6379", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","TCP 7000", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","TCP 7070", -"","","0.0.0.0/0","[default]","[frontend]","TCP 8080", -"","[default]","[checkoutservice]","[default]","[emailservice]","TCP 8080", -"","[default]","[frontend]","[default]","[recommendationservice]","TCP 8080", -"","[default]","[loadgenerator]","[default]","[frontend]","TCP 8080", -"","[default]","[frontend]","[default]","[adservice]","TCP 9555", +"","","0.0.0.0/0","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", +"","[default]","[checkoutservice]","[default]","[emailservice]","{protocols:TCP,dst_ports:8080}", +"","[default]","[frontend]","[default]","[recommendationservice]","{protocols:TCP,dst_ports:8080}", +"","[default]","[loadgenerator]","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", +"","[default]","[frontend]","[default]","[adservice]","{protocols:TCP,dst_ports:9555}", +"","[default]","[frontend]","[default]","[checkoutservice]","{protocols:TCP,dst_ports:5050}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","{protocols:TCP,dst_ports:7070}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","{protocols:TCP,dst_ports:7000}", +"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","{protocols:TCP,dst_ports:3550}", +"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","{protocols:TCP,dst_ports:50051}", +"","[default]","[frontend]","[default]","[shippingservice]","{protocols:TCP,dst_ports:50051}", +"","[default]","[cartservice]","[default]","[redis-cart]","{protocols:TCP,dst_ports:6379}", diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot index 18504f73a..953a4c1bc 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
tcp3550 TCP 3550
tcp50051 TCP 50051
tcp5050 TCP 5050
tcp6379 TCP 6379
tcp7000 TCP 7000
tcp7070 TCP 7070
tcp8080 TCP 8080
tcp9555 TCP 9555
> shape=box] + dict_box [label=<
Connectivity legend
tcp3550 {protocols:TCP,dst_ports:3550}
tcp50051 {protocols:TCP,dst_ports:50051}
tcp5050 {protocols:TCP,dst_ports:5050}
tcp6379 {protocols:TCP,dst_ports:6379}
tcp7000 {protocols:TCP,dst_ports:7000}
tcp7070 {protocols:TCP,dst_ports:7070}
tcp8080 {protocols:TCP,dst_ports:8080}
tcp9555 {protocols:TCP,dst_ports:9555}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" @@ -24,23 +24,23 @@ subgraph cluster_default_namespace{ "default/redis-cart(Deployment)" [label=<
redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "default/shippingservice(Deployment)" [label=<
shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } - "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="TCP 6379" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="TCP 7000" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/emailservice(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/paymentservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/adservice(Deployment)"[label="tcp9555" labeltooltip="TCP 9555" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/checkoutservice(Deployment)"[label="tcp5050" labeltooltip="TCP 5050" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="TCP 7000" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/recommendationservice(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/loadgenerator(Deployment)" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/recommendationservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="{protocols:TCP,dst_ports:6379}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="{protocols:TCP,dst_ports:7070}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="{protocols:TCP,dst_ports:7000}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/emailservice(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/paymentservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/adservice(Deployment)"[label="tcp9555" labeltooltip="{protocols:TCP,dst_ports:9555}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="{protocols:TCP,dst_ports:7070}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/checkoutservice(Deployment)"[label="tcp5050" labeltooltip="{protocols:TCP,dst_ports:5050}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="{protocols:TCP,dst_ports:7000}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/recommendationservice(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/loadgenerator(Deployment)" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/recommendationservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md index c8df5ef6b..9538810bb 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md @@ -1,15 +1,15 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_md, config: poc1|||||| -||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|TCP 3550| -||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|TCP 50051| -||[default]|[frontend]|[default]|[shippingservice]|TCP 50051| -||[default]|[frontend]|[default]|[checkoutservice]|TCP 5050| -||[default]|[cartservice]|[default]|[redis-cart]|TCP 6379| -||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|TCP 7000| -||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|TCP 7070| -|||0.0.0.0/0|[default]|[frontend]|TCP 8080| -||[default]|[checkoutservice]|[default]|[emailservice]|TCP 8080| -||[default]|[frontend]|[default]|[recommendationservice]|TCP 8080| -||[default]|[loadgenerator]|[default]|[frontend]|TCP 8080| -||[default]|[frontend]|[default]|[adservice]|TCP 9555| +|||0.0.0.0/0|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| +||[default]|[checkoutservice]|[default]|[emailservice]|{protocols:TCP,dst_ports:8080}| +||[default]|[frontend]|[default]|[recommendationservice]|{protocols:TCP,dst_ports:8080}| +||[default]|[loadgenerator]|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| +||[default]|[frontend]|[default]|[adservice]|{protocols:TCP,dst_ports:9555}| +||[default]|[frontend]|[default]|[checkoutservice]|{protocols:TCP,dst_ports:5050}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|{protocols:TCP,dst_ports:7070}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|{protocols:TCP,dst_ports:7000}| +||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|{protocols:TCP,dst_ports:3550}| +||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|{protocols:TCP,dst_ports:50051}| +||[default]|[frontend]|[default]|[shippingservice]|{protocols:TCP,dst_ports:50051}| +||[default]|[cartservice]|[default]|[redis-cart]|{protocols:TCP,dst_ports:6379}| diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt index 39806a076..537d1cb01 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt @@ -1,13 +1,13 @@ final fw rules for query: connectivity_map, config: poc1: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml index 0c4af1724..9c9099b88 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml @@ -4,18 +4,16 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - productcatalogservice + - frontend connection: - - Protocol: TCP - Ports: - - 3550 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -23,11 +21,11 @@ dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - emailservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -35,47 +33,47 @@ dst_ns: - default dst_pods: - - shippingservice + - recommendationservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - frontend + - loadgenerator dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - - Protocol: TCP - Ports: - - 5050 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - cartservice + - frontend dst_ns: - default dst_pods: - - redis-cart + - adservice connection: - - Protocol: TCP - Ports: - - 6379 + - protocols: TCP + dst_ports: + - 9555 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - currencyservice + - checkoutservice connection: - - Protocol: TCP - Ports: - - 7000 + - protocols: TCP + dst_ports: + - 5050 - src_ns: - default src_pods: @@ -85,64 +83,66 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - - src_ip_block: - - 0.0.0.0/0 + - src_ns: + - default + src_pods: + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - frontend + - currencyservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - checkoutservice + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - emailservice + - productcatalogservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 3550 - src_ns: - default src_pods: - - frontend + - checkoutservice dst_ns: - default dst_pods: - - recommendationservice + - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: - - loadgenerator + - frontend dst_ns: - default dst_pods: - - frontend + - shippingservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: - - frontend + - cartservice dst_ns: - default dst_pods: - - adservice + - redis-cart connection: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 6379 diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt index 565a70e26..374f60857 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt @@ -1,18 +1,18 @@ final fw rules for query: connectivity_map, config: poc2: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml index 90c958705..2271900a7 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml @@ -4,112 +4,102 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - - default + - kube-system dst_pods: - - productcatalogservice + - '*' connection: - - Protocol: TCP - Ports: - - 3550 + - All connections - src_ns: - - default + - kube-system src_pods: - - checkoutservice - dst_ns: - - default - dst_pods: - - app in (paymentservice,shippingservice) + - '*' + dst_ip_block: + - 0.0.0.0/0 connection: - - Protocol: TCP - Ports: - - 50051 + - All connections - src_ns: - - default + - kube-system src_pods: - - frontend + - '*' dst_ns: - - default + - kube-system dst_pods: - - shippingservice + - '*' connection: - - Protocol: TCP - Ports: - - 50051 - - src_ns: - - default - src_pods: - - frontend + - All connections + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - - Protocol: TCP - Ports: - - 5050 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - cartservice + - checkoutservice dst_ns: - default dst_pods: - - redis-cart + - emailservice connection: - - Protocol: TCP - Ports: - - 6379 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - currencyservice + - recommendationservice connection: - - Protocol: TCP - Ports: - - 7000 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - loadgenerator dst_ns: - default dst_pods: - - cartservice + - frontend connection: - - Protocol: TCP - Ports: - - 7070 - - src_ip_block: - - 0.0.0.0/0 + - protocols: TCP + dst_ports: + - 8080 + - src_ns: + - kube-system + src_pods: + - '*' dst_ns: - default dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default src_pods: - - checkoutservice + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - - default + - kube-system dst_pods: - - emailservice + - '*' connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: UDP + dst_ports: + - 53 - src_ns: - default src_pods: @@ -117,82 +107,92 @@ dst_ns: - default dst_pods: - - recommendationservice + - adservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 9555 - src_ns: - default src_pods: - - loadgenerator + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 5050 - src_ns: - - kube-system + - default src_pods: - - '*' + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - frontend + - cartservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 7070 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - adservice + - currencyservice connection: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - - kube-system + - default dst_pods: - - '*' + - productcatalogservice connection: - - Protocol: UDP - Ports: - - 53 - - src_ip_block: - - 0.0.0.0/0 + - protocols: TCP + dst_ports: + - 3550 + - src_ns: + - default + src_pods: + - checkoutservice dst_ns: - - kube-system + - default dst_pods: - - '*' + - app in (paymentservice,shippingservice) connection: - - All connections + - protocols: TCP + dst_ports: + - 50051 - src_ns: - - kube-system + - default src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 + - frontend + dst_ns: + - default + dst_pods: + - shippingservice connection: - - All connections + - protocols: TCP + dst_ports: + - 50051 - src_ns: - - kube-system + - default src_pods: - - '*' + - cartservice dst_ns: - - kube-system + - default dst_pods: - - '*' + - redis-cart connection: - - All connections + - protocols: TCP + dst_ports: + - 6379 diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt index fc3189565..5d5f15f7c 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt @@ -1,15 +1,15 @@ final fw rules for query: connectivity_map, config: poc3: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml index 99327d1ff..9800bcfe1 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml @@ -4,18 +4,16 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - productcatalogservice + - frontend connection: - - Protocol: TCP - Ports: - - 3550 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -23,11 +21,11 @@ dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - emailservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -35,117 +33,119 @@ dst_ns: - default dst_pods: - - shippingservice + - recommendationservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - frontend + - loadgenerator dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - - Protocol: TCP - Ports: - - 5050 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - - default + - kube-system src_pods: - - cartservice + - '*' dst_ns: - default dst_pods: - - redis-cart + - frontend connection: - - Protocol: TCP - Ports: - - 6379 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - - default + - kube-system dst_pods: - - currencyservice + - k8s-app=kube-dns connection: - - Protocol: TCP - Ports: - - 7000 + - protocols: UDP + dst_ports: + - 53 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - cartservice + - adservice connection: - - Protocol: TCP - Ports: - - 7070 - - src_ip_block: - - 0.0.0.0/0 + - protocols: TCP + dst_ports: + - 9555 + - src_ns: + - default + src_pods: + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 5050 - src_ns: - default src_pods: - - checkoutservice + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - emailservice + - cartservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 7070 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - recommendationservice + - currencyservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - loadgenerator + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - frontend + - productcatalogservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 3550 - src_ns: - - kube-system + - default src_pods: - - '*' + - checkoutservice dst_ns: - default dst_pods: - - frontend + - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: @@ -153,20 +153,20 @@ dst_ns: - default dst_pods: - - adservice + - shippingservice connection: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - cartservice dst_ns: - - kube-system + - default dst_pods: - - k8s-app=kube-dns + - redis-cart connection: - - Protocol: UDP - Ports: - - 53 + - protocols: TCP + dst_ports: + - 6379 diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt index c70ca8299..01ce54c0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt @@ -1,18 +1,18 @@ final fw rules for query: connectivity_map, config: poc4: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23,8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:23,8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml index 8f7438933..a5c8548a4 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml @@ -4,6 +4,18 @@ numerical_result: 0 explanation: - rules: + - src_ns: + - default + src_pods: + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + dst_ns: + - kube-system + dst_pods: + - k8s-app=kube-dns + connection: + - protocols: UDP + dst_ports: + - 53 - src_ns: - default src_pods: @@ -13,22 +25,20 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 23 - 8080 - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - productcatalogservice + - frontend connection: - - Protocol: TCP - Ports: - - 3550 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -36,11 +46,11 @@ dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - emailservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: @@ -48,47 +58,47 @@ dst_ns: - default dst_pods: - - shippingservice + - recommendationservice connection: - - Protocol: TCP - Ports: - - 50051 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - - default + - kube-system src_pods: - - frontend + - '*' dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - - Protocol: TCP - Ports: - - 5050 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - cartservice + - frontend dst_ns: - default dst_pods: - - redis-cart + - adservice connection: - - Protocol: TCP - Ports: - - 6379 + - protocols: TCP + dst_ports: + - 9555 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - currencyservice + - checkoutservice connection: - - Protocol: TCP - Ports: - - 7000 + - protocols: TCP + dst_ports: + - 5050 - src_ns: - default src_pods: @@ -98,55 +108,45 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - frontend - connection: - - Protocol: TCP - Ports: - - 8080 - src_ns: - default src_pods: - - checkoutservice + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - emailservice + - currencyservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - recommendationservice + - productcatalogservice connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 3550 - src_ns: - - kube-system + - default src_pods: - - '*' + - checkoutservice dst_ns: - default dst_pods: - - frontend + - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: @@ -154,23 +154,23 @@ dst_ns: - default dst_pods: - - adservice + - shippingservice connection: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - cartservice dst_ns: - - kube-system + - default dst_pods: - - k8s-app=kube-dns + - redis-cart connection: - - Protocol: UDP - Ports: - - 53 + - protocols: TCP + dst_ports: + - 6379 - src_ip_block: - 0.0.0.0/0 dst_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt index 114ae4a89..49f968e95 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt @@ -1,4 +1,4 @@ poc3 and poc4 are not semantically equivalent. Added connections between persistent peers (based on topology from config: poc4) : -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23 +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:23} diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml index c7fa67f1d..eac35b271 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml @@ -16,6 +16,6 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 23 diff --git a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt index 4aeb2cf69..7e078ef74 100644 --- a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np3: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default,kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 11-16,21-23,34,42,44,46,56,65-66,TCP 24-26,41,43,45,52-55,62-64,71,73,75,77,79,81-84,UDP 31-33,35-36,57-59,67-68,72,74,76,78,86-89 +src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:11-16,21-26,34,41-46,52-56,62-66,71,73,75,77,79,81-84},{protocols:UDP,dst_ports:11-16,21-23,31-36,42,44,46,56-59,65-68,72,74,76,78,86-89} diff --git a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml index cfbf29275..f3b87a1b3 100644 --- a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml @@ -4,6 +4,34 @@ numerical_result: 0 explanation: - rules: + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - All connections + - src_ns: + - default + - kube-system-new + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections + - src_ns: + - default + - kube-system-new + src_pods: + - '*' + dst_ns: + - default + dst_pods: + - '*' + connection: + - All connections - src_ns: - default - kube-system-new @@ -14,8 +42,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 11-16 - 21-26 - 34 @@ -28,8 +56,8 @@ - 77 - 79 - 81-84 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 11-16 - 21-23 - 31-36 @@ -43,31 +71,3 @@ - 76 - 78 - 86-89 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - '*' - connection: - - All connections - - src_ns: - - default - - kube-system-new - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections - - src_ns: - - default - - kube-system-new - src_pods: - - '*' - dst_ns: - - default - dst_pods: - - '*' - connection: - - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv index 94aeeff6f..698ef4a66 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv @@ -15,8 +15,8 @@ "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks","","","","","", "","","0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0/0","[default]","[app=app-2]","All but UDP 53", "","","0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections", +"","","0.0.0.0/0","[default]","[app=app-2]","All but {protocols:UDP,dst_ports:53}", "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers","","","","","", "","[default]","[app in (app-5,app-6)]","[default]","[app in (app-0,app-1)]","All connections", "","[default]","[app not in (app-5,app-6)]","[default]","[app in (app-5,app-6)]","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md index 79aed5d87..31c2f2aed 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md @@ -16,8 +16,8 @@ |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks|||||| |||0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0/0|[default]|[app=app-2]|All but UDP 53| |||0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections| +|||0.0.0.0/0|[default]|[app=app-2]|All but {protocols:UDP,dst_ports:53}| |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers|||||| ||[default]|[app in (app-5,app-6)]|[default]|[app in (app-0,app-1)]|All connections| ||[default]|[app not in (app-5,app-6)]|[default]|[app in (app-5,app-6)]|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt index 1176223ce..0baec2898 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt @@ -23,7 +23,7 @@ src: 0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255 dst_ Removed connections between persistent peers and ipBlocks (based on topology from config: config_a_with_ipBlock) : src: 0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but {protocols:UDP,dst_ports:53} New connections between persistent peers and added peers (based on topology from config: config_b_with_ipBlock) : src_ns: [default] src_pods: [app in (app-5,app-6)] dst_ns: [default] dst_pods: [app in (app-0,app-1)] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml index 262c06561..80a1d1510 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml @@ -112,17 +112,6 @@ - All connections - description: Removed connections between persistent peers and ipBlocks rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/5 - 10.11.0.0/16 @@ -139,6 +128,17 @@ - app=app-2 connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - app=app-2 + connection: + - All but: + - protocols: UDP + dst_ports: + - 53 - description: New connections between persistent peers and added peers rules: - src_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv index 8ce3bc054..df6bff4ad 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv @@ -6,7 +6,7 @@ "","[kube-system]","[tier=frontend]","[default,kube-system-dummy-to-ignore,vendor-system]","[*]","All connections", "","[kube-system]","[tier=frontend]","[kube-system]","[!has(tier) or tier=not_frontend_for_demo]","All connections", "semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but UDP 53", "","","10.0.0.0/8,172.21.0.0/16,172.30.0.0/16","[kube-system]","[tier=frontend]","All connections", +"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but {protocols:UDP,dst_ports:53}", "semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks","","","","","", "","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md index 2931c20de..b252725f0 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md @@ -7,7 +7,7 @@ ||[kube-system]|[tier=frontend]|[default,kube-system-dummy-to-ignore,vendor-system]|[*]|All connections| ||[kube-system]|[tier=frontend]|[kube-system]|[!has(tier) or tier=not_frontend_for_demo]|All connections| |semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but UDP 53| |||10.0.0.0/8,172.21.0.0/16,172.30.0.0/16|[kube-system]|[tier=frontend]|All connections| +|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but {protocols:UDP,dst_ports:53}| |semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks|||||| ||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt index efd603fbc..b8b3abef7 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt @@ -9,7 +9,7 @@ src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [default,kube-system-dum src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections Added connections between persistent peers and ipBlocks (based on topology from config: np4) : -src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but {protocols:UDP,dst_ports:53} src: 10.0.0.0/8,172.21.0.0/16,172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml index 9626fbdad..396756b02 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml @@ -56,26 +56,26 @@ - description: Added connections between persistent peers and ipBlocks rules: - src_ip_block: - - 0.0.0.0/0 + - 10.0.0.0/8 + - 172.21.0.0/16 + - 172.30.0.0/16 dst_ns: - kube-system dst_pods: - tier=frontend connection: - - All but: - - Protocol: UDP - Ports: - - 53 + - All connections - src_ip_block: - - 10.0.0.0/8 - - 172.21.0.0/16 - - 172.30.0.0/16 + - 0.0.0.0/0 dst_ns: - kube-system dst_pods: - tier=frontend connection: - - All connections + - All but: + - protocols: UDP + dst_ports: + - 53 - description: Removed connections between persistent peers and ipBlocks rules: - src_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv index 84331132b..f993d9b85 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv @@ -1,11 +1,11 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}", "semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md index 63545d5f7..66f2947a7 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md @@ -1,13 +1,13 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}| |semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt index 04a3da137..87a757e97 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt @@ -1,17 +1,17 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53} Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53} np1 and np3 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np3) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53} Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53} np2 and np3 have the same network topology and the same set of policies. diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml index 3b83e224d..d87e6ac45 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml @@ -37,8 +37,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules: @@ -72,8 +72,8 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - query: semantic_diff_ipblocks_equivalence configs: @@ -114,8 +114,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules: @@ -149,8 +149,8 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - query: semantic_diff_ipblocks_equivalence configs: diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv index 9f4722825..36754e3a6 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv @@ -1,5 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}", "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53", +"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md index c1815eaac..51ced91c1 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md @@ -1,6 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}| |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53| +|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt index 30b4d61b6..133f7d49a 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt @@ -1,7 +1,7 @@ np1 and np2 are not semantically equivalent. Added connections between persistent peers and ipBlocks (based on topology from config: np2) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53} Removed connections between persistent peers and ipBlocks (based on topology from config: np1) : -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml index 2b637846a..e6c4fee93 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml @@ -37,8 +37,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules: @@ -72,6 +72,6 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt index 0c47b208d..ce510c6aa 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt @@ -1,7 +1,7 @@ np1_named_ports and np2_named_ports are not semantically equivalent. Added connections between persistent peers (based on topology from config: np2_named_ports) : -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: {protocols:TCP,dst_ports:10054} Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) : -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054 +src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: {protocols:TCP,dst_ports:10054} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv index b850aa9f0..0e2fb724f 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv @@ -1,5 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers","","","","","", -"","[default,kube-system,kube-system-dummy-to-ignore,vendor-system]","[*]","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","TCP 10054", +"","[default,kube-system,kube-system-dummy-to-ignore,vendor-system]","[*]","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","{protocols:TCP,dst_ports:10054}", "semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0/0","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","TCP 10054", +"","","0.0.0.0/0","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","{protocols:TCP,dst_ports:10054}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md index 7a71b913a..2ff5fa127 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md @@ -1,6 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers|||||| -||[default,kube-system,kube-system-dummy-to-ignore,vendor-system]|[*]|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|TCP 10054| +||[default,kube-system,kube-system-dummy-to-ignore,vendor-system]|[*]|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|{protocols:TCP,dst_ports:10054}| |semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers and ipBlocks|||||| -|||0.0.0.0/0|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|TCP 10054| +|||0.0.0.0/0|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|{protocols:TCP,dst_ports:10054}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt index 4a597d7a8..ef246a63e 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt @@ -1,7 +1,7 @@ np1_named_ports and np2_named_ports are not semantically equivalent. Added connections between persistent peers (based on topology from config: np2_named_ports) : -src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 10054 +src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:10054} Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) : -src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 10054 +src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:10054} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml index 82d3155eb..3a1e6095d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml @@ -19,8 +19,8 @@ dst_pods: - kube-dns-amd64-d66bf76db connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 10054 - description: Added connections between persistent peers and ipBlocks rules: @@ -31,6 +31,6 @@ dst_pods: - kube-dns-amd64-d66bf76db connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 10054 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv index 5c4e25733..826147a4c 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv @@ -1,5 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: new1, config2: old1, key: Added connections between persistent peers","","","","","", -"","[demo]","[bank-ui]","[demo]","[account-command]","All but TCP+UDP 8080,TCP 9090", +"","[demo]","[bank-ui]","[demo]","[account-command]","All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080}", "semantic_diff, config1: new1, config2: old1, key: Removed connections between persistent peers","","","","","", -"","[demo]","[account-query]","[demo]","[bank-ui]","All but TCP 8080", +"","[demo]","[account-query]","[demo]","[bank-ui]","All but {protocols:TCP,dst_ports:8080}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md index 8df750873..89db7f42a 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md @@ -1,6 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: new1, config2: old1, key: Added connections between persistent peers|||||| -||[demo]|[bank-ui]|[demo]|[account-command]|All but TCP+UDP 8080,TCP 9090| +||[demo]|[bank-ui]|[demo]|[account-command]|All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080}| |semantic_diff, config1: new1, config2: old1, key: Removed connections between persistent peers|||||| -||[demo]|[account-query]|[demo]|[bank-ui]|All but TCP 8080| +||[demo]|[account-query]|[demo]|[bank-ui]|All but {protocols:TCP,dst_ports:8080}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt index 5e13c79df..8f92295ef 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt @@ -1,7 +1,7 @@ new1 and old1 are not semantically equivalent. Added connections between persistent peers (based on topology from config: old1) : -src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All but TCP+UDP 8080,TCP 9090 +src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080} Removed connections between persistent peers (based on topology from config: new1) : -src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: All but TCP 8080 +src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: All but {protocols:TCP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml index 3a402964f..3d18044f1 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml @@ -17,12 +17,12 @@ - account-command connection: - All but: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - 9090 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 8080 - description: Removed connections between persistent peers rules: @@ -36,6 +36,6 @@ - bank-ui connection: - All but: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv index d36750f94..75bcc0993 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv @@ -1,6 +1,6 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: new1a, config2: old1, key: Added connections between persistent peers","","","","","", -"","[demo]","[account-query]","[demo]","[bank-ui]","TCP 8080", "","[demo]","[bank-ui]","[demo]","[account-command]","All connections", +"","[demo]","[account-query]","[demo]","[bank-ui]","{protocols:TCP,dst_ports:8080}", "semantic_diff, config1: new1a, config2: old1, key: Removed connections between persistent peers","","","","","", -"","[demo]","[account-query]","[demo]","[bank-ui]","UDP 8080", +"","[demo]","[account-query]","[demo]","[bank-ui]","{protocols:UDP,dst_ports:8080}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md index 81678161f..48b7f802d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md @@ -1,7 +1,7 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: new1a, config2: old1, key: Added connections between persistent peers|||||| -||[demo]|[account-query]|[demo]|[bank-ui]|TCP 8080| ||[demo]|[bank-ui]|[demo]|[account-command]|All connections| +||[demo]|[account-query]|[demo]|[bank-ui]|{protocols:TCP,dst_ports:8080}| |semantic_diff, config1: new1a, config2: old1, key: Removed connections between persistent peers|||||| -||[demo]|[account-query]|[demo]|[bank-ui]|UDP 8080| +||[demo]|[account-query]|[demo]|[bank-ui]|{protocols:UDP,dst_ports:8080}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt index 5fe1880c3..63b4bb478 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt @@ -1,8 +1,8 @@ new1a and old1 are not semantically equivalent. Added connections between persistent peers (based on topology from config: old1) : -src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: TCP 8080 +src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: {protocols:TCP,dst_ports:8080} src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All connections Removed connections between persistent peers (based on topology from config: new1a) : -src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: UDP 8080 +src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: {protocols:UDP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml index 40da9b200..1dee098ab 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml @@ -10,25 +10,25 @@ - src_ns: - demo src_pods: - - account-query + - bank-ui dst_ns: - demo dst_pods: - - bank-ui + - account-command connection: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - demo src_pods: - - bank-ui + - account-query dst_ns: - demo dst_pods: - - account-command + - bank-ui connection: - - All connections + - protocols: TCP + dst_ports: + - 8080 - description: Removed connections between persistent peers rules: - src_ns: @@ -40,6 +40,6 @@ dst_pods: - bank-ui connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt index 4e62f3db8..8a37c621b 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt @@ -1,5 +1,5 @@ Added connections between persistent peers (based on topology from config: old1) : -demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : TCP 8080 -demo/bank-ui[DaemonSet] => demo/account-command[DaemonSet] : All Connections +demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:TCP,dst_ports:8080} +demo/bank-ui[DaemonSet] => demo/account-command[DaemonSet] : All connections Removed connections between persistent peers (based on topology from config: new1a) : -demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : UDP 8080 \ No newline at end of file +demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:UDP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv index 20ec1505d..f2eb3c453 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv @@ -1,5 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: new2, config2: old2, key: Added connections between persistent peers","","","","","", -"","[demo]","[bank-ui]","[demo]","[account-command]","TCP 8080,UDP 9090,SCTP 7070", +"","[demo]","[bank-ui]","[demo]","[account-command]","{protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070}", "semantic_diff, config1: new2, config2: old2, key: Removed connections between persistent peers","","","","","", -"","[demo]","[bank-ui]","[demo]","[account-command]","TCP 8082,UDP 9091", +"","[demo]","[bank-ui]","[demo]","[account-command]","{protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json index 028878497..e5c9d0853 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json @@ -26,20 +26,20 @@ ], "connection": [ { - "Protocol": "TCP", - "Ports": [ + "protocols": "TCP", + "dst_ports": [ 8080 ] }, { - "Protocol": "UDP", - "Ports": [ + "protocols": "UDP", + "dst_ports": [ 9090 ] }, { - "Protocol": "SCTP", - "Ports": [ + "protocols": "SCTP", + "dst_ports": [ 7070 ] } @@ -65,14 +65,14 @@ ], "connection": [ { - "Protocol": "TCP", - "Ports": [ + "protocols": "TCP", + "dst_ports": [ 8082 ] }, { - "Protocol": "UDP", - "Ports": [ + "protocols": "UDP", + "dst_ports": [ 9091 ] } diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md index 3c152dceb..d6d0e871b 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md @@ -1,6 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: new2, config2: old2, key: Added connections between persistent peers|||||| -||[demo]|[bank-ui]|[demo]|[account-command]|TCP 8080,UDP 9090,SCTP 7070| +||[demo]|[bank-ui]|[demo]|[account-command]|{protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070}| |semantic_diff, config1: new2, config2: old2, key: Removed connections between persistent peers|||||| -||[demo]|[bank-ui]|[demo]|[account-command]|TCP 8082,UDP 9091| +||[demo]|[bank-ui]|[demo]|[account-command]|{protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt index 996daece7..946ed50fb 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt @@ -1,7 +1,7 @@ new2 and old2 are not semantically equivalent. Added connections between persistent peers (based on topology from config: old2) : -src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: TCP 8080,UDP 9090,SCTP 7070 +src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: {protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070} Removed connections between persistent peers (based on topology from config: new2) : -src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: TCP 8082,UDP 9091 +src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: {protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091} diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml index b3f06500b..ec8db9818 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml @@ -16,14 +16,14 @@ dst_pods: - account-command connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 9090 - - Protocol: SCTP - Ports: + - protocols: SCTP + dst_ports: - 7070 - description: Removed connections between persistent peers rules: @@ -36,9 +36,9 @@ dst_pods: - account-command connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8082 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 9091 diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv index 0ba4d2d49..5267134f5 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv @@ -1,17 +1,5 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers","","","","","", -"","[default]","[*]","[default]","[productcatalogservice]","All but TCP 3550", -"","[default]","[recommendationservice]","[default]","[*]","All but TCP 3550", -"","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but TCP 50051", -"","[default]","[*]","[default]","[checkoutservice]","All but TCP 5050", -"","[default]","[cartservice]","[default]","[*]","All but TCP 6379", -"","[default]","[*]","[default]","[currencyservice]","All but TCP 7000", -"","[default]","[*]","[default]","[cartservice]","All but TCP 7070", -"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but TCP 8080", -"","[default]","[loadgenerator]","[default]","[*]","All but TCP 8080", -"","[kube-system]","[*]","[default]","[*]","All but TCP 8080", -"","[default]","[*]","[default]","[adservice]","All but TCP 9555", -"","[default]","[*]","[kube-system]","[*]","All but UDP 53", "","[default,kube-system]","[*]","[default]","[loadgenerator]","All connections", "","[default]","[*]","[kube-system]","[etcd-operator]","All connections", "","[default]","[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]","[default,kube-system]","[*]","All connections", @@ -21,7 +9,19 @@ "","[default]","[loadgenerator]","[default]","[app not in (frontend,loadgenerator)]","All connections", "","[default]","[recommendationservice]","[default]","[app not in (loadgenerator,productcatalogservice,recommendationservice)]","All connections", "","[kube-system]","[*]","[default]","[app not in (frontend,loadgenerator)]","All connections", +"","[default]","[*]","[kube-system]","[*]","All but {protocols:UDP,dst_ports:53}", +"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but {protocols:TCP,dst_ports:8080}", +"","[default]","[loadgenerator]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", +"","[kube-system]","[*]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", +"","[default]","[*]","[default]","[adservice]","All but {protocols:TCP,dst_ports:9555}", +"","[default]","[*]","[default]","[checkoutservice]","All but {protocols:TCP,dst_ports:5050}", +"","[default]","[*]","[default]","[cartservice]","All but {protocols:TCP,dst_ports:7070}", +"","[default]","[*]","[default]","[currencyservice]","All but {protocols:TCP,dst_ports:7000}", +"","[default]","[*]","[default]","[productcatalogservice]","All but {protocols:TCP,dst_ports:3550}", +"","[default]","[recommendationservice]","[default]","[*]","All but {protocols:TCP,dst_ports:3550}", +"","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but {protocols:TCP,dst_ports:50051}", +"","[default]","[cartservice]","[default]","[*]","All but {protocols:TCP,dst_ports:6379}", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks","","","","","", -"","","0.0.0.0/0","[default]","[*]","All but TCP 8080", "","","0.0.0.0/0","[default]","[app!=frontend]","All connections", "","[default]","[*]","","0.0.0.0/0","All connections", +"","","0.0.0.0/0","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md index 68266e251..c5a583351 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md @@ -1,18 +1,6 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers|||||| -||[default]|[*]|[default]|[productcatalogservice]|All but TCP 3550| -||[default]|[recommendationservice]|[default]|[*]|All but TCP 3550| -||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but TCP 50051| -||[default]|[*]|[default]|[checkoutservice]|All but TCP 5050| -||[default]|[cartservice]|[default]|[*]|All but TCP 6379| -||[default]|[*]|[default]|[currencyservice]|All but TCP 7000| -||[default]|[*]|[default]|[cartservice]|All but TCP 7070| -||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but TCP 8080| -||[default]|[loadgenerator]|[default]|[*]|All but TCP 8080| -||[kube-system]|[*]|[default]|[*]|All but TCP 8080| -||[default]|[*]|[default]|[adservice]|All but TCP 9555| -||[default]|[*]|[kube-system]|[*]|All but UDP 53| ||[default,kube-system]|[*]|[default]|[loadgenerator]|All connections| ||[default]|[*]|[kube-system]|[etcd-operator]|All connections| ||[default]|[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]|[default,kube-system]|[*]|All connections| @@ -22,7 +10,19 @@ ||[default]|[loadgenerator]|[default]|[app not in (frontend,loadgenerator)]|All connections| ||[default]|[recommendationservice]|[default]|[app not in (loadgenerator,productcatalogservice,recommendationservice)]|All connections| ||[kube-system]|[*]|[default]|[app not in (frontend,loadgenerator)]|All connections| +||[default]|[*]|[kube-system]|[*]|All but {protocols:UDP,dst_ports:53}| +||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but {protocols:TCP,dst_ports:8080}| +||[default]|[loadgenerator]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| +||[kube-system]|[*]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| +||[default]|[*]|[default]|[adservice]|All but {protocols:TCP,dst_ports:9555}| +||[default]|[*]|[default]|[checkoutservice]|All but {protocols:TCP,dst_ports:5050}| +||[default]|[*]|[default]|[cartservice]|All but {protocols:TCP,dst_ports:7070}| +||[default]|[*]|[default]|[currencyservice]|All but {protocols:TCP,dst_ports:7000}| +||[default]|[*]|[default]|[productcatalogservice]|All but {protocols:TCP,dst_ports:3550}| +||[default]|[recommendationservice]|[default]|[*]|All but {protocols:TCP,dst_ports:3550}| +||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but {protocols:TCP,dst_ports:50051}| +||[default]|[cartservice]|[default]|[*]|All but {protocols:TCP,dst_ports:6379}| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks|||||| -|||0.0.0.0/0|[default]|[*]|All but TCP 8080| |||0.0.0.0/0|[default]|[app!=frontend]|All connections| ||[default]|[*]||0.0.0.0/0|All connections| +|||0.0.0.0/0|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt index 820c26aeb..549fcb0da 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt @@ -2,28 +2,28 @@ allow_all and poc3 are not semantically equivalent. Removed connections between persistent peers (based on topology from config: allow_all) : src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but TCP 9555 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but TCP 8080 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but TCP 50051 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but TCP 7070 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but TCP 5050 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but TCP 7000 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but TCP 3550 -src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [etcd-operator] conn: All connections src_ns: [default] src_pods: [app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [default,kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 6379 +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:6379} src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [app not in (cartservice,loadgenerator,redis-cart)] conn: All connections src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (adservice,frontend,recommendationservice,redis-cart)] conn: All connections src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app in (emailservice,paymentservice,redis-cart)] conn: All connections -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080} src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections -src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 3550 +src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:3550} src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [app not in (loadgenerator,productcatalogservice,recommendationservice)] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: allow_all) : -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=frontend] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml index 2f74607e9..f74f51f4b 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml @@ -9,134 +9,109 @@ rules: - src_ns: - default + - kube-system src_pods: - '*' dst_ns: - default dst_pods: - - productcatalogservice + - loadgenerator connection: - - All but: - - Protocol: TCP - Ports: - - 3550 + - All connections - src_ns: - default src_pods: - - recommendationservice + - '*' dst_ns: - - default + - kube-system dst_pods: - - '*' + - etcd-operator connection: - - All but: - - Protocol: TCP - Ports: - - 3550 + - All connections - src_ns: - default src_pods: - - '*' + - app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - default + - kube-system dst_pods: - - app in (paymentservice,shippingservice) + - '*' connection: - - All but: - - Protocol: TCP - Ports: - - 50051 + - All connections - src_ns: - default src_pods: - - '*' + - cartservice dst_ns: - default dst_pods: - - checkoutservice + - app not in (cartservice,loadgenerator,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 5050 + - All connections - src_ns: - default src_pods: - - cartservice + - checkoutservice dst_ns: - default dst_pods: - - '*' + - app in (adservice,frontend,recommendationservice,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 6379 + - All connections - src_ns: - default src_pods: - - '*' + - frontend dst_ns: - default dst_pods: - - currencyservice + - app in (emailservice,paymentservice,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 7000 + - All connections - src_ns: - default src_pods: - - '*' + - loadgenerator dst_ns: - default dst_pods: - - cartservice + - app not in (frontend,loadgenerator) connection: - - All but: - - Protocol: TCP - Ports: - - 7070 + - All connections - src_ns: - default src_pods: - - '*' + - recommendationservice dst_ns: - default dst_pods: - - app in (emailservice,frontend,loadgenerator,recommendationservice) + - app not in (loadgenerator,productcatalogservice,recommendationservice) connection: - - All but: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - - default + - kube-system src_pods: - - loadgenerator + - '*' dst_ns: - default dst_pods: - - '*' + - app not in (frontend,loadgenerator) connection: - - All but: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - - kube-system + - default src_pods: - '*' dst_ns: - - default + - kube-system dst_pods: - '*' connection: - All but: - - Protocol: TCP - Ports: - - 8080 + - protocols: UDP + dst_ports: + - 53 - src_ns: - default src_pods: @@ -144,97 +119,103 @@ dst_ns: - default dst_pods: - - adservice + - app in (emailservice,frontend,loadgenerator,recommendationservice) connection: - All but: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - '*' + - loadgenerator dst_ns: - - kube-system + - default dst_pods: - '*' connection: - All but: - - Protocol: UDP - Ports: - - 53 + - protocols: TCP + dst_ports: + - 8080 - src_ns: - - default - kube-system src_pods: - '*' dst_ns: - default dst_pods: - - loadgenerator - connection: - - All connections - - src_ns: - - default - src_pods: - '*' - dst_ns: - - kube-system - dst_pods: - - etcd-operator connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: - - app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - '*' dst_ns: - default - - kube-system dst_pods: - - '*' + - adservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 9555 - src_ns: - default src_pods: - - cartservice + - '*' dst_ns: - default dst_pods: - - app not in (cartservice,loadgenerator,redis-cart) + - checkoutservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 5050 - src_ns: - default src_pods: - - checkoutservice + - '*' dst_ns: - default dst_pods: - - app in (adservice,frontend,recommendationservice,redis-cart) + - cartservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 7070 - src_ns: - default src_pods: - - frontend + - '*' dst_ns: - default dst_pods: - - app in (emailservice,paymentservice,redis-cart) + - currencyservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - loadgenerator + - '*' dst_ns: - default dst_pods: - - app not in (frontend,loadgenerator) + - productcatalogservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 3550 - src_ns: - default src_pods: @@ -242,32 +223,40 @@ dst_ns: - default dst_pods: - - app not in (loadgenerator,productcatalogservice,recommendationservice) + - '*' connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 3550 - src_ns: - - kube-system + - default src_pods: - '*' dst_ns: - default dst_pods: - - app not in (frontend,loadgenerator) + - app in (paymentservice,shippingservice) connection: - - All connections - - description: Removed connections between persistent peers and ipBlocks - rules: - - src_ip_block: - - 0.0.0.0/0 + - All but: + - protocols: TCP + dst_ports: + - 50051 + - src_ns: + - default + src_pods: + - cartservice dst_ns: - default dst_pods: - '*' connection: - All but: - - Protocol: TCP - Ports: - - 8080 + - protocols: TCP + dst_ports: + - 6379 + - description: Removed connections between persistent peers and ipBlocks + rules: - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -284,3 +273,14 @@ - 0.0.0.0/0 connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - All but: + - protocols: TCP + dst_ports: + - 8080 diff --git a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt index f6f280deb..491e59c1a 100644 --- a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np12: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} diff --git a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml index b3e3e355d..94d64b314 100644 --- a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml @@ -4,21 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -55,3 +40,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt index 5e80c5363..9a5c90095 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt @@ -1,5 +1,5 @@ final fw rules for query: connectivity_map, config: np16: -src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: UDP 53 +src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml index a519885ce..5401b5cc5 100644 --- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml @@ -4,39 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/5 - - 11.0.0.0/8 - - 12.0.0.0/6 - - 128.0.0.0/3 - - 16.0.0.0/4 - - 160.0.0.0/5 - - 168.0.0.0/6 - - 172.0.0.0/12 - - 172.128.0.0/9 - - 172.16.0.0/14 - - 172.20.0.0/16 - - 172.22.0.0/15 - - 172.24.0.0/14 - - 172.28.0.0/15 - - 172.31.0.0/16 - - 172.32.0.0/11 - - 172.64.0.0/10 - - 173.0.0.0/8 - - 174.0.0.0/7 - - 176.0.0.0/4 - - 192.0.0.0/2 - - 32.0.0.0/3 - - 64.0.0.0/2 - - 8.0.0.0/7 - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -94,3 +61,36 @@ - '!has(tier) or tier=not_frontend_for_demo' connection: - All connections + - src_ip_block: + - 0.0.0.0/5 + - 11.0.0.0/8 + - 12.0.0.0/6 + - 128.0.0.0/3 + - 16.0.0.0/4 + - 160.0.0.0/5 + - 168.0.0.0/6 + - 172.0.0.0/12 + - 172.128.0.0/9 + - 172.16.0.0/14 + - 172.20.0.0/16 + - 172.22.0.0/15 + - 172.24.0.0/14 + - 172.28.0.0/15 + - 172.31.0.0/16 + - 172.32.0.0/11 + - 172.64.0.0/10 + - 173.0.0.0/8 + - 174.0.0.0/7 + - 176.0.0.0/4 + - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: UDP + dst_ports: + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt index cf494a6c4..53bfc1c3f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt @@ -1,7 +1,7 @@ final fw rules for query: connectivity_map, config: np2: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53 +src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml index 74f3eef95..9e3323587 100644 --- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml @@ -4,36 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - - src_ns: - - default - - kube-system-new - - kube-system-new-dummy-to-ignore - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -82,3 +52,27 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53 + - src_ns: + - default + - kube-system-new + - kube-system-new-dummy-to-ignore + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt index 5ed6252f4..5f54d90d7 100644 --- a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt @@ -1,3 +1,3 @@ final fw rules for query: connectivity_map, config: np23: -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml index 7fea23134..6212e0952 100644 --- a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml @@ -13,8 +13,8 @@ dst_pods: - app=skydive connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - src_ns: - default diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt index 557aa0788..da956bad1 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt @@ -1,3 +1,3 @@ final fw rules for query: connectivity_map, config: np24: -src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53 +src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml index e56cae2fb..b4ee55b66 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml @@ -13,8 +13,8 @@ dst_pods: - app=skydive connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - src_ns: - default diff --git a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt index f06721941..94b65030c 100644 --- a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np3: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections src_ns: [default,kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} diff --git a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml index 8852bea2f..6b72ec093 100644 --- a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml @@ -4,18 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -44,3 +32,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90 diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv index 2d2197061..d9facb4fd 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv @@ -1,6 +1,6 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_3, config: np3","","","","","", -"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90", "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot index ffe0f39d5..2fe23797f 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All0" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] @@ -38,7 +38,7 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ } "0.0.0.0/0" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md index 55c600313..194c925f0 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md @@ -1,7 +1,7 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_3, config: np3|||||| -||[default]|[*]|[kube-system-new]|[*]|TCP 85-90| |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt index 20091311e..1ef5ca7c4 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map_3, config: np3: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml index 0fe62f0dc..31311a5df 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml @@ -4,18 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -52,3 +40,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90 diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv index 690e0e133..54731a950 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv @@ -1,15 +1,15 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_4, config: np4","","","","","", -"","[kube-system-new-dummy-to-ignore]","[*]","[kube-system-new]","[*]","TCP 80-88", -"","[ibm-system-new]","[*]","[kube-system-new]","[*]","TCP 80-90", -"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90", "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", +"","[ibm-system-new]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-90}", +"","[kube-system-new-dummy-to-ignore]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-88}", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_4, config: np3","","","","","", -"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90", "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot index d58a08268..32ffbc584 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp80-88 TCP 80-88
tcp80-90 TCP 80-90
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp80-88 {protocols:TCP,dst_ports:80-88}
tcp80-90 {protocols:TCP,dst_ports:80-90}
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All1" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] @@ -44,11 +44,11 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ "clique_0" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "clique_0" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All1"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="TCP 80-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="TCP 80-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="{protocols:TCP,dst_ports:80-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="{protocols:TCP,dst_ports:80-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All1"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-88" labeltooltip="TCP 80-88" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-88" labeltooltip="{protocols:TCP,dst_ports:80-88}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "default/cognetive-agents(DaemonSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] @@ -67,7 +67,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All0" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] @@ -101,7 +101,7 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ } "0.0.0.0/0" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md index 04e17967d..3a831eb0e 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md @@ -1,17 +1,17 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_4, config: np4|||||| -||[kube-system-new-dummy-to-ignore]|[*]|[kube-system-new]|[*]|TCP 80-88| -||[ibm-system-new]|[*]|[kube-system-new]|[*]|TCP 80-90| -||[default]|[*]|[kube-system-new]|[*]|TCP 85-90| |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| +||[ibm-system-new]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-90}| +||[kube-system-new-dummy-to-ignore]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-88}| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_4, config: np3|||||| -||[default]|[*]|[kube-system-new]|[*]|TCP 85-90| |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt index b5dc62387..cc2522861 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt @@ -2,12 +2,12 @@ final fw rules for query: connectivity_map_4, config: np4: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-90} +src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-88} final fw rules for query: connectivity_map_4, config: np3: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml index e2c8f52b4..a36e52ad7 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml @@ -4,42 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - kube-system-new-dummy-to-ignore - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 80-88 - - src_ns: - - ibm-system-new - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 80-90 - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -76,12 +40,6 @@ - '*' connection: - All connections -- query: connectivity_map_4 - configs: - - np3 - numerical_result: 0 - explanation: - - rules: - src_ns: - default src_pods: @@ -91,9 +49,39 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 85-90 + - src_ns: + - ibm-system-new + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 80-90 + - src_ns: + - kube-system-new-dummy-to-ignore + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 80-88 +- query: connectivity_map_4 + configs: + - np3 + numerical_result: 0 + explanation: + - rules: - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -130,3 +118,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90 diff --git a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt index 81cff8378..9ff81c2ea 100644 --- a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt +++ b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt @@ -3,26 +3,26 @@ src: 0.0.0.0/0 dst_ns: [default,kube-system,local-path-storage,projectcontour] d src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections -src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} +src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:8443,hosts:httpbin.example.com} src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,projectcontour] src_pods: [*] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST', 'hosts': 'ob.alwaysupalwayson.com'} +src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST,hosts:ob.alwaysupalwayson.com} src_ns: [istio-system] src_pods: [istiod] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [istiod] dst: connected-with-mesh.example.com conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} +src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:8443,hosts:httpbin.example.com} src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src: 0.0.0.0/0 dst_ns: [default,istio-system,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot index 45e5db22a..66074b235 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -64,40 +64,40 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot index 77250fbd0..661be8577 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -51,41 +51,41 @@ All"] "example/deploy-gggg(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot index b31b60983..e981426f7 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -53,24 +53,24 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot index ccc2023b5..6412b4bd7 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -48,24 +48,24 @@ All"] "example/deploy-hhhh(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot index 6655f83f7..990a96d41 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -51,22 +51,22 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot index 1008b214a..c482b124a 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -44,22 +44,22 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot index 860cc180d..e1f5705b7 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -51,14 +51,14 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot index 905ff38f3..597692826 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -44,14 +44,14 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot index 7d590b81b..d0063e90d 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -51,14 +51,14 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot index bb3b4e5c8..16cb4013c 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -44,14 +44,14 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot index ad1caaf8a..328b5da08 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP TCP {'methods': 'GET'}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {protocols:TCP,methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway(Deployment-StatefulSet)"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot index 9c5005787..089763b4f 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP TCP {'methods': 'GET'}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {protocols:TCP,methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway-55d9fb9f-f4mzz"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1-79f774bdb9-tw7sj" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1-6b746f74dc-kkzzk" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1-b6994bb9-gl27w" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1-545db77b95-2ps7q" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt index 3862f41ad..d885e1007 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt @@ -1,15 +1,15 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt index eeab7d57a..54bc6d744 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt @@ -1,18 +1,18 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections -src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt index 2460f5ac4..37a464951 100644 --- a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt +++ b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt @@ -1,3 +1,3 @@ sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. Connections allowed in sidecar-with-local-hosts-only which are different in sidecar-with-local-and-dns-hosts: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not diff --git a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt index 8ad32ce46..f1db51236 100644 --- a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: {protocols:TCP,dst_ports:8761,paths:/flights(/*)?} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: {protocols:TCP,dst_ports:8762,paths:/horas(/*)?} src_ns: [default] src_pods: [fly-api, hora-api] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [fly-api, hora-api] dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt index 37146a98f..d4bb65970 100644 --- a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not diff --git a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt index 2dd1584c9..5e025e2f8 100644 --- a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt @@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections -src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} +src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} For connections of type non-TCP, final fw rules for query: connectivity, config: istio-egress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt index b4b269ee0..392f80198 100644 --- a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt @@ -2,9 +2,9 @@ For connections of type TCP, final fw rules for query: connectivity, config: ist src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: TCP {'dst_ports': '5555', 'hosts': 'mongosvr.prod.svc.cluster.local'} -src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: TCP {'dst_ports': '9080', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local', 'paths': '/reviews(/*)?'} -src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: TCP {'dst_ports': '7777', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local'} +src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: {protocols:TCP,dst_ports:5555,hosts:mongosvr.prod.svc.cluster.local} +src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: {protocols:TCP,dst_ports:9080,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local,paths:/reviews(/*)?} +src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: {protocols:TCP,dst_ports:7777,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local} For connections of type non-TCP, final fw rules for query: connectivity, config: istio-ingress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt index c34b01d7f..51bf629db 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt @@ -2,15 +2,15 @@ For connections of type TCP, final fw rules for query: new_online_boutique_synth src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map_with_baseline_rule, config: new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service: src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt index d7d14ccad..c552cbb2a 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt @@ -1,198 +1,198 @@ TCP Connections: -0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070 -default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000 -default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080 -default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051 -default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051 -default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555 -default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070 -default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050 -default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000 -default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080 -default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051 -default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080 -default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections +0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/checkoutservice[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} +default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} +default/checkoutservice[Deployment] => default/emailservice[Deployment] : {protocols:TCP,dst_ports:8080} +default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/frontend[Deployment] => default/adservice[Deployment] : {protocols:TCP,dst_ports:9555} +default/frontend[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} +default/frontend[Deployment] => default/checkoutservice[Deployment] : {protocols:TCP,dst_ports:5050} +default/frontend[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} +default/frontend[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/frontend[Deployment] => default/recommendationservice[Deployment] : {protocols:TCP,dst_ports:8080} +default/frontend[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/loadgenerator[Deployment] => default/frontend[Deployment] : {protocols:TCP,dst_ports:8080} +default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections non-TCP Connections: -0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/adservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/cartservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/checkoutservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/currencyservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/emailservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/frontend[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/loadgenerator[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/paymentservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/productcatalogservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/recommendationservice[Deployment] : All Connections -0.0.0.0-255.255.255.255 => default/shippingservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/adservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/cartservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/checkoutservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/currencyservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/emailservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/frontend[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/loadgenerator[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/paymentservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/productcatalogservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/recommendationservice[Deployment] : All Connections -asm-ingress/asm-ingressgateway[Deployment] => default/shippingservice[Deployment] : All Connections -default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/adservice[Deployment] => default/cartservice[Deployment] : All Connections -default/adservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/adservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/adservice[Deployment] => default/emailservice[Deployment] : All Connections -default/adservice[Deployment] => default/frontend[Deployment] : All Connections -default/adservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/adservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/adservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/adservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/adservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/cartservice[Deployment] => default/adservice[Deployment] : All Connections -default/cartservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/cartservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/cartservice[Deployment] => default/emailservice[Deployment] : All Connections -default/cartservice[Deployment] => default/frontend[Deployment] : All Connections -default/cartservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/cartservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/cartservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/cartservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/cartservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/checkoutservice[Deployment] => default/adservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/cartservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/emailservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/frontend[Deployment] : All Connections -default/checkoutservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/checkoutservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/checkoutservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/currencyservice[Deployment] => default/adservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/cartservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/emailservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/frontend[Deployment] : All Connections -default/currencyservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/currencyservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/currencyservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/emailservice[Deployment] => default/adservice[Deployment] : All Connections -default/emailservice[Deployment] => default/cartservice[Deployment] : All Connections -default/emailservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/emailservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/emailservice[Deployment] => default/frontend[Deployment] : All Connections -default/emailservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/emailservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/emailservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/emailservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/emailservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/frontend[Deployment] => default/adservice[Deployment] : All Connections -default/frontend[Deployment] => default/cartservice[Deployment] : All Connections -default/frontend[Deployment] => default/checkoutservice[Deployment] : All Connections -default/frontend[Deployment] => default/currencyservice[Deployment] : All Connections -default/frontend[Deployment] => default/emailservice[Deployment] : All Connections -default/frontend[Deployment] => default/loadgenerator[Deployment] : All Connections -default/frontend[Deployment] => default/paymentservice[Deployment] : All Connections -default/frontend[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/frontend[Deployment] => default/recommendationservice[Deployment] : All Connections -default/frontend[Deployment] => default/shippingservice[Deployment] : All Connections -default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/loadgenerator[Deployment] => default/adservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/cartservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/checkoutservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/currencyservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/emailservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/frontend[Deployment] : All Connections -default/loadgenerator[Deployment] => default/paymentservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/recommendationservice[Deployment] : All Connections -default/loadgenerator[Deployment] => default/shippingservice[Deployment] : All Connections -default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/paymentservice[Deployment] => default/adservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/cartservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/emailservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/frontend[Deployment] : All Connections -default/paymentservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/paymentservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/paymentservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/adservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/cartservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/emailservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/frontend[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/recommendationservice[Deployment] : All Connections -default/productcatalogservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/recommendationservice[Deployment] => default/adservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/cartservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/emailservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/frontend[Deployment] : All Connections -default/recommendationservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/recommendationservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/recommendationservice[Deployment] => default/shippingservice[Deployment] : All Connections -default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections -default/shippingservice[Deployment] => default/adservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/cartservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/checkoutservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/currencyservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/emailservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/frontend[Deployment] : All Connections -default/shippingservice[Deployment] => default/loadgenerator[Deployment] : All Connections -default/shippingservice[Deployment] => default/paymentservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/productcatalogservice[Deployment] : All Connections -default/shippingservice[Deployment] => default/recommendationservice[Deployment] : All Connections \ No newline at end of file +0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/adservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/cartservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/checkoutservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/currencyservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/emailservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/frontend[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/loadgenerator[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/paymentservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/productcatalogservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/recommendationservice[Deployment] : All connections +0.0.0.0-255.255.255.255 => default/shippingservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/adservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/cartservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/checkoutservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/currencyservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/emailservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/frontend[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/loadgenerator[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/paymentservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/productcatalogservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/recommendationservice[Deployment] : All connections +asm-ingress/asm-ingressgateway[Deployment] => default/shippingservice[Deployment] : All connections +default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/adservice[Deployment] => default/cartservice[Deployment] : All connections +default/adservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/adservice[Deployment] => default/currencyservice[Deployment] : All connections +default/adservice[Deployment] => default/emailservice[Deployment] : All connections +default/adservice[Deployment] => default/frontend[Deployment] : All connections +default/adservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/adservice[Deployment] => default/paymentservice[Deployment] : All connections +default/adservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/adservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/adservice[Deployment] => default/shippingservice[Deployment] : All connections +default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/cartservice[Deployment] => default/adservice[Deployment] : All connections +default/cartservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/cartservice[Deployment] => default/currencyservice[Deployment] : All connections +default/cartservice[Deployment] => default/emailservice[Deployment] : All connections +default/cartservice[Deployment] => default/frontend[Deployment] : All connections +default/cartservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/cartservice[Deployment] => default/paymentservice[Deployment] : All connections +default/cartservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/cartservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/cartservice[Deployment] => default/shippingservice[Deployment] : All connections +default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/checkoutservice[Deployment] => default/adservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/cartservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/currencyservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/emailservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/frontend[Deployment] : All connections +default/checkoutservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/checkoutservice[Deployment] => default/paymentservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/checkoutservice[Deployment] => default/shippingservice[Deployment] : All connections +default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/currencyservice[Deployment] => default/adservice[Deployment] : All connections +default/currencyservice[Deployment] => default/cartservice[Deployment] : All connections +default/currencyservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/currencyservice[Deployment] => default/emailservice[Deployment] : All connections +default/currencyservice[Deployment] => default/frontend[Deployment] : All connections +default/currencyservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/currencyservice[Deployment] => default/paymentservice[Deployment] : All connections +default/currencyservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/currencyservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/currencyservice[Deployment] => default/shippingservice[Deployment] : All connections +default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/emailservice[Deployment] => default/adservice[Deployment] : All connections +default/emailservice[Deployment] => default/cartservice[Deployment] : All connections +default/emailservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/emailservice[Deployment] => default/currencyservice[Deployment] : All connections +default/emailservice[Deployment] => default/frontend[Deployment] : All connections +default/emailservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/emailservice[Deployment] => default/paymentservice[Deployment] : All connections +default/emailservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/emailservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/emailservice[Deployment] => default/shippingservice[Deployment] : All connections +default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/frontend[Deployment] => default/adservice[Deployment] : All connections +default/frontend[Deployment] => default/cartservice[Deployment] : All connections +default/frontend[Deployment] => default/checkoutservice[Deployment] : All connections +default/frontend[Deployment] => default/currencyservice[Deployment] : All connections +default/frontend[Deployment] => default/emailservice[Deployment] : All connections +default/frontend[Deployment] => default/loadgenerator[Deployment] : All connections +default/frontend[Deployment] => default/paymentservice[Deployment] : All connections +default/frontend[Deployment] => default/productcatalogservice[Deployment] : All connections +default/frontend[Deployment] => default/recommendationservice[Deployment] : All connections +default/frontend[Deployment] => default/shippingservice[Deployment] : All connections +default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/loadgenerator[Deployment] => default/adservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/cartservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/checkoutservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/currencyservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/emailservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/frontend[Deployment] : All connections +default/loadgenerator[Deployment] => default/paymentservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/productcatalogservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/recommendationservice[Deployment] : All connections +default/loadgenerator[Deployment] => default/shippingservice[Deployment] : All connections +default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/paymentservice[Deployment] => default/adservice[Deployment] : All connections +default/paymentservice[Deployment] => default/cartservice[Deployment] : All connections +default/paymentservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/paymentservice[Deployment] => default/currencyservice[Deployment] : All connections +default/paymentservice[Deployment] => default/emailservice[Deployment] : All connections +default/paymentservice[Deployment] => default/frontend[Deployment] : All connections +default/paymentservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/paymentservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/paymentservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/paymentservice[Deployment] => default/shippingservice[Deployment] : All connections +default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/productcatalogservice[Deployment] => default/adservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/cartservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/currencyservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/emailservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/frontend[Deployment] : All connections +default/productcatalogservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/productcatalogservice[Deployment] => default/paymentservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/recommendationservice[Deployment] : All connections +default/productcatalogservice[Deployment] => default/shippingservice[Deployment] : All connections +default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/recommendationservice[Deployment] => default/adservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/cartservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/currencyservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/emailservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/frontend[Deployment] : All connections +default/recommendationservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/recommendationservice[Deployment] => default/paymentservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/recommendationservice[Deployment] => default/shippingservice[Deployment] : All connections +default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections +default/shippingservice[Deployment] => default/adservice[Deployment] : All connections +default/shippingservice[Deployment] => default/cartservice[Deployment] : All connections +default/shippingservice[Deployment] => default/checkoutservice[Deployment] : All connections +default/shippingservice[Deployment] => default/currencyservice[Deployment] : All connections +default/shippingservice[Deployment] => default/emailservice[Deployment] : All connections +default/shippingservice[Deployment] => default/frontend[Deployment] : All connections +default/shippingservice[Deployment] => default/loadgenerator[Deployment] : All connections +default/shippingservice[Deployment] => default/paymentservice[Deployment] : All connections +default/shippingservice[Deployment] => default/productcatalogservice[Deployment] : All connections +default/shippingservice[Deployment] => default/recommendationservice[Deployment] : All connections diff --git a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt index b8949af59..fe99152bf 100644 --- a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,5 +1,5 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not sidecar-with-local-hosts-only does not interfere with sidecar-with-local-and-dns-hosts diff --git a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt index fc240ed03..93b55a24c 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt @@ -1,25 +1,25 @@ new_online_boutique and new_online_boutique_synthesis_res are not semantically equivalent. Added connections between persistent peers (based on topology from config: new_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 1-8079,8081-65535 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': 'all but /hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'},{'dst_ports': '7070', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': 'all but /hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'},{'dst_ports': '7000', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': 'all but /hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'},{'dst_ports': '50051', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': 'all but /hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'},{'dst_ports': '3550', 'methods': 'all but POST'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': 'all but /hipstershop.EmailService/SendOrderConfirmation'},{'dst_ports': '8080', 'methods': 'all but POST'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': 'all but /hipstershop.PaymentService/Charge'},{'dst_ports': '50051', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': 'all but /hipstershop.AdService/GetAds'},{'dst_ports': '9555', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': 'all but /hipstershop.CheckoutService/PlaceOrder'},{'dst_ports': '5050', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': 'all but /hipstershop.RecommendationService/ListRecommendations'},{'dst_ports': '8080', 'methods': 'all but POST'} -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'all but GET, POST'} +src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: {protocols:TCP,dst_ports:1-8079,8081-65535} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:all but /hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart},{protocols:TCP,dst_ports:7070,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:all but /hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies},{protocols:TCP,dst_ports:7000,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:all but /hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder},{protocols:TCP,dst_ports:50051,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:all but /hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts},{protocols:TCP,dst_ports:3550,methods:all but POST} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:all but /hipstershop.EmailService/SendOrderConfirmation},{protocols:TCP,dst_ports:8080,methods:all but POST} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:all but /hipstershop.PaymentService/Charge},{protocols:TCP,dst_ports:50051,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:all but /hipstershop.AdService/GetAds},{protocols:TCP,dst_ports:9555,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:all but /hipstershop.CheckoutService/PlaceOrder},{protocols:TCP,dst_ports:5050,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:all but /hipstershop.RecommendationService/ListRecommendations},{protocols:TCP,dst_ports:8080,methods:all but POST} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:all but GET, POST} Removed connections between persistent peers (based on topology from config: new_online_boutique) : -src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: TCP -src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'dst_ports': '1-7069,7071-65535', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} +src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: {protocols:TCP} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:1-7069,7071-65535,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} Added connections between persistent peers and ipBlocks (based on topology from config: new_online_boutique_synthesis_res) : -src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 1-8079,8081-65535 +src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: {protocols:TCP,dst_ports:1-8079,8081-65535} Removed connections between persistent peers and ipBlocks (based on topology from config: new_online_boutique) : -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: TCP +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt index af64ef425..9c7322927 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt @@ -1,4 +1,4 @@ new_online_boutique_synthesis_res and new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service are not semantically equivalent. Removed connections between persistent peers (based on topology from config: new_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051} diff --git a/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt b/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt index c10b88b8a..c0b3cf360 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt @@ -1,5 +1,5 @@ sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. New connections between persistent peers and added peers (based on topology from config: sidecar-with-local-and-dns-hosts) : -src_ns: [default] src_pods: [*] dst: www.slack.com conn: TCP -src_ns: [default] src_pods: [app!=ratings] dst: www.google.com conn: TCP +src_ns: [default] src_pods: [*] dst: www.slack.com conn: {protocols:TCP} +src_ns: [default] src_pods: [app!=ratings] dst: www.google.com conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt b/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt index eb8cc3fc7..2bc2b1bd8 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt @@ -1,4 +1,4 @@ sidecar-with-selector-allows-any and sidecar-with-selector-registery-only are not semantically equivalent. Removed connections between persistent peers and ipBlocks (based on topology from config: sidecar-with-selector-allows-any) : -src_ns: [default] src_pods: [ratings-v1] dst: 0.0.0.0/0 conn: TCP +src_ns: [default] src_pods: [ratings-v1] dst: 0.0.0.0/0 conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt index ca07f5d08..31261d68e 100644 --- a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt +++ b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt @@ -3,14 +3,14 @@ src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst: connected_with_mesh.example.com conn: All connections -src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} +src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app not in (adservice,checkoutservice,frontend,loadgenerator,recommendationservice)] conn: All connections src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app not in (emailservice,frontend,loadgenerator,paymentservice)] conn: All connections src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: All connections -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} For connections of type non-TCP, final fw rules for query: onlineboutique-sidecars-connectivity, config: onlineboutique-sidecars-and-gateways: src: 0.0.0.0/0 dst_ns: [asm-ingress,default,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt index c1a3f3b8b..7b92a40d5 100644 --- a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ Network configuration sidecar-with-local-hosts-only is a proper subset of sidecar-with-local-and-dns-hosts but sidecar-with-local-and-dns-hosts is not contained in sidecar-with-local-hosts-only Connections allowed in sidecar-with-local-and-dns-hosts which are not a subset of those in sidecar-with-local-hosts-only: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: Protocol: TCP +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: {'protocols': 'TCP'} diff --git a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt index 4d86cece0..b2cfa8750 100644 --- a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt +++ b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt @@ -1,470 +1,470 @@ -0.0.0.0-9.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -10.0.0.0-10.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/calico-node[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -172.21.0.0-172.21.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -172.30.0.0-172.30.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections +0.0.0.0-9.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => default/cognetive-agents[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/calico-node[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +10.0.0.0-10.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +10.0.0.0-10.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +10.0.0.0-10.255.255.255 => default/cognetive-agents[DaemonSet] : All connections +10.0.0.0-10.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system/calico-node[DaemonSet] : All connections +10.0.0.0-10.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => default/cognetive-agents[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/calico-node[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.21.0.0-172.21.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.21.0.0-172.21.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.21.0.0-172.21.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.21.0.0-172.21.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system/calico-node[DaemonSet] : All connections +172.21.0.0-172.21.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/calico-node[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.30.0.0-172.30.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/calico-node[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/calico-node[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections diff --git a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt index ac683a3d7..6b76fd7f6 100644 --- a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity, config: test-ingress: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default,istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'hosts': 'demo.localdev.me', 'paths': '/details(/*)?'} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,hosts:demo.localdev.me,paths:/details(/*)?} diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt index 04d20d5e0..03b969c2f 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -2,13 +2,13 @@ final fw rules for query: new_online_boutique_connectivity_map, config: new_onli src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt index a7094a55a..02a3b83ca 100644 --- a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt @@ -1,15 +1,15 @@ final fw rules for query: new_online_boutique_synthesis_res_connectivity_map, config: new_online_synthesis_res: src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt index 987af4d70..e5289479b 100644 --- a/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt +++ b/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt @@ -1,25 +1,25 @@ -0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections -0.0.0.0-255.255.255.255 => kube-system/kube-dns-livesim[Pod] : All Connections -default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070 -default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000 -default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080 -default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051 -default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051 -default/checkoutservice[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53 -default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555 -default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070 -default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050 -default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000 -default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080 -default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051 -default/frontend[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53 -default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080 -default/loadgenerator[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53 -default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 -default/recommendationservice[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53 -default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections -default/redis-cart[Deployment] => kube-system/kube-dns-livesim[Pod] : All Connections -kube-system/kube-dns-livesim[Pod] => 0.0.0.0-255.255.255.255 : All Connections -kube-system/kube-dns-livesim[Pod] => default/redis-cart[Deployment] : All Connections \ No newline at end of file +0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All connections +0.0.0.0-255.255.255.255 => kube-system/kube-dns-livesim[Pod] : All connections +default/checkoutservice[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} +default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} +default/checkoutservice[Deployment] => default/emailservice[Deployment] : {protocols:TCP,dst_ports:8080} +default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/checkoutservice[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53} +default/frontend[Deployment] => default/adservice[Deployment] : {protocols:TCP,dst_ports:9555} +default/frontend[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} +default/frontend[Deployment] => default/checkoutservice[Deployment] : {protocols:TCP,dst_ports:5050} +default/frontend[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} +default/frontend[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/frontend[Deployment] => default/recommendationservice[Deployment] : {protocols:TCP,dst_ports:8080} +default/frontend[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/frontend[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53} +default/loadgenerator[Deployment] => default/frontend[Deployment] : {protocols:TCP,dst_ports:8080} +default/loadgenerator[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53} +default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/recommendationservice[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53} +default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All connections +default/redis-cart[Deployment] => kube-system/kube-dns-livesim[Pod] : All connections +kube-system/kube-dns-livesim[Pod] => 0.0.0.0-255.255.255.255 : All connections +kube-system/kube-dns-livesim[Pod] => default/redis-cart[Deployment] : All connections \ No newline at end of file diff --git a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt index 36bffcc45..a806b89f6 100644 --- a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt @@ -1,21 +1,21 @@ final fw rules for query: orig_online_boutique_synthesis_res_connectivity_map, config: orig_online_boutique_synthesis_res: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst: accounts.google.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: metadata.google.internal conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt index 13e23ba37..a39e84f83 100644 --- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt +++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt @@ -1,14 +1,14 @@ orig_online_boutique_synthesis_res and new_online_synthesis_res are not semantically equivalent. Lost connections between removed peers and persistent peers (based on topology from config: orig_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: accounts.google.com conn: All connections src_ns: [kube-system] src_pods: [*] dst: metadata.google.internal conn: All connections Removed connections between persistent peers (based on topology from config: orig_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} Removed connections between persistent peers and ipBlocks (based on topology from config: orig_online_boutique_synthesis_res) : -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt index ed9f13cf3..848171682 100644 --- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt +++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt @@ -8,7 +8,7 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections New connections between persistent peers and added peers (based on topology from config: new_online_synthesis_res) : -src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 +src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} New connections between added peers and ipBlocks (based on topology from config: new_online_synthesis_res) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/k8s_testcases/expected_output/services1_connectivity_map.txt b/tests/k8s_testcases/expected_output/services1_connectivity_map.txt index 87b77d9fc..7f461ce0a 100644 --- a/tests/k8s_testcases/expected_output/services1_connectivity_map.txt +++ b/tests/k8s_testcases/expected_output/services1_connectivity_map.txt @@ -2,13 +2,13 @@ final fw rules for query: connectivity_map, config: ip: src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,kube-system] dst_pods: [*] conn: All connections src_ns: [default,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system] src_pods: [*] dst_ns: [default,ingress-nginx,kube-system] dst_pods: [*] conn: All connections -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP {'dst_ports': '80', 'hosts': 'demo.localdev.me'} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:80,hosts:demo.localdev.me} final fw rules for query: connectivity_map, config: np0: src: 0.0.0.0/0 dst_ns: [default,kube-system] dst_pods: [*] conn: All connections src_ns: [default,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system] src_pods: [*] dst_ns: [default,kube-system] dst_pods: [*] conn: All connections -src_ns: [ingress-nginx] src_pods: [ingress-nginx-controller-6d5f55986b] dst_ns: [default] dst_pods: [*] conn: TCP {'dst_ports': '80', 'hosts': 'demo.localdev.me'} +src_ns: [ingress-nginx] src_pods: [ingress-nginx-controller-6d5f55986b] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:80,hosts:demo.localdev.me} final fw rules for query: connectivity_map, config: np1: src: 0.0.0.0/0 dst_ns: [default,kube-system] dst_pods: [*] conn: All connections From 8a443e8a4791f15ad79b0af571f72b39b24436ef Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 19 May 2024 18:43:33 +0300 Subject: [PATCH 76/89] Fixed lint errors. Fixed small error. Signed-off-by: Tanya --- nca/FWRules/DotGraph.py | 1 - nca/FWRules/MinimizeBasic.py | 6 ++-- nca/NetworkConfig/NetworkConfigQuery.py | 9 +++-- nca/NetworkConfig/QueryOutputHandler.py | 15 ++++---- nca/Parsers/K8sPolicyYamlParser.py | 4 +-- ...antic_diff_a_to_b_different_topologies.txt | 34 +++++++++---------- 6 files changed, 32 insertions(+), 37 deletions(-) diff --git a/nca/FWRules/DotGraph.py b/nca/FWRules/DotGraph.py index 66cb4d926..1d983cb3a 100644 --- a/nca/FWRules/DotGraph.py +++ b/nca/FWRules/DotGraph.py @@ -5,7 +5,6 @@ from dataclasses import dataclass from enum import Enum import string -import ast class DotGraph: diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index b25a676bb..8fec8efa3 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -103,13 +103,12 @@ def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): return chosen_rep, remaining_pods @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=None): + def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): """ Converting FWRules to ConnectivityProperties format. This function is used for comparing FWRules output between original and optimized solutions, when optimized_run == 'debug' :param MinimizeFWRules fw_rules: the given FWRules. - :param PeerContainer peer_container: the peer container param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not :return: the resulting ConnectivityProperties. @@ -126,10 +125,9 @@ def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=No return res for fw_rules_list in fw_rules.fw_rules_map.values(): for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container, relevant_protocols) src_peers = fw_rule.src.get_peer_set() dst_peers = fw_rule.dst.get_peer_set() rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, - "dst_peers": dst_peers}) & conn_props + "dst_peers": dst_peers}) & fw_rule.props res |= rule_props return res diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index bc38d2987..67e2bd724 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -161,9 +161,9 @@ def compare_conn_props(props1, props2, text_prefix): assert False @staticmethod - def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, connectivity_restriction=None): + def compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=None): text_prefix = "Connectivity properties and fw-rules generated from them" - props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction) + props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, connectivity_restriction) BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) @@ -901,8 +901,7 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= self.config.peer_container, connectivity_restriction) if self.config.optimized_run == 'debug': - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, - connectivity_restriction=connectivity_restriction) + self.compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules @@ -1142,7 +1141,7 @@ def compute_explanation_for_key(self, key, is_added, props_data, is_first_connec props_data.output_config, props_data.peer_container, None) if self.config1.optimized_run == 'debug': - self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props) conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) if self.output_config.outputFormat in ['json', 'yaml']: diff --git a/nca/NetworkConfig/QueryOutputHandler.py b/nca/NetworkConfig/QueryOutputHandler.py index ad3e206da..11d79ca44 100644 --- a/nca/NetworkConfig/QueryOutputHandler.py +++ b/nca/NetworkConfig/QueryOutputHandler.py @@ -43,7 +43,8 @@ def get_explanation_in_dict(self): # following classes describe possible OutputExplanation patterns (derived from it), each class consists of the # explanation fields that may appear together in one output_explanation and additional info for writing # the explanation if required -# PoliciesWithCommonPods and PeersAndConnectivityProperties classes are helping classes for storing info on some OutputExplanation +# PoliciesWithCommonPods and PeersAndConnectivityProperties classes are helper classes +# for storing info on some OutputExplanation @dataclass class PoliciesWithCommonPods: """ @@ -236,8 +237,8 @@ class PeersAndConnectivityProperties: """ src_peer: str = '' dst_peer: str = '' - conns1: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections from src to dst in first config - conns2: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections from src to dst in second config + conns1: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections in first config + conns2: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections in second config def __lt__(self, other): if self.src_peer == other.src_peer: @@ -253,8 +254,8 @@ class ConnectionsDiffExplanation(OutputExplanation): peers_diff_connections_list: list = field(default_factory=list) # list of PeersAndConnectivityProperties objects, # storing info of pairs of peers and their connection in the config/s configs: list = field(default_factory=list) # list[str]: configs names, relevant only when we have the - # conns1 and conns2 in PeersAndConnectivityProperties items, so we need them when calling ConnectivityProperties.print_diff - # in get_explanation_in_str + # conns1 and conns2 in PeersAndConnectivityProperties items, + # so we need them when calling ConnectivityProperties.print_diff in get_explanation_in_str conns_diff: bool = False def get_explanation_in_dict(self): @@ -278,8 +279,8 @@ def get_explanation_in_dict(self): def get_explanation_in_str(self): """ returns the explanation result of ConnectionsDiffExplanation and its description in str. - When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnectivityProperties items, the diff between - connection of each pair is printed + When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnectivityProperties items, + the diff between connection of each pair is printed otherwise (having only conns1, connections from first config is printed) :rtype str """ diff --git a/nca/Parsers/K8sPolicyYamlParser.py b/nca/Parsers/K8sPolicyYamlParser.py index 563006860..898ad347f 100644 --- a/nca/Parsers/K8sPolicyYamlParser.py +++ b/nca/Parsers/K8sPolicyYamlParser.py @@ -6,7 +6,6 @@ import re from nca.CoreDS import Peer from nca.CoreDS.PortSet import PortSet -from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolNameResolver import ProtocolNameResolver from nca.CoreDS.ProtocolSet import ProtocolSet @@ -344,8 +343,7 @@ def parse_ingress_egress_rule(self, rule, peer_array_key, policy_selected_pods): "dst_peers": dst_pods}) res_props |= conn_props else: - res_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, - "dst_peers": dst_pods}) + res_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, "dst_peers": dst_pods}) if not res_pods: self.warning('Rule selects no pods', rule) diff --git a/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt b/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt index 361adb211..3bbdbec23 100644 --- a/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt +++ b/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt @@ -1,27 +1,27 @@ Lost connections between removed peers (based on topology from config: config_a) : -default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All connections Lost connections between removed peers and ipBlocks (based on topology from config: config_a) : -0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections -0.0.0.0-255.255.255.255 => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections +0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections +0.0.0.0-255.255.255.255 => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections Lost connections between removed peers and persistent peers (based on topology from config: config_a) : -default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections -default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections +default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All connections Added connections between persistent peers (based on topology from config: config_b) : -default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections Removed connections between persistent peers (based on topology from config: config_a) : -default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections Added connections between persistent peers and ipBlocks (based on topology from config: config_b) : -0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections +0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections Removed connections between persistent peers and ipBlocks (based on topology from config: config_a) : -0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections +0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections New connections between persistent peers and added peers (based on topology from config: config_b) : -default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections New connections between added peers (based on topology from config: config_b) : -default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections +default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections New connections between added peers and ipBlocks (based on topology from config: config_b) : -0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections -default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections \ No newline at end of file +0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections +default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections From 340d75597a899f603caa2fa0b506c02c507f95f7 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 19 May 2024 19:26:24 +0300 Subject: [PATCH 77/89] Fixed sorting ConnectivityProperties (making stable sort) Consequently, fixed expected results Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 2 +- .../semantic_diff_poc-scheme_output.csv | 16 ++--- .../semantic_diff_poc-scheme_output.md | 16 ++--- .../semantic_diff_poc-scheme_output.yaml | 64 +++++++++---------- 4 files changed, 49 insertions(+), 49 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 48713433b..3fe1e08f6 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -117,7 +117,7 @@ def __hash__(self): return super().__hash__() def __lt__(self, other): - return len(self) < len(other) + return len(self) < len(other) or str(self) < str(other) def get_connectivity_cube(self, cube): """ diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv index 5267134f5..83e1d8988 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv @@ -9,18 +9,18 @@ "","[default]","[loadgenerator]","[default]","[app not in (frontend,loadgenerator)]","All connections", "","[default]","[recommendationservice]","[default]","[app not in (loadgenerator,productcatalogservice,recommendationservice)]","All connections", "","[kube-system]","[*]","[default]","[app not in (frontend,loadgenerator)]","All connections", -"","[default]","[*]","[kube-system]","[*]","All but {protocols:UDP,dst_ports:53}", -"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but {protocols:TCP,dst_ports:8080}", -"","[default]","[loadgenerator]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", -"","[kube-system]","[*]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", -"","[default]","[*]","[default]","[adservice]","All but {protocols:TCP,dst_ports:9555}", -"","[default]","[*]","[default]","[checkoutservice]","All but {protocols:TCP,dst_ports:5050}", -"","[default]","[*]","[default]","[cartservice]","All but {protocols:TCP,dst_ports:7070}", -"","[default]","[*]","[default]","[currencyservice]","All but {protocols:TCP,dst_ports:7000}", "","[default]","[*]","[default]","[productcatalogservice]","All but {protocols:TCP,dst_ports:3550}", "","[default]","[recommendationservice]","[default]","[*]","All but {protocols:TCP,dst_ports:3550}", "","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but {protocols:TCP,dst_ports:50051}", +"","[default]","[*]","[default]","[checkoutservice]","All but {protocols:TCP,dst_ports:5050}", "","[default]","[cartservice]","[default]","[*]","All but {protocols:TCP,dst_ports:6379}", +"","[default]","[*]","[default]","[currencyservice]","All but {protocols:TCP,dst_ports:7000}", +"","[default]","[*]","[default]","[cartservice]","All but {protocols:TCP,dst_ports:7070}", +"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but {protocols:TCP,dst_ports:8080}", +"","[default]","[loadgenerator]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", +"","[kube-system]","[*]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}", +"","[default]","[*]","[default]","[adservice]","All but {protocols:TCP,dst_ports:9555}", +"","[default]","[*]","[kube-system]","[*]","All but {protocols:UDP,dst_ports:53}", "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks","","","","","", "","","0.0.0.0/0","[default]","[app!=frontend]","All connections", "","[default]","[*]","","0.0.0.0/0","All connections", diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md index c5a583351..aba136f55 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md @@ -10,18 +10,18 @@ ||[default]|[loadgenerator]|[default]|[app not in (frontend,loadgenerator)]|All connections| ||[default]|[recommendationservice]|[default]|[app not in (loadgenerator,productcatalogservice,recommendationservice)]|All connections| ||[kube-system]|[*]|[default]|[app not in (frontend,loadgenerator)]|All connections| -||[default]|[*]|[kube-system]|[*]|All but {protocols:UDP,dst_ports:53}| -||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but {protocols:TCP,dst_ports:8080}| -||[default]|[loadgenerator]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| -||[kube-system]|[*]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| -||[default]|[*]|[default]|[adservice]|All but {protocols:TCP,dst_ports:9555}| -||[default]|[*]|[default]|[checkoutservice]|All but {protocols:TCP,dst_ports:5050}| -||[default]|[*]|[default]|[cartservice]|All but {protocols:TCP,dst_ports:7070}| -||[default]|[*]|[default]|[currencyservice]|All but {protocols:TCP,dst_ports:7000}| ||[default]|[*]|[default]|[productcatalogservice]|All but {protocols:TCP,dst_ports:3550}| ||[default]|[recommendationservice]|[default]|[*]|All but {protocols:TCP,dst_ports:3550}| ||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but {protocols:TCP,dst_ports:50051}| +||[default]|[*]|[default]|[checkoutservice]|All but {protocols:TCP,dst_ports:5050}| ||[default]|[cartservice]|[default]|[*]|All but {protocols:TCP,dst_ports:6379}| +||[default]|[*]|[default]|[currencyservice]|All but {protocols:TCP,dst_ports:7000}| +||[default]|[*]|[default]|[cartservice]|All but {protocols:TCP,dst_ports:7070}| +||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but {protocols:TCP,dst_ports:8080}| +||[default]|[loadgenerator]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| +||[kube-system]|[*]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}| +||[default]|[*]|[default]|[adservice]|All but {protocols:TCP,dst_ports:9555}| +||[default]|[*]|[kube-system]|[*]|All but {protocols:UDP,dst_ports:53}| |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks|||||| |||0.0.0.0/0|[default]|[app!=frontend]|All connections| ||[default]|[*]||0.0.0.0/0|All connections| diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml index f74f51f4b..b39b4eb4d 100644 --- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml @@ -104,66 +104,66 @@ src_pods: - '*' dst_ns: - - kube-system + - default dst_pods: - - '*' + - productcatalogservice connection: - All but: - - protocols: UDP + - protocols: TCP dst_ports: - - 53 + - 3550 - src_ns: - default src_pods: - - '*' + - recommendationservice dst_ns: - default dst_pods: - - app in (emailservice,frontend,loadgenerator,recommendationservice) + - '*' connection: - All but: - protocols: TCP dst_ports: - - 8080 + - 3550 - src_ns: - default src_pods: - - loadgenerator + - '*' dst_ns: - default dst_pods: - - '*' + - app in (paymentservice,shippingservice) connection: - All but: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - - kube-system + - default src_pods: - '*' dst_ns: - default dst_pods: - - '*' + - checkoutservice connection: - All but: - protocols: TCP dst_ports: - - 8080 + - 5050 - src_ns: - default src_pods: - - '*' + - cartservice dst_ns: - default dst_pods: - - adservice + - '*' connection: - All but: - protocols: TCP dst_ports: - - 9555 + - 6379 - src_ns: - default src_pods: @@ -171,12 +171,12 @@ dst_ns: - default dst_pods: - - checkoutservice + - currencyservice connection: - All but: - protocols: TCP dst_ports: - - 5050 + - 7000 - src_ns: - default src_pods: @@ -197,29 +197,29 @@ dst_ns: - default dst_pods: - - currencyservice + - app in (emailservice,frontend,loadgenerator,recommendationservice) connection: - All but: - protocols: TCP dst_ports: - - 7000 + - 8080 - src_ns: - default src_pods: - - '*' + - loadgenerator dst_ns: - default dst_pods: - - productcatalogservice + - '*' connection: - All but: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - - default + - kube-system src_pods: - - recommendationservice + - '*' dst_ns: - default dst_pods: @@ -228,7 +228,7 @@ - All but: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - default src_pods: @@ -236,25 +236,25 @@ dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - adservice connection: - All but: - protocols: TCP dst_ports: - - 50051 + - 9555 - src_ns: - default src_pods: - - cartservice + - '*' dst_ns: - - default + - kube-system dst_pods: - '*' connection: - All but: - - protocols: TCP + - protocols: UDP dst_ports: - - 6379 + - 53 - description: Removed connections between persistent peers and ipBlocks rules: - src_ip_block: From 204cea83b699dcef742b8ab0848d47677cf3e3a5 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 12:42:00 +0300 Subject: [PATCH 78/89] Fixed handling TCP / non-TCP connections output. Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 10 ++----- nca/FWRules/MinimizeBasic.py | 9 ++++-- ...-1-k8s-calico-istio-2_connectivity_map.txt | 2 +- ...alico-istio-ingress-2_connectivity_map.txt | 4 +-- ...-calico-istio-ingress_connectivity_map.txt | 2 +- ...ig-1-k8s-calico-istio_connectivity_map.txt | 2 +- ...g-1-k8s-istio-ingress_connectivity_map.txt | 4 +-- .../calico-testcase15-scheme_output.yaml | 30 +++++++++---------- ...nnectivity_map_denyFirst_query_output.yaml | 18 +++++------ 9 files changed, 40 insertions(+), 41 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 3fe1e08f6..3871552ee 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -584,13 +584,9 @@ def extract_src_dst_peers_from_cube(the_cube, peer_container, relevant_protocols dst_peers = conn_cube["dst_peers"] or all_peers conn_cube.unset_dim("dst_peers") protocols = conn_cube["protocols"] - conn_cube.unset_dim("protocols") - if not conn_cube.has_active_dim() and (protocols == relevant_protocols or protocols.is_whole_range()): - props = ConnectivityProperties.make_all_props() - else: - conn_cube["protocols"] = protocols - assert conn_cube.has_active_dim() - props = ConnectivityProperties.make_conn_props(conn_cube) + if protocols == relevant_protocols: + conn_cube.unset_dim("protocols") + props = ConnectivityProperties.make_conn_props(conn_cube) return props, src_peers, dst_peers def get_simplified_connections_representation(self, is_str, use_complement_simplification=True): diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index 8fec8efa3..cd3a379be 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -113,12 +113,14 @@ def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): TCP / non-TCP , or not :return: the resulting ConnectivityProperties. """ - relevant_protocols = ProtocolSet() if connectivity_restriction: + relevant_protocols = ProtocolSet() if connectivity_restriction == 'TCP': relevant_protocols.add_protocol('TCP') else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() + else: + relevant_protocols = ProtocolSet(True) res = ConnectivityProperties.make_empty_props() if fw_rules.fw_rules_map is None: @@ -127,7 +129,8 @@ def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): for fw_rule in fw_rules_list: src_peers = fw_rule.src.get_peer_set() dst_peers = fw_rule.dst.get_peer_set() - rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, - "dst_peers": dst_peers}) & fw_rule.props + rule_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers, + "protocols": relevant_protocols}) & fw_rule.props res |= rule_props return res diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt index 15058f99c..90a0d997d 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt index 1dbd701ea..de72db829 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src: 0.0.0.0/0 dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,paths:/details(/*)?} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {dst_ports:9080,paths:/details(/*)?} For connections of type non-TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt index ec8799766..2eb4ce2e7 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt index 033ec7d8a..8039b248a 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt index ede1af064..02470117d 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt @@ -6,8 +6,8 @@ src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pod src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:TCP,methods:GET} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,paths:/details(/*)?} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {dst_ports:9080,paths:/details(/*)?} src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml index 559b0f51c..16eff0c4e 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml @@ -4,21 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - has_named_port=dns-local - connection: - - protocols: UDP - src_ports: - - 80-100 - dst_ports: - - 1-10052 - - 10054-65535 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -49,3 +34,18 @@ - '*' connection: - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - kube-system + dst_pods: + - has_named_port=dns-local + connection: + - protocols: UDP + src_ports: + - 80-100 + dst_ports: + - 1-10052 + - 10054-65535 diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml index 01a582004..ed42008f1 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml @@ -7,28 +7,28 @@ - src_ns: - kube-system src_pods: - - tier=frontend + - (has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1)) dst_ns: - kube-system dst_pods: - '*' connection: - - protocols: all but TCP + - All connections - src_ns: - kube-system src_pods: - - (has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1)) - dst_ns: - - kube-system - dst_pods: - '*' + dst_ip_block: + - 0.0.0.0/0 connection: - All connections - src_ns: - kube-system src_pods: + - tier=frontend + dst_ns: + - kube-system + dst_pods: - '*' - dst_ip_block: - - 0.0.0.0/0 connection: - - All connections + - protocols: all but TCP From 7bb71325d874f745a4c0ec3b8c37ece79f976058 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 12:53:40 +0300 Subject: [PATCH 79/89] More fixed expected results. Signed-off-by: Tanya --- .../expected_output/poc1-scheme_output.csv | 14 +- .../expected_output/poc1-scheme_output.md | 14 +- .../expected_output/poc1-scheme_output.yaml | 70 +++++----- .../expected_output/poc2-scheme_output.yaml | 98 +++++++------- .../expected_output/poc3-scheme_output.yaml | 98 +++++++------- ..._scheme_connectivity_map_query_output.yaml | 126 +++++++++--------- .../expected_output/test23-scheme_output.yaml | 12 +- .../expected_output/test24-scheme_output.yaml | 12 +- 8 files changed, 222 insertions(+), 222 deletions(-) diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv index 5708900c7..326972651 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv @@ -1,14 +1,14 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_csv, config: poc1","","","","","", +"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","{protocols:TCP,dst_ports:3550}", +"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","{protocols:TCP,dst_ports:50051}", +"","[default]","[frontend]","[default]","[shippingservice]","{protocols:TCP,dst_ports:50051}", +"","[default]","[frontend]","[default]","[checkoutservice]","{protocols:TCP,dst_ports:5050}", +"","[default]","[cartservice]","[default]","[redis-cart]","{protocols:TCP,dst_ports:6379}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","{protocols:TCP,dst_ports:7000}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","{protocols:TCP,dst_ports:7070}", "","","0.0.0.0/0","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", "","[default]","[checkoutservice]","[default]","[emailservice]","{protocols:TCP,dst_ports:8080}", "","[default]","[frontend]","[default]","[recommendationservice]","{protocols:TCP,dst_ports:8080}", "","[default]","[loadgenerator]","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", "","[default]","[frontend]","[default]","[adservice]","{protocols:TCP,dst_ports:9555}", -"","[default]","[frontend]","[default]","[checkoutservice]","{protocols:TCP,dst_ports:5050}", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","{protocols:TCP,dst_ports:7070}", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","{protocols:TCP,dst_ports:7000}", -"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","{protocols:TCP,dst_ports:3550}", -"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","{protocols:TCP,dst_ports:50051}", -"","[default]","[frontend]","[default]","[shippingservice]","{protocols:TCP,dst_ports:50051}", -"","[default]","[cartservice]","[default]","[redis-cart]","{protocols:TCP,dst_ports:6379}", diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md index 9538810bb..dbe4c5b89 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md @@ -1,15 +1,15 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_md, config: poc1|||||| +||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|{protocols:TCP,dst_ports:3550}| +||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|{protocols:TCP,dst_ports:50051}| +||[default]|[frontend]|[default]|[shippingservice]|{protocols:TCP,dst_ports:50051}| +||[default]|[frontend]|[default]|[checkoutservice]|{protocols:TCP,dst_ports:5050}| +||[default]|[cartservice]|[default]|[redis-cart]|{protocols:TCP,dst_ports:6379}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|{protocols:TCP,dst_ports:7000}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|{protocols:TCP,dst_ports:7070}| |||0.0.0.0/0|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| ||[default]|[checkoutservice]|[default]|[emailservice]|{protocols:TCP,dst_ports:8080}| ||[default]|[frontend]|[default]|[recommendationservice]|{protocols:TCP,dst_ports:8080}| ||[default]|[loadgenerator]|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| ||[default]|[frontend]|[default]|[adservice]|{protocols:TCP,dst_ports:9555}| -||[default]|[frontend]|[default]|[checkoutservice]|{protocols:TCP,dst_ports:5050}| -||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|{protocols:TCP,dst_ports:7070}| -||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|{protocols:TCP,dst_ports:7000}| -||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|{protocols:TCP,dst_ports:3550}| -||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|{protocols:TCP,dst_ports:50051}| -||[default]|[frontend]|[default]|[shippingservice]|{protocols:TCP,dst_ports:50051}| -||[default]|[cartservice]|[default]|[redis-cart]|{protocols:TCP,dst_ports:6379}| diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml index 9c9099b88..ccb03e2b2 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml @@ -4,16 +4,18 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 + - src_ns: + - default + src_pods: + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - frontend + - productcatalogservice connection: - protocols: TCP dst_ports: - - 8080 + - 3550 - src_ns: - default src_pods: @@ -21,11 +23,11 @@ dst_ns: - default dst_pods: - - emailservice + - app in (paymentservice,shippingservice) connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: @@ -33,47 +35,47 @@ dst_ns: - default dst_pods: - - recommendationservice + - shippingservice connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: - - loadgenerator + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - protocols: TCP dst_ports: - - 8080 + - 5050 - src_ns: - default src_pods: - - frontend + - cartservice dst_ns: - default dst_pods: - - adservice + - redis-cart connection: - protocols: TCP dst_ports: - - 9555 + - 6379 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - checkoutservice + - currencyservice connection: - protocols: TCP dst_ports: - - 5050 + - 7000 - src_ns: - default src_pods: @@ -86,63 +88,61 @@ - protocols: TCP dst_ports: - 7070 - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - currencyservice + - frontend connection: - protocols: TCP dst_ports: - - 7000 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - checkoutservice dst_ns: - default dst_pods: - - productcatalogservice + - emailservice connection: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - recommendationservice connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - default src_pods: - - frontend + - loadgenerator dst_ns: - default dst_pods: - - shippingservice + - frontend connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - default src_pods: - - cartservice + - frontend dst_ns: - default dst_pods: - - redis-cart + - adservice connection: - protocols: TCP dst_ports: - - 6379 + - 9555 diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml index 2271900a7..9cb961e8f 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml @@ -30,16 +30,18 @@ - '*' connection: - All connections - - src_ip_block: - - 0.0.0.0/0 + - src_ns: + - default + src_pods: + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - frontend + - productcatalogservice connection: - protocols: TCP dst_ports: - - 8080 + - 3550 - src_ns: - default src_pods: @@ -47,11 +49,11 @@ dst_ns: - default dst_pods: - - emailservice + - app in (paymentservice,shippingservice) connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: @@ -59,119 +61,117 @@ dst_ns: - default dst_pods: - - recommendationservice + - shippingservice connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: - - loadgenerator + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - protocols: TCP dst_ports: - - 8080 + - 5050 - src_ns: - - kube-system + - default src_pods: - - '*' + - cartservice dst_ns: - default dst_pods: - - frontend + - redis-cart connection: - protocols: TCP dst_ports: - - 8080 + - 6379 - src_ns: - default src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - app in (checkoutservice,frontend) dst_ns: - - kube-system + - default dst_pods: - - '*' + - currencyservice connection: - - protocols: UDP + - protocols: TCP dst_ports: - - 53 + - 7000 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - adservice + - cartservice connection: - protocols: TCP dst_ports: - - 9555 - - src_ns: - - default - src_pods: - - frontend + - 7070 + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - protocols: TCP dst_ports: - - 5050 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - cartservice + - emailservice connection: - protocols: TCP dst_ports: - - 7070 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - currencyservice + - recommendationservice connection: - protocols: TCP dst_ports: - - 7000 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - loadgenerator dst_ns: - default dst_pods: - - productcatalogservice + - frontend connection: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - - default + - kube-system src_pods: - - checkoutservice + - '*' dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - frontend connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - default src_pods: @@ -179,20 +179,20 @@ dst_ns: - default dst_pods: - - shippingservice + - adservice connection: - protocols: TCP dst_ports: - - 50051 + - 9555 - src_ns: - default src_pods: - - cartservice + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - - default + - kube-system dst_pods: - - redis-cart + - '*' connection: - - protocols: TCP + - protocols: UDP dst_ports: - - 6379 + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml index 9800bcfe1..16eb1bf0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml @@ -4,16 +4,18 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 + - src_ns: + - default + src_pods: + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - frontend + - productcatalogservice connection: - protocols: TCP dst_ports: - - 8080 + - 3550 - src_ns: - default src_pods: @@ -21,11 +23,11 @@ dst_ns: - default dst_pods: - - emailservice + - app in (paymentservice,shippingservice) connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: @@ -33,119 +35,117 @@ dst_ns: - default dst_pods: - - recommendationservice + - shippingservice connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: - - loadgenerator + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - protocols: TCP dst_ports: - - 8080 + - 5050 - src_ns: - - kube-system + - default src_pods: - - '*' + - cartservice dst_ns: - default dst_pods: - - frontend + - redis-cart connection: - protocols: TCP dst_ports: - - 8080 + - 6379 - src_ns: - default src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - app in (checkoutservice,frontend) dst_ns: - - kube-system + - default dst_pods: - - k8s-app=kube-dns + - currencyservice connection: - - protocols: UDP + - protocols: TCP dst_ports: - - 53 + - 7000 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - adservice + - cartservice connection: - protocols: TCP dst_ports: - - 9555 - - src_ns: - - default - src_pods: - - frontend + - 7070 + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - checkoutservice + - frontend connection: - protocols: TCP dst_ports: - - 5050 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - checkoutservice dst_ns: - default dst_pods: - - cartservice + - emailservice connection: - protocols: TCP dst_ports: - - 7070 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend) + - frontend dst_ns: - default dst_pods: - - currencyservice + - recommendationservice connection: - protocols: TCP dst_ports: - - 7000 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - loadgenerator dst_ns: - default dst_pods: - - productcatalogservice + - frontend connection: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - - default + - kube-system src_pods: - - checkoutservice + - '*' dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - frontend connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - default src_pods: @@ -153,20 +153,20 @@ dst_ns: - default dst_pods: - - shippingservice + - adservice connection: - protocols: TCP dst_ports: - - 50051 + - 9555 - src_ns: - default src_pods: - - cartservice + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - - default + - kube-system dst_pods: - - redis-cart + - k8s-app=kube-dns connection: - - protocols: TCP + - protocols: UDP dst_ports: - - 6379 + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml index a5c8548a4..3d9830ae0 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml @@ -4,18 +4,32 @@ numerical_result: 0 explanation: - rules: + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All connections - src_ns: - - default + - kube-system src_pods: - - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections + - src_ns: + - kube-system + src_pods: + - '*' dst_ns: - kube-system dst_pods: - - k8s-app=kube-dns + - '*' connection: - - protocols: UDP - dst_ports: - - 53 + - All connections - src_ns: - default src_pods: @@ -29,16 +43,18 @@ dst_ports: - 23 - 8080 - - src_ip_block: - - 0.0.0.0/0 + - src_ns: + - default + src_pods: + - app in (checkoutservice,frontend,recommendationservice) dst_ns: - default dst_pods: - - frontend + - productcatalogservice connection: - protocols: TCP dst_ports: - - 8080 + - 3550 - src_ns: - default src_pods: @@ -46,11 +62,11 @@ dst_ns: - default dst_pods: - - emailservice + - app in (paymentservice,shippingservice) connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - default src_pods: @@ -58,47 +74,47 @@ dst_ns: - default dst_pods: - - recommendationservice + - shippingservice connection: - protocols: TCP dst_ports: - - 8080 + - 50051 - src_ns: - - kube-system + - default src_pods: - - '*' + - frontend dst_ns: - default dst_pods: - - frontend + - checkoutservice connection: - protocols: TCP dst_ports: - - 8080 + - 5050 - src_ns: - default src_pods: - - frontend + - cartservice dst_ns: - default dst_pods: - - adservice + - redis-cart connection: - protocols: TCP dst_ports: - - 9555 + - 6379 - src_ns: - default src_pods: - - frontend + - app in (checkoutservice,frontend) dst_ns: - default dst_pods: - - checkoutservice + - currencyservice connection: - protocols: TCP dst_ports: - - 5050 + - 7000 - src_ns: - default src_pods: @@ -111,89 +127,73 @@ - protocols: TCP dst_ports: - 7070 - - src_ns: - - default - src_pods: - - app in (checkoutservice,frontend) + - src_ip_block: + - 0.0.0.0/0 dst_ns: - default dst_pods: - - currencyservice + - frontend connection: - protocols: TCP dst_ports: - - 7000 + - 8080 - src_ns: - default src_pods: - - app in (checkoutservice,frontend,recommendationservice) + - checkoutservice dst_ns: - default dst_pods: - - productcatalogservice + - emailservice connection: - protocols: TCP dst_ports: - - 3550 + - 8080 - src_ns: - default src_pods: - - checkoutservice + - frontend dst_ns: - default dst_pods: - - app in (paymentservice,shippingservice) + - recommendationservice connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - - default + - kube-system src_pods: - - frontend + - '*' dst_ns: - default dst_pods: - - shippingservice + - frontend connection: - protocols: TCP dst_ports: - - 50051 + - 8080 - src_ns: - default src_pods: - - cartservice + - frontend dst_ns: - default dst_pods: - - redis-cart + - adservice connection: - protocols: TCP dst_ports: - - 6379 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - 9555 - src_ns: - - kube-system + - default src_pods: - - '*' + - app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - kube-system dst_pods: - - '*' + - k8s-app=kube-dns connection: - - All connections + - protocols: UDP + dst_ports: + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml index 6212e0952..663efabc2 100644 --- a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml @@ -7,22 +7,22 @@ - src_ns: - default src_pods: - - '*' + - test=C dst_ns: - default dst_pods: - app=skydive connection: - - protocols: UDP - dst_ports: - - 53 + - All connections - src_ns: - default src_pods: - - test=C + - '*' dst_ns: - default dst_pods: - app=skydive connection: - - All connections + - protocols: UDP + dst_ports: + - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml index b4ee55b66..eb4720bd4 100644 --- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml @@ -7,22 +7,22 @@ - src_ns: - default src_pods: - - test in (A,B) + - test=C dst_ns: - default dst_pods: - app=skydive connection: - - protocols: UDP - dst_ports: - - 53 + - All connections - src_ns: - default src_pods: - - test=C + - test in (A,B) dst_ns: - default dst_pods: - app=skydive connection: - - All connections + - protocols: UDP + dst_ports: + - 53 From 3b302282752666ba67bfdb31dc503e4613b4155a Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 15:58:39 +0300 Subject: [PATCH 80/89] More fixed expected results. Small fix in printing TCP connections in dot format. Signed-off-by: Tanya --- nca/FWRules/DotGraph.py | 3 +- .../livesim_test_all_dot.dot | 6 +- .../livesim_test_all_txt.txt | 4 +- ...vity_test_methods_basic_1_query_output.txt | 2 +- ...ity_test_methods_basic_1_query_output.yaml | 25 ++++--- ...vity_test_methods_basic_2_query_output.txt | 4 +- ...ity_test_methods_basic_2_query_output.yaml | 24 +++---- ...vity_test_methods_paths_1_query_output.txt | 2 +- ...ity_test_methods_paths_1_query_output.yaml | 27 +++---- ...ty_test_operation_allow_1_query_output.txt | 2 +- ...y_test_operation_allow_1_query_output.yaml | 6 +- ...ity_test_operation_deny_1_query_output.txt | 4 +- ...ty_test_operation_deny_1_query_output.yaml | 38 +++++----- .../istio-test1-scheme_query1_output.txt | 4 +- .../istio-test1-scheme_query1_output.yaml | 6 +- .../istio-test1-scheme_query2_output.txt | 6 +- .../istio-test1-scheme_query2_output.yaml | 9 +-- ...scheme_query_connectivity_map_4_output.csv | 4 +- ...-scheme_query_connectivity_map_4_output.md | 4 +- ...cheme_query_connectivity_map_4_output.yaml | 8 +-- ...boutique_multi_layer_from_live_cluster.txt | 28 ++++---- ...est-connectivity-map-missing-resources.dot | 70 +++++++++---------- ...-and-k8s-ingress-test-connectivity-map.dot | 70 +++++++++---------- ...est-connectivity-map-missing-resources.dot | 38 +++++----- ...ex-istio-ingress-test-connectivity-map.dot | 38 +++++----- ...nectivity-bookinfo-demo-by-deployments.dot | 10 +-- .../connectivity-bookinfo-demo-by-pods.dot | 10 +-- ...tivity_map_of_onlineboutique_resources.txt | 20 +++--- ...boutique_resources_with_istio_gateways.txt | 24 +++---- ...ly_istio_ingress_test_connectivity_map.txt | 4 +- .../istio_egress_test_connectivity_map.txt | 4 +- .../istio_ingress_test_connectivity_map.txt | 6 +- ...es_connectivity_map_with_baseline_rule.txt | 18 ++--- ...synth_res_connectivity_map_wo_fw_rules.txt | 30 ++++---- ...ars-and-gateways-test-connectivity-map.txt | 6 +- 35 files changed, 271 insertions(+), 293 deletions(-) diff --git a/nca/FWRules/DotGraph.py b/nca/FWRules/DotGraph.py index 1d983cb3a..0323ea4a4 100644 --- a/nca/FWRules/DotGraph.py +++ b/nca/FWRules/DotGraph.py @@ -232,9 +232,8 @@ def _set_labels_dict(self): # for each label, the short will look like "tcp" if there is a port, or "TCP" if there is no port for label in self.labels: splitted_label = label.replace('{', '').replace('}', '').split(',') - label_type = self.get_val_by_key_from_list(splitted_label, 'protocols') + label_type = self.get_val_by_key_from_list(splitted_label, 'protocols') or 'TCP' label_port = self.get_val_by_key_from_list(splitted_label, 'dst_ports') - assert label == 'All' or label_type # a 'dst_ports' can be too long (like 'port0,port1-port2' ) we trim it to the first port: if len(label_port) > 6: label_port = label_port.split(',')[0].split('-')[0] diff --git a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot index 5223c5e3b..e5812eb26 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot +++ b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp5678 {protocols:TCP,dst_ports:5678,...
tcp80 {protocols:TCP,dst_ports:80,ho...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp5678 {dst_ports:5678,paths:/foo(/*)?}
tcp80 {dst_ports:80,hosts:httpbin.ex...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" @@ -42,8 +42,8 @@ subgraph cluster_kube_system_namespace{ "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="{protocols:TCP,dst_ports:5678,paths:/foo(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="{protocols:TCP,dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="{dst_ports:5678,paths:/foo(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="{dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system/kube-dns-livesim(Pod)" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "default/httpbin(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index 10663c513..0e714c6eb 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: {protocols:TCP,dst_ports:5678,paths:/foo(/*)?} -src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)} +src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: {dst_ports:5678,paths:/foo(/*)?} +src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: {dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt index d5cd0cce5..5f9b270e7 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,dst_ports:80,methods:GET} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {dst_ports:80,methods:GET} src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml index 1a08b2ebd..3d03b0ec3 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml @@ -4,19 +4,6 @@ numerical_result: 0 explanation: - TCP_rules: - - src_ns: - - default - src_pods: - - app=productpage - dst_ns: - - default - dst_pods: - - app=details - connection: - - protocols: TCP - dst_ports: - - 80 - methods: GET - src_ns: - default src_pods: @@ -35,6 +22,18 @@ - app=reviews connection: - All connections + - src_ns: + - default + src_pods: + - app=productpage + dst_ns: + - default + dst_pods: + - app=details + connection: + - dst_ports: + - 80 + methods: GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt index 89a233b16..5fe9a2a5f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,methods:all but GET} -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: {protocols:TCP,methods:PUT} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {methods:all but GET} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: {methods:PUT} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml index 5e95901d7..ff4bd6931 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml @@ -7,14 +7,11 @@ - src_ns: - default src_pods: - - app=productpage - dst_ns: - - default - dst_pods: - - app=details + - '*' + dst_ip_block: + - 0.0.0.0/0 connection: - - protocols: TCP - methods: all but GET + - All connections - src_ns: - default src_pods: @@ -24,16 +21,17 @@ dst_pods: - app=reviews connection: - - protocols: TCP - methods: PUT + - methods: PUT - src_ns: - default src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 + - app=productpage + dst_ns: + - default + dst_pods: + - app=details connection: - - All connections + - methods: all but GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt index 4a5c212e0..3cd82724a 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,dst_ports:80,methods:GET,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3},{protocols:TCP,dst_ports:80,methods:GET,hosts:all but allowed-host.com, disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:80,methods:PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:80,methods:all but GET, PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{protocols:TCP,dst_ports:90,methods:GET, PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{protocols:TCP,dst_ports:100,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{protocols:TCP,dst_ports:100,methods:all but PUT,hosts:all but allowed-host.com,paths:/some/path3},{protocols:TCP,dst_ports:100,methods:PUT,paths:/some/path3},{protocols:TCP,dst_ports:1-79,81-89,91-99,101-65535,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {dst_ports:80,methods:GET,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3},{dst_ports:80,methods:GET,hosts:all but allowed-host.com, disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:80,methods:PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:80,methods:all but GET, PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{dst_ports:90,methods:GET, PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:100,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{dst_ports:100,methods:all but PUT,hosts:all but allowed-host.com,paths:/some/path3},{dst_ports:100,methods:PUT,paths:/some/path3},{dst_ports:1-79,81-89,91-99,101-65535,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml index 41f96cef0..cc2f13443 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml @@ -21,55 +21,46 @@ dst_pods: - app=details connection: - - protocols: TCP - dst_ports: + - dst_ports: - 80 methods: GET hosts: allowed-host.com paths: all but /bad/path1, /bad/path3 - - protocols: TCP - dst_ports: + - dst_ports: - 80 methods: GET hosts: all but allowed-host.com, disallowed-host.com paths: /good_path1, /good_path2, /some/path2 - - protocols: TCP - dst_ports: + - dst_ports: - 80 methods: PUT hosts: all but disallowed-host.com paths: /good_path1, /good_path2, /some/path2 - - protocols: TCP - dst_ports: + - dst_ports: - 80 methods: all but GET, PUT hosts: allowed-host.com paths: all but /bad/path1, /bad/path3, /some/path2 - - protocols: TCP - dst_ports: + - dst_ports: - 90 methods: GET, PUT hosts: all but disallowed-host.com paths: /good_path1, /good_path2, /some/path2 - - protocols: TCP - dst_ports: + - dst_ports: - 100 methods: all but PUT hosts: allowed-host.com paths: all but /bad/path1, /bad/path3, /some/path2 - - protocols: TCP - dst_ports: + - dst_ports: - 100 methods: all but PUT hosts: all but allowed-host.com paths: /some/path3 - - protocols: TCP - dst_ports: + - dst_ports: - 100 methods: PUT paths: /some/path3 - - protocols: TCP - dst_ports: + - dst_ports: - 1-79 - 81-89 - 91-99 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt index d0b54ec3b..636c0bb6d 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {protocols:TCP,methods:GET,paths:/info*},{protocols:TCP,methods:POST,paths:/data} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {methods:GET,paths:/info*},{methods:POST,paths:/data} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml index 56c44d826..c7b924a3d 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml @@ -21,11 +21,9 @@ dst_pods: - app=details connection: - - protocols: TCP - methods: GET + - methods: GET paths: /info* - - protocols: TCP - methods: POST + - methods: POST paths: /data non-TCP_rules: - src_ip_block: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt index c628dacae..d79f5161a 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-deny-1, config: istio-test-operation-deny-1: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,methods:all but GET} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {methods:all but GET} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,methods:all but GET} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {methods:all but GET} src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [app=details] dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml index efd77f3f2..f39692360 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml @@ -4,26 +4,6 @@ numerical_result: 0 explanation: - TCP_rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - '*' - connection: - - protocols: TCP - methods: all but GET - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - default - dst_pods: - - '*' - connection: - - protocols: TCP - methods: all but GET - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -60,6 +40,24 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - methods: all but GET + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - default + dst_pods: + - '*' + connection: + - methods: all but GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt index 76f409cb8..53c48ff2f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt @@ -1,11 +1,11 @@ For connections of type TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:26257} +src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: {dst_ports:26257} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:26257} +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {dst_ports:26257} For connections of type non-TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml index 0d9aef2ef..fb533b56f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml @@ -11,8 +11,7 @@ dst_pods: - '*' connection: - - protocols: TCP - dst_ports: + - dst_ports: - 26257 - src_ns: - default @@ -24,8 +23,7 @@ dst_pods: - '*' connection: - - protocols: TCP - dst_ports: + - dst_ports: - 26257 - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt index b3b99f0aa..4330f880c 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt @@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: istio-policy2, config: istio-policy2: -src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:TCP,dst_ports:30,50} +src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: {dst_ports:30,50} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:TCP,dst_ports:30,50} -src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:30,50} +src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {dst_ports:30,50} +src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: {dst_ports:30,50} For connections of type non-TCP, final fw rules for query: istio-policy2, config: istio-policy2: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml index 697a639e2..28af32589 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml @@ -12,8 +12,7 @@ dst_pods: - app=skydive connection: - - protocols: TCP - dst_ports: + - dst_ports: - 30 - 50 - src_ns: @@ -26,8 +25,7 @@ dst_pods: - app=skydive connection: - - protocols: TCP - dst_ports: + - dst_ports: - 30 - 50 - src_ns: @@ -39,8 +37,7 @@ dst_pods: - '*' connection: - - protocols: TCP - dst_ports: + - dst_ports: - 30 - 50 - src_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv index 54731a950..713eb0336 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv @@ -3,9 +3,9 @@ "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", -"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", -"","[ibm-system-new]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-90}", "","[kube-system-new-dummy-to-ignore]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-88}", +"","[ibm-system-new]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-90}", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_4, config: np3","","","","","", diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md index 3a831eb0e..86bb521ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md @@ -4,9 +4,9 @@ |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| -||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| -||[ibm-system-new]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-90}| ||[kube-system-new-dummy-to-ignore]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-88}| +||[ibm-system-new]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-90}| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml index a36e52ad7..7e774d8ae 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml @@ -41,7 +41,7 @@ connection: - All connections - src_ns: - - default + - kube-system-new-dummy-to-ignore src_pods: - '*' dst_ns: @@ -51,7 +51,7 @@ connection: - protocols: TCP dst_ports: - - 85-90 + - 80-88 - src_ns: - ibm-system-new src_pods: @@ -65,7 +65,7 @@ dst_ports: - 80-90 - src_ns: - - kube-system-new-dummy-to-ignore + - default src_pods: - '*' dst_ns: @@ -75,7 +75,7 @@ connection: - protocols: TCP dst_ports: - - 80-88 + - 85-90 - query: connectivity_map_4 configs: - np3 diff --git a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt index 9ff81c2ea..fb3c870fd 100644 --- a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt +++ b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt @@ -3,26 +3,26 @@ src: 0.0.0.0/0 dst_ns: [default,kube-system,local-path-storage,projectcontour] d src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections -src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:8443,hosts:httpbin.example.com} +src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:8443,hosts:httpbin.example.com} src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,projectcontour] src_pods: [*] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} -src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST,hosts:ob.alwaysupalwayson.com} +src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST,hosts:ob.alwaysupalwayson.com} src_ns: [istio-system] src_pods: [istiod] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [istiod] dst: connected-with-mesh.example.com conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:8443,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:8443,hosts:httpbin.example.com} src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src: 0.0.0.0/0 dst_ns: [default,istio-system,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot index 66074b235..f58ddb8fa 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -64,40 +64,40 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot index 661be8577..85f1fad9a 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -51,41 +51,41 @@ All"] "example/deploy-gggg(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot index e981426f7..7780b7cf6 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -53,24 +53,24 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot index 6412b4bd7..f31bcfab0 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
tcp9950e {protocols:TCP,dst_ports:9950,...
tcp9950f {protocols:TCP,dst_ports:9950,...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" @@ -48,24 +48,24 @@ All"] "example/deploy-hhhh(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot index 328b5da08..c707cc09f 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP {protocols:TCP,methods:GET}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway(Deployment-StatefulSet)"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot index 089763b4f..420b40f25 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP {protocols:TCP,methods:GET}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] @@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway-55d9fb9f-f4mzz"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1-79f774bdb9-tw7sj" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1-6b746f74dc-kkzzk" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1-b6994bb9-gl27w" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1-545db77b95-2ps7q" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="{protocols:TCP,methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt index d885e1007..448d9387d 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt @@ -1,15 +1,15 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt index 54bc6d744..14d6ec1c6 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt @@ -1,18 +1,18 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [onlineboutique] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections -src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} +src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways: src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt index f1db51236..ef2a666df 100644 --- a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: {protocols:TCP,dst_ports:8761,paths:/flights(/*)?} -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: {protocols:TCP,dst_ports:8762,paths:/horas(/*)?} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: {dst_ports:8761,paths:/flights(/*)?} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: {dst_ports:8762,paths:/horas(/*)?} src_ns: [default] src_pods: [fly-api, hora-api] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [fly-api, hora-api] dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt index 5e025e2f8..7ea97a315 100644 --- a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt @@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections -src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} +src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} For connections of type non-TCP, final fw rules for query: connectivity, config: istio-egress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt index 392f80198..981d47e7e 100644 --- a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt @@ -2,9 +2,9 @@ For connections of type TCP, final fw rules for query: connectivity, config: ist src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: {protocols:TCP,dst_ports:5555,hosts:mongosvr.prod.svc.cluster.local} -src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: {protocols:TCP,dst_ports:9080,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local,paths:/reviews(/*)?} -src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: {protocols:TCP,dst_ports:7777,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local} +src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: {dst_ports:5555,hosts:mongosvr.prod.svc.cluster.local} +src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: {dst_ports:9080,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local,paths:/reviews(/*)?} +src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: {dst_ports:7777,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local} For connections of type non-TCP, final fw rules for query: connectivity, config: istio-ingress: src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt index 51bf629db..ab2ad8a90 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt @@ -2,15 +2,15 @@ For connections of type TCP, final fw rules for query: new_online_boutique_synth src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {dst_ports:3550} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080} For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map_with_baseline_rule, config: new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service: src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt index c552cbb2a..47e6a5be9 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt @@ -7,35 +7,35 @@ default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections -default/checkoutservice[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} -default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} -default/checkoutservice[Deployment] => default/emailservice[Deployment] : {protocols:TCP,dst_ports:8080} -default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {protocols:TCP,dst_ports:50051} -default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} -default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/checkoutservice[Deployment] => default/cartservice[Deployment] : {dst_ports:7070} +default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {dst_ports:7000} +default/checkoutservice[Deployment] => default/emailservice[Deployment] : {dst_ports:8080} +default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {dst_ports:50051} +default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550} +default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {dst_ports:50051} default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections -default/frontend[Deployment] => default/adservice[Deployment] : {protocols:TCP,dst_ports:9555} -default/frontend[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070} -default/frontend[Deployment] => default/checkoutservice[Deployment] : {protocols:TCP,dst_ports:5050} -default/frontend[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000} -default/frontend[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} -default/frontend[Deployment] => default/recommendationservice[Deployment] : {protocols:TCP,dst_ports:8080} -default/frontend[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051} +default/frontend[Deployment] => default/adservice[Deployment] : {dst_ports:9555} +default/frontend[Deployment] => default/cartservice[Deployment] : {dst_ports:7070} +default/frontend[Deployment] => default/checkoutservice[Deployment] : {dst_ports:5050} +default/frontend[Deployment] => default/currencyservice[Deployment] : {dst_ports:7000} +default/frontend[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550} +default/frontend[Deployment] => default/recommendationservice[Deployment] : {dst_ports:8080} +default/frontend[Deployment] => default/shippingservice[Deployment] : {dst_ports:50051} default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections -default/loadgenerator[Deployment] => default/frontend[Deployment] : {protocols:TCP,dst_ports:8080} +default/loadgenerator[Deployment] => default/frontend[Deployment] : {dst_ports:8080} default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections -default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550} +default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550} default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections diff --git a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt index 31261d68e..d774569b0 100644 --- a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt +++ b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt @@ -3,14 +3,14 @@ src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst: connected_with_mesh.example.com conn: All connections -src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:443,hosts:httpbin.example.com} +src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app not in (adservice,checkoutservice,frontend,loadgenerator,recommendationservice)] conn: All connections src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app not in (emailservice,frontend,loadgenerator,paymentservice)] conn: All connections src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: All connections -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {protocols:TCP,dst_ports:80,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} For connections of type non-TCP, final fw rules for query: onlineboutique-sidecars-connectivity, config: onlineboutique-sidecars-and-gateways: src: 0.0.0.0/0 dst_ns: [asm-ingress,default,istio-system] dst_pods: [*] conn: All connections From b7690964d6332c06389db02fbb5b73df16de18fa Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 16:12:31 +0300 Subject: [PATCH 81/89] Added some doc Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 3871552ee..8b939a640 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -577,6 +577,15 @@ def _reorder_list_by_map(orig_list, new_to_old_map): @staticmethod def extract_src_dst_peers_from_cube(the_cube, peer_container, relevant_protocols=ProtocolSet(True)): + """ + Remove src_peers and dst_peers from the given cube, and return those sets of peers + and the resulting properties without the peers. + :param ConnectivityCube the_cube: the given cube + :param PeerContainer peer_container: the peer container + :param relevant_protocols: the relevant protocols used to represent all protocols + :return: tuple(ConnectivityProperties, PeerSet, PeerSet) - the resulting properties after removing + src_peers and dst_peers, src_peers, dst_peers + """ all_peers = peer_container.get_all_peers_group(True) conn_cube = the_cube.copy() src_peers = conn_cube["src_peers"] or all_peers From c1dc05bc2b3c06de2cf427808ef0602906cee915 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 19:05:28 +0300 Subject: [PATCH 82/89] Removed no longer used named_ports and excluded_named_ports in ConnectivityProperties. Removed outdated unit tests. Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 121 +----------------- .../testConnectivityPropertiesNamedPorts.py | 90 ------------- 2 files changed, 6 insertions(+), 205 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 8b939a640..09b37119c 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -24,8 +24,6 @@ class ConnectivityProperties(CanonicalHyperCubeSet): ConnectivityProperties potentially hold all the dimensions, including sets of source peers and destination peers. The connectivity properties are built at the parse time for every policy. - The named ports are resolved during the construction, therefore in the optimized solution named_ports and - excluded_named_ports fields are not used. The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when @@ -36,23 +34,9 @@ class ConnectivityProperties(CanonicalHyperCubeSet): and to set it to relevant values per query, and to make a special treatment of these dimensions in the above operators. - Also, including support for (included and excluded) named ports (relevant for dest ports only). - - The representation with named ports is considered a mid-representation, and is required due to the late binding - of the named ports to real ports numbers. - The method convert_named_ports is responsible for applying this late binding, and is called by a policy's method - allowed_connections() to get policy's allowed connections, given peers and direction ingress/egress - Given a specific dest-peer context, the pod's named ports mapping is known, and used for the named ports conversion. - Some of the operators for ConnectivityProperties are not supported for objects with (included and excluded) named ports. - For example, in the general case, the result for (all but port "x") | (all but port 10) has 2 options: - (1) if the dest pod has named port "x" mapped to 10 -> the result would be: (all but port 10) - (2) otherwise, the result would be: (all ports) - Thus, for the 'or' operator, the assumption is that excluded named ports is empty for both input objects. - Some methods, such as bool(), str(), may not return accurate results on objects with named ports (included/excluded) - since they depend on the late binding with actual dest pod context. - The current actual flow for using named ports is limited for the following: - (1) k8s: only +ve named ports, no src named ports, and only use of 'or' operators between these objects. - (2) calico: +ve and -ve named ports, no src named ports, and no use of operators between these objects. + Also, including support for (included and excluded) named ports (relevant for dest ports only), which are + resolved during the construction of ConnectivityProperties. + """ def __init__(self, dimensions_list=None, create_all=False): @@ -61,8 +45,6 @@ def __init__(self, dimensions_list=None, create_all=False): :param create_all: whether to create full connectivity properties. """ super().__init__(dimensions_list if dimensions_list else ConnectivityCube.all_dimensions_list) - self.named_ports = {} # a mapping from dst named port (String) to src ports interval set - self.excluded_named_ports = {} # a mapping from dst named port (String) to src ports interval set if create_all: self.set_all() @@ -88,16 +70,9 @@ def _make_conn_props_no_named_ports_resolution(conn_cube): src_ports = conn_cube["src_ports"] dst_ports = conn_cube["dst_ports"] assert not src_ports.named_ports and not src_ports.excluded_named_ports - all_ports = PortSet.all_ports_interval.copy() - for port_name in dst_ports.named_ports: - res.named_ports[port_name] = src_ports.port_set - for port_name in dst_ports.excluded_named_ports: - res.excluded_named_ports[port_name] = all_ports + assert not dst_ports.named_ports and not dst_ports.excluded_named_ports return res - def __bool__(self): - return super().__bool__() or bool(self.named_ports) - def __str__(self): if self.is_all(): return 'All connections' @@ -183,9 +158,7 @@ def get_properties_obj(self): def __eq__(self, other): if isinstance(other, ConnectivityProperties): - res = super().__eq__(other) and self.named_ports == other.named_ports and \ - self.excluded_named_ports == other.excluded_named_ports - return res + return super().__eq__(other) return False def __and__(self, other): @@ -203,85 +176,6 @@ def __sub__(self, other): res -= other return res - def __iand__(self, other): - assert not self.has_named_ports() - assert not isinstance(other, ConnectivityProperties) or not other.has_named_ports() - super().__iand__(other) - return self - - def __ior__(self, other): - assert not self.excluded_named_ports - assert not isinstance(other, ConnectivityProperties) or not other.excluded_named_ports - super().__ior__(other) - if isinstance(other, ConnectivityProperties): - res_named_ports = dict({}) - for port_name in self.named_ports: - res_named_ports[port_name] = self.named_ports[port_name] - for port_name in other.named_ports: - if port_name in res_named_ports: - res_named_ports[port_name] |= other.named_ports[port_name] - else: - res_named_ports[port_name] = other.named_ports[port_name] - self.named_ports = res_named_ports - return self - - def __isub__(self, other): - assert not self.has_named_ports() - assert not isinstance(other, ConnectivityProperties) or not other.has_named_ports() - super().__isub__(other) - return self - - def contained_in(self, other): - """ - :param ConnectivityProperties other: another connectivity properties - :return: Whether all (source port, target port) pairs in self also appear in other - :rtype: bool - """ - assert not self.has_named_ports() - assert not other.has_named_ports() - return super().contained_in(other) - - def has_named_ports(self): - return self.named_ports or self.excluded_named_ports - - def get_named_ports(self): - res = set() - res |= set(self.named_ports.keys()) - res |= set(self.excluded_named_ports.keys()) - return res - - def convert_named_ports(self, named_ports, protocol): - """ - Replaces all references to named ports with actual ports, given a mapping - NOTE: that this function modifies self - :param dict[str, (int, int)] named_ports: The mapping from a named to port (str) to the actual port number - :param int protocol: The relevant protocol - :return: None - """ - if not named_ports: - named_ports = {} - - my_named_ports = self.named_ports - self.named_ports = {} - my_excluded_named_ports = self.excluded_named_ports - self.excluded_named_ports = {} - - active_dims = ["src_ports", "dst_ports"] - for port in my_named_ports: - real_port = named_ports.get(port) - if real_port and real_port[1] == protocol: - real_port_number = real_port[0] - rectangle = [my_named_ports[port], - CanonicalIntervalSet.get_interval_set(real_port_number, real_port_number)] - self.add_cube(rectangle, active_dims) - for port in my_excluded_named_ports: - real_port = named_ports.get(port) - if real_port and real_port[1] == protocol: - real_port_number = real_port[0] - rectangle = [my_excluded_named_ports[port], - CanonicalIntervalSet.get_interval_set(real_port_number, real_port_number)] - self.add_hole(rectangle, active_dims) - def copy(self): """ :rtype: ConnectivityProperties @@ -290,9 +184,6 @@ def copy(self): for layer in self.layers: res.layers[self._copy_layer_elem(layer)] = self.layers[layer].copy() res.active_dimensions = self.active_dimensions.copy() - - res.named_ports = self.named_ports.copy() - res.excluded_named_ports = self.excluded_named_ports.copy() return res def print_diff(self, other, self_name, other_name): @@ -403,7 +294,7 @@ def make_conn_props(conn_cube): return ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) # Should resolve named ports - assert conn_cube.is_active_dim("dst_peers") +# assert conn_cube.is_active_dim("dst_peers") # Initialize conn_properties if dst_ports.port_set: dst_ports_no_named_ports = PortSet() diff --git a/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py b/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py index ee9d1b684..c2ac6e1c5 100644 --- a/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py +++ b/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py @@ -1,5 +1,4 @@ import unittest -from nca.CoreDS.CanonicalIntervalSet import CanonicalIntervalSet from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @@ -9,93 +8,6 @@ class TestNamedPorts(unittest.TestCase): - def test_k8s_flow(self): - """ - dest ports with named ports, and 'or' between Tcp properties with named ports - """ - src_res_ports = PortSet(True) - dst_res_ports = PortSet() - dst_res_ports.add_port("x") - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties1 = ConnectivityProperties.make_conn_props(conn_cube) - dst_res_ports2 = PortSet() - dst_res_ports2.add_port("y") - conn_cube["dst_ports"] = dst_res_ports2 - tcp_properties2 = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_res = tcp_properties1 | tcp_properties2 - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (16, 6)} - tcp_properties_res.convert_named_ports(named_ports_dict, 6) - # print(tcp_properties_res) - cubes_list = tcp_properties_res._get_cubes_list_from_layers() - expected_res_cubes = [[CanonicalIntervalSet.get_interval_set(15, 16)]] - self.assertEqual(expected_res_cubes, cubes_list) - - def test_calico_flow_1(self): - """ - dest ports containing only positive named ports - """ - src_res_ports = PortSet() - dst_res_ports = PortSet() - src_res_ports.add_port_range(1, 100) - dst_res_ports.add_port("x") - dst_res_ports.add_port("y") - dst_res_ports.add_port("z") - dst_res_ports.add_port("w") - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_2 = tcp_properties.copy() - - self.assertTrue(tcp_properties.has_named_ports()) - self.assertEqual(tcp_properties.get_named_ports(), {"x","y","z", "w"}) - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (200, 17)} - tcp_properties.convert_named_ports(named_ports_dict, 6) - #print(tcp_properties) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), CanonicalIntervalSet.get_interval_set(15,15) | CanonicalIntervalSet.get_interval_set(20,20))} - self.assertEqual(expected_res_cubes, tcp_properties._get_cubes_set()) - - self.assertTrue(tcp_properties_2.has_named_ports()) - self.assertEqual(tcp_properties_2.get_named_ports(), {"x","y","z", "w"}) - tcp_properties_2.convert_named_ports(named_ports_dict, 17) - #print(tcp_properties_2) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), CanonicalIntervalSet.get_interval_set(200,200))} - self.assertEqual(expected_res_cubes, tcp_properties_2._get_cubes_set()) - - def test_calico_flow_2(self): - """ - dest ports containing only negative named ports - """ - src_res_ports = PortSet() - not_ports = PortSet() - not_ports.add_port("x") - not_ports.add_port("y") - not_ports.add_port("z") - not_ports.add_port("w") - dst_res_ports = PortSet(True) - dst_res_ports -= not_ports - src_res_ports.add_port_range(1, 100) - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_2 = tcp_properties.copy() - - self.assertTrue(tcp_properties.has_named_ports()) - self.assertEqual(tcp_properties.get_named_ports(), {"x","y","z", "w"}) - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (200, 17)} - tcp_properties.convert_named_ports(named_ports_dict, 6) - #print(tcp_properties) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), - CanonicalIntervalSet.get_interval_set(1,14) | - CanonicalIntervalSet.get_interval_set(16,19) | - CanonicalIntervalSet.get_interval_set(21,65535))} - self.assertEqual(expected_res_cubes, tcp_properties._get_cubes_set()) - - self.assertTrue(tcp_properties_2.has_named_ports()) - self.assertEqual(tcp_properties_2.get_named_ports(), {"x","y","z", "w"}) - tcp_properties_2.convert_named_ports(named_ports_dict, 17) - #print(tcp_properties_2) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), - CanonicalIntervalSet.get_interval_set(1,199) | - CanonicalIntervalSet.get_interval_set(201,65535))} - self.assertEqual(expected_res_cubes, tcp_properties_2._get_cubes_set()) def test_optimized_flow(self): default_namespace = K8sNamespace("default") @@ -127,7 +39,6 @@ def test_optimized_flow(self): "src_ports": src_ports, "dst_ports": dst_ports, "protocols": ProtocolSet.get_protocol_set_with_single_protocol("TCP")}) props_with_tcp = ConnectivityProperties.make_conn_props(conn_cube) - self.assertFalse(props_with_tcp.has_named_ports()) tcp_ports_for_pod_a = PortSet.make_port_set_with_range(200, 300) tcp_ports_for_pod_a.add_port_range(600, 600) tcp_ports_for_pod_b = PortSet.make_port_set_with_range(200, 300) @@ -156,7 +67,6 @@ def test_optimized_flow(self): "src_ports": src_ports, "dst_ports": dst_ports, "protocols": ProtocolSet.get_protocol_set_with_single_protocol("UDP")}) props_with_udp = ConnectivityProperties.make_conn_props(conn_cube) - self.assertFalse(props_with_udp.has_named_ports()) udp_ports_for_pod_a = PortSet.make_port_set_with_range(200, 300) udp_ports_for_pod_a.add_port_range(400, 400) udp_ports_for_pod_b = PortSet.make_port_set_with_range(200, 300) From 4926dd9dabfc2019dfcd805304e6f919cac888d5 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 21 May 2024 19:16:00 +0300 Subject: [PATCH 83/89] Small fixes Signed-off-by: Tanya --- nca/CoreDS/ConnectivityProperties.py | 1 - .../policies/calico-testcase14-scheme.yaml | 14 +++++++------- .../calico-testcase14-scheme_output.txt | 2 +- 3 files changed, 8 insertions(+), 9 deletions(-) diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 09b37119c..038d4a90c 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -3,7 +3,6 @@ # SPDX-License-Identifier: Apache2.0 # -from .CanonicalIntervalSet import CanonicalIntervalSet from .CanonicalHyperCubeSet import CanonicalHyperCubeSet from .DimensionsManager import DimensionsManager from .PortSet import PortSet diff --git a/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml b/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml index 5023a0b85..99a6c4f6a 100644 --- a/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml +++ b/tests/fw_rules_tests/policies/calico-testcase14-scheme.yaml @@ -7,13 +7,13 @@ networkConfigList: - calico-policy-deny-all.yaml expectedWarnings: 0 queries: -#- name: match-icmp-also-within-default-test -# connectivityMap: -# - match-icmp-also-within-default -# expected: 0 -# outputConfiguration: -# fwRulesRunInTestMode: false -# expectedOutput: expected_output/calico-testcase14-scheme_output.txt +- name: match-icmp-also-within-default-test + connectivityMap: + - match-icmp-also-within-default + expected: 0 + outputConfiguration: + fwRulesRunInTestMode: false + expectedOutput: expected_output/calico-testcase14-scheme_output.txt - name: match-icmp-also-within-default-test-yaml connectivityMap: - match-icmp-also-within-default diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt index ba1d8db4d..d72899e33 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: match-icmp-also-within-default-test, config: match-icmp-also-within-default: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: {'protocols': 'ICMP', 'icmp_type': '100', 'icmp_code': '230'} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: {protocols:ICMP,icmp_type:100,icmp_code:230} From 16869e8e986ed965ccb26eb7cfffb5a9d6a962d3 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 2 Jun 2024 11:11:56 +0300 Subject: [PATCH 84/89] Updates of some more expected results. Removed --optimized_run flag. Removed ConnectionSet class. Signed-off-by: Tanya --- nca/CoreDS/ConnectionSet.py | 584 ------------------ nca/CoreDS/ConnectivityProperties.py | 13 +- nca/FWRules/MinimizeBasic.py | 6 +- nca/NetworkConfig/NetworkConfig.py | 6 +- nca/NetworkConfig/NetworkConfigQuery.py | 35 +- nca/NetworkConfig/PoliciesFinder.py | 9 +- nca/NetworkConfig/ResourcesHandler.py | 23 +- nca/Parsers/CalicoPolicyYamlParser.py | 3 +- nca/Parsers/K8sPolicyYamlParser.py | 3 +- nca/SchemeRunner.py | 28 +- nca/nca_cli.py | 26 +- ...nfig-1-calico-ingress-config-allow-all.txt | 2 +- .../testcase8-semantic-diff-query.txt | 2 +- .../calico-testcase13-scheme_output.txt | 2 +- ...onnectivity_map_denyFirst_query_output.txt | 2 +- .../online_boutique/connectivity-scheme.yaml | 34 +- .../new_online_boutique_connectivity_map.txt | 26 +- ...ne_boutique_synth_res_connectivity_map.txt | 20 +- tests/run_all_tests.py | 67 +- 19 files changed, 140 insertions(+), 751 deletions(-) delete mode 100644 nca/CoreDS/ConnectionSet.py diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py deleted file mode 100644 index 42d44d26c..000000000 --- a/nca/CoreDS/ConnectionSet.py +++ /dev/null @@ -1,584 +0,0 @@ -# -# Copyright 2020- IBM Inc. All rights reserved -# SPDX-License-Identifier: Apache2.0 -# - -from .CanonicalIntervalSet import CanonicalIntervalSet -from .ConnectivityProperties import ConnectivityProperties -from .ProtocolNameResolver import ProtocolNameResolver -from .ProtocolSet import ProtocolSet - - -class ConnectionSet: - """ - This class holds a set of connections and allows several manipulations on this set such as union, intersection, ... - """ - _icmp_protocols = {1, 58} - port_supporting_protocols = {6, 17, 132} - _max_protocol_num = 255 - _min_protocol_num = 0 - - def __init__(self, allow_all=False): - self.allowed_protocols = {} # a map from protocol number (0-255) to allowed properties (ports, icmp) - self.allow_all = allow_all # Shortcut to represent all connections, and then allowed_protocols is to be ignored - - def __bool__(self): - return self.allow_all or bool(self.allowed_protocols) - - def __eq__(self, other): - if isinstance(other, ConnectionSet): - return self.allow_all == other.allow_all and self.allowed_protocols == other.allowed_protocols - return False - - def __lt__(self, other): - if self.allow_all: - return False - if other.allow_all: - return True - if len(self.allowed_protocols) != len(other.allowed_protocols): - return len(self.allowed_protocols) < len(other.allowed_protocols) - return str(self) < str(other) - - def __hash__(self): - return hash((frozenset(self.allowed_protocols.keys()), self.allow_all)) - - def get_simplified_connections_representation(self, is_str, use_complement_simplification=True): - """ - Get a simplified representation of the connection set - choose shorter version between self and its complement. - representation as str is a string representation, and not str is representation as list of objects. - The representation is used at fw-rules representation of the connection. - :param bool is_str: should get str representation (True) or list representation (False) - :param bool use_complement_simplification: should choose shorter rep between self and complement - :return: the required representation of the connection set - :rtype Union[str, list] - """ - if self.allow_all or not self.allowed_protocols: - return self._get_connections_representation(is_str) - self_rep = self._get_connections_representation(is_str) - if not use_complement_simplification: - return self_rep - # check the alternative of the complement - complement = ConnectionSet(True) - self - complement_rep = complement._get_connections_representation(is_str) - if len(complement_rep) < len(self_rep): - return f'All but {complement_rep}' if is_str else [{"All but": complement_rep}] - return self_rep - - def _get_connections_representation(self, is_str): - """ - get the required representation of the connection set (str or list) for fw-rules output - :param bool is_str: should get str representation (True) or list representation (False) - :return: the required representation of the connection set - :rtype Union[str, list] - """ - if self.allow_all or not self.allowed_protocols: - return str(self) if is_str else [str(self)] - res = [] - protocols_ranges = CanonicalIntervalSet() - protocols = self.allowed_protocols - if is_str: - # aggregate specific representations: - protocols, aggregated_properties_txt = self._aggregate_connection_representation(self.allowed_protocols) - if aggregated_properties_txt != '': - res.append(aggregated_properties_txt) - for protocol in sorted(protocols): - if ProtocolNameResolver.is_standard_protocol(protocol): - protocol_text = ProtocolNameResolver.get_protocol_name(protocol) - properties = protocols[protocol] - res.append(self._get_protocol_with_properties_representation(is_str, protocol_text, properties)) - else: - # collect allowed protocols numbers into ranges - # assuming no properties objects for protocols numbers - protocols_ranges.add_interval(CanonicalIntervalSet.Interval(protocol, protocol)) - if protocols_ranges: - res += self._get_protocols_ranges_representation(is_str, protocols_ranges) - return ','.join(s for s in res) if is_str else res - - @staticmethod - def _aggregate_connection_representation(protocols): - """ - Aggregate shared properties of the protocols, for better human understanding. - :param dict protocols: a map from protocol number (1-255) to allowed properties - :return: dict protocols_not_aggregated: the rest of the protocol data that was not aggregated. - :return: str aggregation_results: a string of the aggregated representation - """ - protocols_not_aggregated = protocols - aggregation_results = '' - - # handle TCP+UDP ports aggregation (do not handle range segmentation overlapping) - tcp_protocol_number = ProtocolNameResolver.get_protocol_number('TCP') - udp_protocol_number = ProtocolNameResolver.get_protocol_number('UDP') - tcp_protocol = protocols_not_aggregated.get(tcp_protocol_number) - udp_protocol = protocols_not_aggregated.get(udp_protocol_number) - if tcp_protocol and udp_protocol and tcp_protocol.active_dimensions and \ - udp_protocol.active_dimensions == tcp_protocol.active_dimensions: - aggregation_results, protocols_not_aggregated = ConnectionSet._aggregate_pair_protocols(protocols_not_aggregated, - tcp_protocol_number, - udp_protocol_number) - if aggregation_results != '': # can be empty when all properties are allowed for both protocols - aggregation_results = 'TCP+UDP ' + aggregation_results - - # handle future aggregations here - - return protocols_not_aggregated, aggregation_results - - @staticmethod - def _aggregate_pair_protocols(protocols, protocol_number1, protocol_number2): - """ - Handles aggregation of 2 protocols' properties - :param protocols: The protocol dictionary so we can remove empty protocols after aggregation - :param protocol_number1: first protocol number to aggregate with the second - :param protocol_number2: second protocol number to aggregate - :return: str aggregated_properties: a string of the aggregated properties - :return: dict protocols_not_aggregated: the rest of the protocol data that was not aggregated. - """ - protocols_not_aggregated = protocols - aggregated_properties = protocols_not_aggregated[protocol_number1] & protocols_not_aggregated[protocol_number2] - if not aggregated_properties: - return '', protocols_not_aggregated - - protocol1_dif = protocols_not_aggregated[protocol_number1] - protocols_not_aggregated[protocol_number2] - protocol2_dif = protocols_not_aggregated[protocol_number2] - protocols_not_aggregated[protocol_number1] - protocols_not_aggregated = protocols.copy() - if protocol1_dif: - protocols_not_aggregated[protocol_number1] = protocol1_dif - else: - del protocols_not_aggregated[protocol_number1] - - if protocol2_dif: - protocols_not_aggregated[protocol_number2] = protocol2_dif - else: - del protocols_not_aggregated[protocol_number2] - - return str(aggregated_properties), protocols_not_aggregated - - @staticmethod - def _get_protocol_with_properties_representation(is_str, protocol_text, properties): - """ - :param bool is_str: should get str representation (True) or list representation (False) - :param str protocol_text: str description of protocol - :param Union[bool, ConnectivityProperties] properties: properties object of the protocol - :return: representation required for a given pair of protocol and its properties - :rtype: Union[dict, str] - """ - if not is_str: - protocol_obj = {'Protocol': protocol_text} - if not isinstance(properties, bool): - protocol_obj.update(properties.get_properties_obj()) - return protocol_obj - # for str representation: - return protocol_text if isinstance(properties, bool) else ' '.join(filter(None, [protocol_text, str(properties)])) - - @staticmethod - def _get_protocols_ranges_representation(is_str, protocols_ranges): - """ - :param bool is_str: should get str representation (True) or list representation (False) - :param protocols_ranges: - :return: - :rtype: list - """ - if is_str: - return [f'protocols numbers: {protocols_ranges}'] - res = [] - for protocols_range in protocols_ranges.get_interval_set_list_numbers_and_ranges(): - res.append({'Protocol': protocols_range}) - return res - - def __str__(self): - if self.allow_all: - return "All connections" - if not self.allowed_protocols: - return 'No connections' - - if len(self.allowed_protocols) == 1: - protocol_num = next(iter(self.allowed_protocols)) - protocol_text = 'Protocol: ' + ProtocolNameResolver.get_protocol_name(protocol_num) - properties = self.allowed_protocols[protocol_num] - properties_text = '' - if not isinstance(properties, bool) and str(properties): - properties_text = ', ' + str(properties) - return protocol_text + properties_text - - protocol_text = 'Protocols: ' - for idx, protocol in enumerate(self.allowed_protocols.keys()): - if idx > 0: - protocol_text += ', ' - protocol_text += ProtocolNameResolver.get_protocol_name(protocol) - - # add properties: - properties = self.allowed_protocols[protocol] - properties_text = '' - if not isinstance(properties, bool): - properties_text = ', ' + str(properties) - protocol_text += properties_text - return protocol_text - - def __and__(self, other): - if other.allow_all: - return self.copy() - if self.allow_all: - return other.copy() - - res = ConnectionSet() - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - conjunction = properties & other.allowed_protocols[key] - if conjunction: - res.allowed_protocols[key] = conjunction - - return res - - def __or__(self, other): - res = ConnectionSet() - if self.allow_all or other.allow_all: - res.allow_all = True - return res - - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - res.allowed_protocols[key] = properties | other.allowed_protocols[key] - else: - res.allowed_protocols[key] = self.copy_properties(properties) - - for key, properties in other.allowed_protocols.items(): - if key not in res.allowed_protocols: - res.allowed_protocols[key] = self.copy_properties(properties) - - res.check_if_all_connections() - return res - - def __sub__(self, other): - if other.allow_all: - return ConnectionSet() - if self.allow_all: - res = self.copy() - res -= other - return res - - res = ConnectionSet() - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - if isinstance(properties, bool): - continue - diff = properties - other.allowed_protocols[key] - if diff: - res.allowed_protocols[key] = diff - else: - res.allowed_protocols[key] = self.copy_properties(properties) - - return res - - def __iand__(self, other): - if other.allow_all: - return self - if self.allow_all: - self.allow_all = False - for protocol, properties in other.allowed_protocols.items(): - self.allowed_protocols[protocol] = self.copy_properties(properties) - return self - - for key in list(self.allowed_protocols.keys()): # we need a copy of the keys because we delete while iterating - if key not in other.allowed_protocols: - del self.allowed_protocols[key] - else: - self.allowed_protocols[key] &= other.allowed_protocols[key] - if not self.allowed_protocols[key]: - del self.allowed_protocols[key] # became empty - return self - - def __ior__(self, other): - if self.allow_all or not bool(other): - return self - if other.allow_all: - self.allow_all = True - self.allowed_protocols.clear() - return self - - for key in self.allowed_protocols: - if key in other.allowed_protocols: - self.allowed_protocols[key] |= other.allowed_protocols[key] - - for key in other.allowed_protocols.keys(): - if key not in self.allowed_protocols: - self.allowed_protocols[key] = self.copy_properties(other.allowed_protocols[key]) - - self.check_if_all_connections() - return self - - def __isub__(self, other): - if not bool(other): - return self # nothing to subtract - if other.allow_all: - self.allowed_protocols.clear() # subtract everything - self.allow_all = False - return self - - if self.allow_all: - self.add_all_connections() - self.allow_all = False # We are about to subtract something - - for key in list(self.allowed_protocols.keys()): - if key in other.allowed_protocols: - other_features = other.allowed_protocols[key] - if isinstance(other_features, bool): - del self.allowed_protocols[key] - else: - self.allowed_protocols[key] -= other_features - if not self.allowed_protocols[key]: - del self.allowed_protocols[key] - - return self - - def contained_in(self, other): - """ - Check whether the 'self' set of connections is contained in the 'other' set of connections - :param ConnectionSet other: The other set of connections - :return: True if it 'self' is contained in 'other', False otherwise - :rtype: bool - """ - if other.allow_all: - return True - if self.allow_all: # BUGBUG: What if other allows all implicitly - return False - - for protocol, properties in self.allowed_protocols.items(): - if protocol not in other.allowed_protocols: - return False - if isinstance(properties, bool): - continue - if not properties.contained_in(other.allowed_protocols[protocol]): - return False - - return True - - @staticmethod - def copy_properties(properties): - """ - :param properties: protocol properties - :return: A (deep) copy of the given properties - """ - if isinstance(properties, bool): - return properties - return properties.copy() - - def copy(self): - """ - :return: A deep copy of self - :rtype: ConnectionSet - """ - res = ConnectionSet(self.allow_all) - for protocol, properties in self.allowed_protocols.items(): - res.allowed_protocols[protocol] = self.copy_properties(properties) - return res - - @staticmethod - def protocol_supports_ports(protocol): - """ - :param protocol: Protocol number or name - :return: Whether the given protocol has ports - :rtype: bool - """ - prot = protocol - if isinstance(protocol, str): - prot = ProtocolNameResolver.get_protocol_number(protocol) - return prot in ConnectionSet.port_supporting_protocols - - @staticmethod - def protocol_is_icmp(protocol): - """ - :param protocol: Protocol number or name - :return: Whether the protocol is icmp or icmpv6 - :rtype: bool - """ - prot = protocol - if isinstance(protocol, str): - prot = ProtocolNameResolver.get_protocol_number(protocol) - return prot in ConnectionSet._icmp_protocols - - def add_connections(self, protocol, properties=True): - """ - Add connections to the set of connections - :param int,str protocol: protocol number of the connections to add - :param properties: an object with protocol properties (e.g., ports), if relevant - :type properties: Union[bool, ConnectivityProperties] - :return: None - """ - if isinstance(protocol, str): - protocol = ProtocolNameResolver.get_protocol_number(protocol) - if not ProtocolNameResolver.is_valid_protocol(protocol): - raise Exception('Protocol must be in the range 0-255') - if not bool(properties): # if properties are empty, there is nothing to add - return - if protocol in self.allowed_protocols: - self.allowed_protocols[protocol] |= properties - else: - self.allowed_protocols[protocol] = properties if isinstance(properties, bool) else properties.copy() - - def remove_protocol(self, protocol): - """ - Remove a protocol from the set of connections - :param int,str protocol: The protocol to remove - :return: None - """ - if isinstance(protocol, str): - protocol = ProtocolNameResolver.get_protocol_number(protocol) - if not ProtocolNameResolver.is_valid_protocol(protocol): - raise Exception('Protocol must be in the range 0-255') - if protocol not in self.allowed_protocols: - return - del self.allowed_protocols[protocol] - - def _add_all_connections_of_protocol(self, protocol): - """ - Add all possible connections to the connection set for a given protocol - :param protocol: the given protocol number - :return: None - """ - if self.protocol_supports_ports(protocol) or self.protocol_is_icmp(protocol): - self.allowed_protocols[protocol] = ConnectivityProperties.make_all_props() - else: - self.allowed_protocols[protocol] = True - - def add_all_connections(self, excluded_protocols=None): - """ - Add all possible connections to the connection set - :param list[int] excluded_protocols: (optional) list of protocol numbers to exclude - :return: None - """ - for protocol in range(ConnectionSet._min_protocol_num, ConnectionSet._max_protocol_num + 1): - if excluded_protocols and protocol in excluded_protocols: - continue - self._add_all_connections_of_protocol(protocol) - - def check_if_all_connections(self): - """ - update self if it allows all connections but not flagged with allow_all - """ - if self.is_all_connections_without_allow_all(): - self.allow_all = True - self.allowed_protocols.clear() - - def is_all_connections_without_allow_all(self): - """ - check if self is not flagged with allow_all, but still allows all connections, and thus should - be replaced with allow_all flag - :rtype: bool - """ - if self.allow_all: - return False - num_protocols = ConnectionSet._max_protocol_num - ConnectionSet._min_protocol_num + 1 - if len(self.allowed_protocols) < num_protocols: - return False - for protocol in ConnectionSet.port_supporting_protocols | ConnectionSet._icmp_protocols: - if not self.allowed_protocols[protocol].is_all(): - return False - return True - - def has_named_ports(self): - """ - :return: True if any of the port-supporting protocols refers to a named port, False otherwise - :rtype: bool - """ - for protocol, properties in self.allowed_protocols.items(): - if self.protocol_supports_ports(protocol) and properties.has_named_ports(): - return True - return False - - def get_named_ports(self): - """ - :return: A list of (protocol, set-of-named-ports) pairs for every protocol that supports ports - :rtype: list[(int, set[str])] - """ - res = [] - for protocol, properties in self.allowed_protocols.items(): - if self.protocol_supports_ports(protocol) and properties.has_named_ports(): - res.append((protocol, properties.get_named_ports())) - return res - - def convert_named_ports(self, named_ports): - """ - Replaces all references to named ports with actual ports, given a mapping - NOTE: that this function modifies self - :param dict[str, (int, int)] named_ports: mapping from a named to port (str) to actual port number + protocol - :return: None - """ - for protocol, properties in list(self.allowed_protocols.items()): - if self.protocol_supports_ports(protocol): - properties.convert_named_ports(named_ports, ProtocolNameResolver.get_protocol_name(protocol)) - if not properties: - del self.allowed_protocols[protocol] - - def print_diff(self, other, self_name, other_name): - """ - Prints a single diff between two sets of connections ('self' and 'other') - :param ConnectionSet other: The connections to compare against - :param self_name: the name of 'self' connection set - :param other_name: The name of 'other' connection set - :return: A string with the diff details (if any) - :rtype: str - """ - if self.allow_all and other.allow_all: - return 'No diff.' - if self.allow_all and not other.allow_all: - return self_name + ' allows all connections while ' + other_name + ' does not.' - if not self.allow_all and other.allow_all: - return other_name + ' allows all connections while ' + self_name + ' does not.' - for protocol, properties in self.allowed_protocols.items(): - if protocol not in other.allowed_protocols: - res = self_name + ' allows communication using protocol ' + \ - ProtocolNameResolver.get_protocol_name(protocol) - if not isinstance(properties, bool) and not properties.is_all(): - res += ' on ' + properties._get_first_item_str() - res += ' while ' + other_name + ' does not.' - return res - other_properties = other.allowed_protocols[protocol] - if properties != other_properties: - return ProtocolNameResolver.get_protocol_name(protocol) + ' protocol - ' + \ - properties.print_diff(other_properties, self_name, other_name) - - for protocol in other.allowed_protocols: - if protocol not in self.allowed_protocols: - return other_name + ' allows communication using protocol ' + \ - ProtocolNameResolver.get_protocol_name(protocol) + ' while ' + self_name + ' does not.' - - return 'No diff.' - - def convert_to_connectivity_properties(self, peer_container, relevant_protocols=ProtocolSet()): - """ - Convert the current ConnectionSet to ConnectivityProperties format. - This function is used for comparing fw-rules output between original and optimized implementation, - when optimized_run == 'debug' - :param PeerContainer peer_container: the peer container - :param ProtocolSet relevant_protocols: specify if all protocols refer to TCP / non-TCP protocols - :return: the connection set in ConnectivityProperties format - """ - if self.allow_all: - if relevant_protocols: - protocols_conn = ConnectivityProperties.make_conn_props_from_dict({"protocols": relevant_protocols}) - else: - protocols_conn = ConnectivityProperties(create_all=True) - return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) & protocols_conn - - res = ConnectivityProperties.make_empty_props() - for protocol, properties in self.allowed_protocols.items(): - protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) - this_prop = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols}) - if isinstance(properties, bool): - if properties: - res |= this_prop - else: - res |= (this_prop & properties) - return res - - @staticmethod - def get_all_tcp_connections(): - tcp_conns = ConnectionSet() - tcp_conns.add_connections('TCP', ConnectivityProperties.make_all_props()) - return tcp_conns - - @staticmethod - def get_non_tcp_connections(): - res = ConnectionSet() - res.add_all_connections([ProtocolNameResolver.get_protocol_number('TCP')]) - return res - # return ConnectionSet(True) - ConnectionSet.get_all_TCP_connections() diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 038d4a90c..2acd2117d 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -504,12 +504,17 @@ def get_simplified_connections_representation(self, is_str, use_complement_simpl if not super().__bool__(): return "No connections" if is_str else ["No connections"] - compl = ConnectivityProperties.make_all_props() - self - if len(self) > len(compl) and use_complement_simplification: + rep = self._get_connections_representation(is_str) + if use_complement_simplification and 'protocols' in self.active_dimensions: + # The following 'minus' operation is heavy, try to avoid it as much as possible. + compl = ConnectivityProperties.make_all_props() - self compl_rep = compl._get_connections_representation(is_str) - return f'All but {compl_rep}' if is_str else [{"All but": compl_rep}] + if len(rep) > len(compl_rep): + return f'All but {compl_rep}' if is_str else [{"All but": compl_rep}] + else: + return rep else: - return self._get_connections_representation(is_str) + return rep def _get_connections_representation(self, is_str): cubes_list = [self.get_cube_dict(cube, is_str) for cube in self] diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py index cd3a379be..daf45c827 100644 --- a/nca/FWRules/MinimizeBasic.py +++ b/nca/FWRules/MinimizeBasic.py @@ -106,10 +106,10 @@ def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): """ Converting FWRules to ConnectivityProperties format. - This function is used for comparing FWRules output between original and optimized solutions, - when optimized_run == 'debug' + This function is used for checking that the generated FWRules are semantically equal to connectivity properties + from which they were generated. This check is activated when running in the debug mode :param MinimizeFWRules fw_rules: the given FWRules. - param Union[str,None] connectivity_restriction: specify if connectivity is restricted to + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not :return: the resulting ConnectivityProperties. """ diff --git a/nca/NetworkConfig/NetworkConfig.py b/nca/NetworkConfig/NetworkConfig.py index 84227741b..dbe2b8f03 100644 --- a/nca/NetworkConfig/NetworkConfig.py +++ b/nca/NetworkConfig/NetworkConfig.py @@ -48,7 +48,7 @@ class NetworkConfig: The class also contains the core algorithm of computing allowed connections between two endpoints. """ - def __init__(self, name, peer_container, policies_container, optimized_run='false'): + def __init__(self, name, peer_container, policies_container, debug=False): """ :param str name: A name for this config :param PeerContainer peer_container: The set of endpoints and their namespaces @@ -56,7 +56,7 @@ def __init__(self, name, peer_container, policies_container, optimized_run='fals self.name = name self.peer_container = peer_container self.policies_container = policies_container - self.optimized_run = optimized_run + self.debug = debug self.allowed_labels = None def __eq__(self, other): @@ -106,7 +106,7 @@ def clone_without_policies(self, name): """ policies_container = PoliciesContainer() res = NetworkConfig(name, peer_container=self.peer_container, policies_container=policies_container, - optimized_run=self.optimized_run) + debug=self.debug) return res def clone_without_policy(self, policy_to_exclude): diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 67e2bd724..f2a3d863b 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -85,12 +85,11 @@ def execute_and_compute_output_in_required_format(self, cmd_line_flag=False): BasePeerSet().get_peer_interval_of(peer_set)) DimensionsManager().set_domain("dst_peers", DimensionsManager.DimensionType.IntervalSet, BasePeerSet().get_peer_interval_of(peer_set)) - if self.get_configs()[0].optimized_run != 'false': - # update all optimized connectivity properties by reducing full src_peers/dst_peers dimensions - # according to their updated domains (above) - for config in self.get_configs(): - for policy in config.policies_container.policies.values(): - policy.reorganize_props_by_new_domains() + # update all optimized connectivity properties by reducing full src_peers/dst_peers dimensions + # according to their updated domains (above) + for config in self.get_configs(): + for policy in config.policies_container.policies.values(): + policy.reorganize_props_by_new_domains() # run the query query_answer = self.execute(cmd_line_flag) # restore peers domains and connectivity properties original values @@ -900,7 +899,7 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - if self.config.optimized_run == 'debug': + if self.config.debug: self.compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) return formatted_rules @@ -1140,7 +1139,7 @@ def compute_explanation_for_key(self, key, is_added, props_data, is_first_connec fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, props_data.output_config, props_data.peer_container, None) - if self.config1.optimized_run == 'debug': + if self.config1.debug: self.compare_fw_rules_to_conn_props(fw_rules, props_data.props) conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) @@ -1258,6 +1257,8 @@ def compute_diff(self): # noqa: C901 new_conns = self.config2.allowed_connections(res_conns_filter=res_conns_filter) old_props, new_props = self.filter_conns_by_input_or_internal_constraints(old_conns.all_allowed_conns, new_conns.all_allowed_conns) + old_minus_new_props = old_props - new_props + new_minus_old_props = new_props - old_props # 1.1. lost connections between removed peers key = 'Lost connections between removed peers' @@ -1302,13 +1303,11 @@ def compute_diff(self): # noqa: C901 "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": captured_pods}) - props1 = old_props & props - props1 = props1.props_without_auto_conns() - props2 = new_props & props - props2 = props2.props_without_auto_conns() - removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props1 - props2, + removed_props = (old_minus_new_props & props).props_without_auto_conns() + added_props = (new_minus_old_props & props).props_without_auto_conns() + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, removed_props, self.config1.peer_container) - added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props2 - props1, + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, added_props, self.config2.peer_container) # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels @@ -1318,11 +1317,11 @@ def compute_diff(self): # noqa: C901 "dst_peers": all_ip_blocks}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": captured_pods}) - props1 = old_props & props - props2 = new_props & props - removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, props1 - props2, + removed_props = old_minus_new_props & props + added_props = new_minus_old_props & props + removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, removed_props, self.config1.peer_container) - added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, props2 - props1, + added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, added_props, self.config2.peer_container) # 4.1. new connections between intersected peers and added peers diff --git a/nca/NetworkConfig/PoliciesFinder.py b/nca/NetworkConfig/PoliciesFinder.py index e9c3dfadb..9fa6e3a14 100644 --- a/nca/NetworkConfig/PoliciesFinder.py +++ b/nca/NetworkConfig/PoliciesFinder.py @@ -24,11 +24,10 @@ class PoliciesFinder: This class is responsible for finding the network policies in the relevant input resources The class contains several ways to build the set of policies (from cluster, from file-system, from GitHub). """ - def __init__(self, optimized_run='false'): + def __init__(self): self.policies_container = PoliciesContainer() self._parse_queue = deque() self.peer_container = None - self.optimized_run = optimized_run # following missing resources fields are relevant for "livesim" mode, # where certain resources are added to enable the analysis self.missing_istio_gw_pods_with_labels = set() @@ -73,11 +72,11 @@ def parse_policies_in_parse_queue(self): # noqa: C901 for policy, file_name, policy_type in self._parse_queue: parsed_policy = None if policy_type == NetworkPolicy.PolicyType.CalicoProfile: - parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name) # only during parsing adding extra labels from profiles (not supporting profiles with rules) parsed_policy = parsed_element.parse_policy() elif policy_type == NetworkPolicy.PolicyType.K8sNetworkPolicy: - parsed_element = K8sPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = K8sPolicyYamlParser(policy, self.peer_container, file_name) parsed_policy = parsed_element.parse_policy() self._add_policy(parsed_policy) # add info about missing resources @@ -109,7 +108,7 @@ def parse_policies_in_parse_queue(self): # noqa: C901 istio_vs_parser = IstioVirtualServiceYamlParser(self.peer_container) istio_vs_parser.parse_virtual_service(policy, file_name) else: - parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name) parsed_policy = parsed_element.parse_policy() self._add_policy(parsed_policy) # the name is sometimes modified when parsed, like in the ingress case, when "allowed" is added diff --git a/nca/NetworkConfig/ResourcesHandler.py b/nca/NetworkConfig/ResourcesHandler.py index 6f9f1d76f..741bfa165 100644 --- a/nca/NetworkConfig/ResourcesHandler.py +++ b/nca/NetworkConfig/ResourcesHandler.py @@ -44,7 +44,7 @@ def __init__(self): self.global_pods_finder = None self.global_ns_finder = None - def set_global_peer_container(self, global_ns_list, global_pod_list, global_resource_list, optimized_run='false'): + def set_global_peer_container(self, global_ns_list, global_pod_list, global_resource_list): """ builds the global peer container based on global input resources, it also saves the global pods and namespaces finder, to use in case specific configs missing one of them. @@ -54,7 +54,7 @@ def set_global_peer_container(self, global_ns_list, global_pod_list, global_reso :param Union[list[str], None] global_resource_list: list of global entries of namespaces/pods to handle in case specific list is None """ - global_resources_parser = ResourcesParser(optimized_run) + global_resources_parser = ResourcesParser() self._set_config_peer_container(global_ns_list, global_pod_list, global_resource_list, 'global', True, global_resources_parser) @@ -122,7 +122,7 @@ def analyze_livesim(policy_finder): return livesim_configuration_addons - def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_flag, np_list, optimized_run): + def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_flag, np_list): """ Parse the elements and build peer container. :param Union[list[str], None] ns_list: namespaces entries @@ -135,7 +135,7 @@ def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_fla :param Union[list[str], None] np_list: networkPolicies entries :return: PeerContainer, ResourcesParser, str """ - resources_parser = ResourcesParser(optimized_run) + resources_parser = ResourcesParser() # build peer container peer_container = \ self._set_config_peer_container(ns_list, pod_list, resource_list, config_name, save_flag, resources_parser) @@ -146,7 +146,7 @@ def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_fla return peer_container, resources_parser, cfg def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_name='global', save_flag=False, - optimized_run='false'): + debug=False): """ First tries to build a peer_container using the input resources (NetworkConfigs's resources) If fails, it uses the global peer container. @@ -158,6 +158,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n if the specific list is None :param str config_name: name of the config :param bool save_flag: used in cmdline queries with two configs, if save flag is True + :param bool debug: for performing some correctness checks will save the peer container as global to use it for base config's peer resources in case are missing :rtype NetworkConfig """ @@ -167,8 +168,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n resource_list, config_name, save_flag, - np_list, - optimized_run) + np_list) NcaLogger().unmute() # check if LiveSim can add anything. livesim_addons = self.analyze_livesim(resources_parser.policies_finder) @@ -189,8 +189,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n resource_list, config_name, save_flag, - np_list, - optimized_run) + np_list) else: # no relevant livesim resources to add NcaLogger().flush_messages() @@ -201,7 +200,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n # build and return the networkConfig return NetworkConfig(name=config_name, peer_container=peer_container, policies_container=resources_parser.policies_finder.policies_container, - optimized_run=optimized_run) + debug=debug) def _set_config_peer_container(self, ns_list, pod_list, resource_list, config_name, save_flag, resources_parser): success, res_type = resources_parser.parse_lists_for_topology(ns_list, pod_list, resource_list) @@ -253,8 +252,8 @@ class ResourcesParser: """ This class parses the input resources for topology (pods, namespaces, services) and policies. """ - def __init__(self, optimized_run='false'): - self.policies_finder = PoliciesFinder(optimized_run) + def __init__(self): + self.policies_finder = PoliciesFinder() self.pods_finder = PodsFinder() self.ns_finder = NamespacesFinder() self.services_finder = ServicesFinder() diff --git a/nca/Parsers/CalicoPolicyYamlParser.py b/nca/Parsers/CalicoPolicyYamlParser.py index 1eb497b4d..fef0949b8 100644 --- a/nca/Parsers/CalicoPolicyYamlParser.py +++ b/nca/Parsers/CalicoPolicyYamlParser.py @@ -21,7 +21,7 @@ class CalicoPolicyYamlParser(GenericYamlParser): A parser for Calico NetworkPolicy/GlobalNetworkPolicy/Profile objects """ - def __init__(self, policy, peer_container, policy_file_name='', optimized_run='false'): + def __init__(self, policy, peer_container, policy_file_name=''): """ :param dict policy: The policy object as provided by the yaml parser :param PeerContainer peer_container: The policy will be evaluated against this set of peers @@ -33,7 +33,6 @@ def __init__(self, policy, peer_container, policy_file_name='', optimized_run='f self.namespace = None # collecting labels used in calico network policy for fw-rules computation self.referenced_labels = set() - self.optimized_run = optimized_run def _parse_selector_expr(self, expr, origin_map, namespace, is_namespace_selector): """ diff --git a/nca/Parsers/K8sPolicyYamlParser.py b/nca/Parsers/K8sPolicyYamlParser.py index 898ad347f..9921280d8 100644 --- a/nca/Parsers/K8sPolicyYamlParser.py +++ b/nca/Parsers/K8sPolicyYamlParser.py @@ -19,7 +19,7 @@ class K8sPolicyYamlParser(GenericYamlParser): A parser for k8s NetworkPolicy objects """ - def __init__(self, policy, peer_container, policy_file_name='', optimized_run='false'): + def __init__(self, policy, peer_container, policy_file_name=''): """ :param dict policy: The policy object as provided by the yaml parser :param PeerContainer peer_container: The policy will be evaluated against this set of peers @@ -30,7 +30,6 @@ def __init__(self, policy, peer_container, policy_file_name='', optimized_run='f self.peer_container = peer_container self.namespace = None self.referenced_labels = set() - self.optimized_run = optimized_run # a set of (key, value) pairs (note, the set may contain pods with labels having same keys but different values self.missing_pods_with_labels = set() diff --git a/nca/SchemeRunner.py b/nca/SchemeRunner.py index f936345d1..c42fa7b6b 100644 --- a/nca/SchemeRunner.py +++ b/nca/SchemeRunner.py @@ -18,11 +18,7 @@ class SchemeRunner(GenericYamlParser): This class takes a scheme file, build all its network configurations and runs all its queries """ - implemented_opt_queries = {'connectivityMap', 'equivalence', 'vacuity', 'redundancy', 'strongEquivalence', - 'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes', - 'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity', 'semanticDiff'} - - def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='true'): + def __init__(self, scheme_file_name, output_format=None, output_path=None, debug=False): GenericYamlParser.__init__(self, scheme_file_name) self.network_configs = {} self.global_res = 0 @@ -31,7 +27,7 @@ def __init__(self, scheme_file_name, output_format=None, output_path=None, optim self.output_config_from_cli_args['outputFormat'] = output_format if output_path is not None: self.output_config_from_cli_args['outputPath'] = output_path - self.optimized_run = optimized_run + self.debug = debug scanner = TreeScannerFactory.get_scanner(scheme_file_name) for yaml_file in scanner.get_yamls(): @@ -40,10 +36,6 @@ def __init__(self, scheme_file_name, output_format=None, output_path=None, optim if not isinstance(self.scheme, dict): self.syntax_error("The scheme's top-level object must be a map") - @staticmethod - def has_implemented_opt_queries(queries): - return SchemeRunner.implemented_opt_queries.intersection(queries) - def _get_input_file(self, given_path, out_flag=False): """ Attempts to locate a file specified in the scheme file (possibly relatively to the scheme file) @@ -83,7 +75,7 @@ def _handle_resources_list(self, resources_list): input_file_list.append(resource_path) return input_file_list - def _add_config(self, config_entry, resources_handler, optimized_run): + def _add_config(self, config_entry, resources_handler): """ Produces a NetworkConfig object for a given entry in the scheme file. Increases self.global_res if the number of warnings/error in the config does not match the expected number. @@ -111,7 +103,7 @@ def _add_config(self, config_entry, resources_handler, optimized_run): expected_error = config_entry.get('expectedError') try: network_config = resources_handler.get_network_config(np_list, ns_list, pod_list, resource_list, - config_name, optimized_run=optimized_run) + config_name, debug=self.debug) if not network_config: self.warning(f'networkPolicyList {network_config.name} contains no networkPolicies', np_list) @@ -153,13 +145,12 @@ def run_scheme(self): query_array = self.scheme.get('queries', []) if not self.activate_exp_tracker(query_array): return - resources_handler.set_global_peer_container(global_ns_list, global_pod_list, global_resource_list, - self.optimized_run) + resources_handler.set_global_peer_container(global_ns_list, global_pod_list, global_resource_list) # specified configs (non-global) start = time.time() for config_entry in self.scheme.get('networkConfigList', []): - self._add_config(config_entry, resources_handler, self.optimized_run) + self._add_config(config_entry, resources_handler) end_parse = time.time() print(f'Finished parsing in {(end_parse - start):6.2f} seconds') self.run_queries(query_array) @@ -199,7 +190,7 @@ def activate_exp_tracker(self, query_array): n_need_exp = len([needs_exp for needs_exp in need_exp if needs_exp]) if n_need_exp == 0: return True - elif n_need_exp == 1 and need_exp[0] and self.optimized_run == 'true': + elif n_need_exp == 1 and need_exp[0]: ExplTracker().activate(out_configs[0]['outputFormat']) return True elif n_need_exp == 1 and need_exp[0]: @@ -236,11 +227,6 @@ def run_queries(self, query_array): not_executed = 0 self.check_fields_validity(query, 'query', allowed_elements) query_name = query['name'] - if self.optimized_run == 'debug' or self.optimized_run == 'true': - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not self.has_implemented_opt_queries(set(query.keys())): - print(f'Skipping query {query_name} since it does not have optimized implementation yet') - continue print('Running query', query_name) output_config_obj = self.get_query_output_config_obj(query) expected_output = self._get_input_file(query.get('expectedOutput', None), True) diff --git a/nca/nca_cli.py b/nca/nca_cli.py index 53cc558f4..a605518d0 100644 --- a/nca/nca_cli.py +++ b/nca/nca_cli.py @@ -146,7 +146,7 @@ def run_args(args): # noqa: C901 # so that configs from certain run do not affect a potential following run. BasePeerSet.reset() if args.scheme: - return SchemeRunner(args.scheme, args.output_format, args.file_out, args.optimized_run).run_scheme() + return SchemeRunner(args.scheme, args.output_format, args.file_out, args.debug).run_scheme() ns_list = args.ns_list pod_list = args.pod_list resource_list = args.resource_list @@ -185,16 +185,12 @@ def run_args(args): # noqa: C901 all_labels.append(lbl_dict) output_config['subset'].update({'label_subset': all_labels}) - if args.explain is not None and args.optimized_run == 'true': + if args.explain is not None: output_config['explain'] = args.explain ExplTracker().activate(output_config.outputEndpoints) if args.output_format == 'html': - if args.optimized_run == 'true': - ExplTracker().activate(output_config.outputEndpoints) - else: - print('Not creating html format. html format has only optimized implementation') - return _compute_return_value(0, 0, 1) + ExplTracker().activate(output_config.outputEndpoints) if args.equiv is not None: np_list = args.equiv if args.equiv != [''] else None @@ -230,16 +226,10 @@ def run_args(args): # noqa: C901 pair_query_flag = True expected_output = args.expected_output or None - if args.optimized_run == 'debug' or args.optimized_run == 'true': - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not SchemeRunner.has_implemented_opt_queries({query_name}): - print(f'Not running query {query_name} since it does not have optimized implementation yet') - return _compute_return_value(0, 0, 1) - resources_handler = ResourcesHandler() network_config = resources_handler.get_network_config(_make_recursive(np_list), _make_recursive(ns_list), _make_recursive(pod_list), _make_recursive(resource_list), - save_flag=pair_query_flag, optimized_run=args.optimized_run) + save_flag=pair_query_flag) if pair_query_flag: base_np_list = args.base_np_list base_resource_list = args.base_resource_list @@ -248,8 +238,7 @@ def run_args(args): # noqa: C901 base_network_config = resources_handler.get_network_config(_make_recursive(base_np_list), _make_recursive(base_ns_list), _make_recursive(base_pod_list), - _make_recursive(base_resource_list), - optimized_run=args.optimized_run) + _make_recursive(base_resource_list)) if base_as_second: network_configs_array = [network_config, base_network_config] else: @@ -339,12 +328,9 @@ def nca_main(argv=None): parser.add_argument('--pr_url', type=str, help='The full api url for adding a PR comment') parser.add_argument('--return_0', action='store_true', help='Force a return value 0') parser.add_argument('--version', '-v', action='store_true', help='Print version and exit') - parser.add_argument('--debug', '-d', action='store_true', help='Print debug information') + parser.add_argument('--debug', '-d', action='store_true', help='Run correctness checks and print debug information') parser.add_argument('--output_endpoints', choices=['pods', 'deployments'], help='Choose endpoints type in output (pods/deployments)', default='deployments') - parser.add_argument('--optimized_run', '-opt', type=str, - help='Whether to run optimized run (-opt=true) - the default, original run (-opt=false) ' - 'or the comparison of the both (debug)', default='true') parser.add_argument('--print_ipv6', action='store_true', help='Display IPv6 addresses connections too. ' 'If the policy reference IPv6 addresses, ' 'their connections will be printed anyway') diff --git a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt index febcd85ac..a85e676a0 100644 --- a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt +++ b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt @@ -1,7 +1,7 @@ testcase26-config-1-calico-ingress and allow-all-config are not semantically equivalent. Added connections between persistent peers (based on topology from config: allow-all-config) : -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:all but TCP, UDP} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but {protocols:TCP, UDP} src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:9080,paths:/details(/*)?} diff --git a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt index 196395dbf..95d7ffd87 100644 --- a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt +++ b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt @@ -3,7 +3,7 @@ np1/kube-system/ingress-networkpolicy-with-conflict-destination and global-allow Added connections between persistent peers (based on topology from config: global-allow-all) : src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:all but TCP} +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP} Added connections between persistent peers and ipBlocks (based on topology from config: global-allow-all) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt index 9b0bcbc0c..bd82bb51b 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: open-default-TCP-test, config: open-default-TCP: -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:all but UDPLite} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:UDPLite} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt index 71ddde80e..ec4191004 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt @@ -1,4 +1,4 @@ final fw rules for query: connectivity_map, config: np_denyFirst: src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:all but TCP} +src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP} diff --git a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml index ad6aa3842..dae0fc255 100644 --- a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml +++ b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml @@ -24,23 +24,23 @@ networkConfigList: expectedWarnings: 0 queries: -# - name: new_online_boutique_connectivity_map -# connectivityMap: -# - new_online_boutique -# expected: 0 -# #outputConfiguration: -# # outputFormat: dot -# # outputPath: online_boutique_new_istio_policies.dot -# expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt -# -# - name: new_online_boutique_synth_res_connectivity_map -# connectivityMap: -# - new_online_boutique_synthesis_res -# expected: 0 -# #outputConfiguration: -# # outputFormat: dot -# # outputPath: online_boutique_new_istio_policies_synthesis_res.dot -# expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt + - name: new_online_boutique_connectivity_map + connectivityMap: + - new_online_boutique + expected: 0 + #outputConfiguration: + # outputFormat: dot + # outputPath: online_boutique_new_istio_policies.dot + expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt + + - name: new_online_boutique_synth_res_connectivity_map + connectivityMap: + - new_online_boutique_synthesis_res + expected: 0 + #outputConfiguration: + # outputFormat: dot + # outputPath: online_boutique_new_istio_policies_synthesis_res.dot + expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt - name: new_online_boutique_synth_res_connectivity_map_wo_fw_rules connectivityMap: diff --git a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt index 668db7aef..f7a042e15 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt @@ -1,20 +1,20 @@ For connections of type TCP, final fw rules for query: new_online_boutique_connectivity_map, config: new_online_boutique: -src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: {dst_ports:8080} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080 +src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: {dst_ports:8080} src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: new_online_boutique_connectivity_map, config: new_online_boutique: src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt index 69807048e..32a4b46fa 100644 --- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt +++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt @@ -2,16 +2,16 @@ For connections of type TCP, final fw rules for query: new_online_boutique_synth src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {dst_ports:3550} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080} For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map, config: new_online_boutique_synthesis_res: src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py index 1cf34efca..46bd522a7 100644 --- a/tests/run_all_tests.py +++ b/tests/run_all_tests.py @@ -32,6 +32,7 @@ HELM cli tests should start with "helm_" so they can be skipped when HELM is not installed. """ +BENCHMARKING = False # set True for running benchmarks class TestArgs: def __init__(self, args, base_dir=None): @@ -48,7 +49,6 @@ def _fix_path_args_with_base_dir(self, base_dir): full_path = os.path.join(base_dir, arg) self.args[idx] = full_path - def get_arg_value(self, arg_str_list): for index, arg in enumerate(self.args): if arg in arg_str_list: @@ -58,17 +58,25 @@ def get_arg_value(self, arg_str_list): class CliQuery: - def __init__(self, test_dict, cli_tests_base_dir, test_name, hc_opt): + def __init__(self, test_dict, cli_tests_base_dir, test_name): self.test_dict = test_dict self.query_name = self.test_dict['name'] self.test_name = test_name - self.args_obj = TestArgs(['-opt='+hc_opt] + test_dict['args'].split(), cli_tests_base_dir) + if BENCHMARKING: + self.args_obj = TestArgs(test_dict['args'].split(), cli_tests_base_dir) + else: + self.args_obj = TestArgs(['-d '] + test_dict['args'].split(), cli_tests_base_dir) + class SchemeFile: - def __init__(self, scheme_filename, hc_opt): + def __init__(self, scheme_filename): self.test_name = scheme_filename - test_args = ['--scheme', self.test_name, '-opt='+hc_opt] + if BENCHMARKING: + test_args = ['--scheme', self.test_name] + else: + test_args = ['--scheme', self.test_name, '-d'] + self.args_obj = TestArgs(test_args) def update_arg_at_scheme_file_output_config(self, arg_name, arg_value): @@ -88,7 +96,8 @@ def update_arg_at_scheme_file_output_config(self, arg_name, arg_value): # most of the test flow is common to other tests types class GeneralTest: - def __init__(self, test_name, test_queries_obj, expected_result, check_run_time, required_output_config_flag, test_category=None): + def __init__(self, test_name, test_queries_obj, expected_result, check_run_time, required_output_config_flag, + test_category=None): self.test_name = test_name # str self.test_queries_obj = test_queries_obj # SchemeFile or CliQuery self.result = None # tuple of (numerical result, test runtime, performance issue indicator) @@ -109,20 +118,21 @@ def initialize_test(self): def run_all_test_flow(self, all_results): # should be overriden by inheriting classes - tmp_opt = [i for i in self.test_queries_obj.args_obj.args if '-opt=' in i] - opt = tmp_opt[0].split('=')[1] if tmp_opt else 'false' - if isinstance(self.test_queries_obj, CliQuery) and (opt == 'debug' or opt == 'true'): - implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes', '--forbids', - '--sanity', '--semantic_diff'} - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not implemented_opt_queries.intersection(set(self.test_queries_obj.args_obj.args)): - print(f'Skipping {self.test_queries_obj.test_name} since it does not have optimized implementation yet') - return 0, 0 - self.initialize_test() self.run_test() self.evaluate_test_results() - self.finalize_test() + run_time = self.finalize_test() + if BENCHMARKING: + write_header = False + benchmark_file = './benchmarks.csv' + if not os.path.isfile(benchmark_file): + write_header = True + with open(benchmark_file, 'a', newline='') as csv_file: + csv_writer = csv.writer(csv_file) + if write_header: + csv_writer.writerow(['test_name', 'run time (seconds)']) + csv_writer.writerow([self.test_name, f'{run_time:.2f}']) + csv_file.close() all_results[self.test_name] = self.result return self.numerical_result, self.new_tests_error @@ -182,6 +192,7 @@ def finalize_test(self): performance_error = self._execute_run_time_compare(actual_run_time) self.result = (self.numerical_result, actual_run_time, performance_error) self._update_required_scheme_file_config_args(False) + return actual_run_time def _update_required_scheme_file_config_args(self, before_test_run): if self.required_output_config_flag is not None: @@ -222,7 +233,7 @@ def __getattr__(self, name): class TestsRunner: - def __init__(self, spec_file, tests_type, check_run_time, category, hc_opt): + def __init__(self, spec_file, tests_type, check_run_time, category): self.spec_file = spec_file self.all_results = {} self.global_res = 0 @@ -231,7 +242,6 @@ def __init__(self, spec_file, tests_type, check_run_time, category, hc_opt): self.test_files_spec = None self.check_run_time = check_run_time self.category = category - self.hc_opt = hc_opt self.helm_path = shutil.which('helm') @staticmethod @@ -388,9 +398,10 @@ def _test_file_matches_category_general_tests(test_file, category): # given a scheme file or a cmdline file, run all relevant tests def run_test_per_file(self, test_file): if self.test_files_spec.type == 'scheme': - if self.tests_type == 'general' and not TestsRunner._test_file_matches_category_general_tests(test_file, self.category): + if self.tests_type == 'general' and \ + not TestsRunner._test_file_matches_category_general_tests(test_file, self.category): return # test file does not match the running category - self.create_and_run_test_obj(SchemeFile(test_file, self.hc_opt), 0) + self.create_and_run_test_obj(SchemeFile(test_file), 0) elif self.test_files_spec.type == 'cmdline': with open(test_file) as doc: code = yaml.load_all(doc, Loader=yaml.CSafeLoader) @@ -401,7 +412,7 @@ def run_test_per_file(self, test_file): print(f'Skipping {query_name} - HELM is not installed') continue cli_test_name = f'{os.path.basename(test_file)}, query name: {query_name}' - cli_query = CliQuery(test, self.test_files_spec.root, cli_test_name, self.hc_opt) + cli_query = CliQuery(test, self.test_files_spec.root, cli_test_name) if self.category == '' or cli_test_name.startswith(self.category): self.create_and_run_test_obj(cli_query, test.get('expected', 0)) @@ -414,9 +425,6 @@ def main(argv=None): parser.add_argument('--type', choices=['general', 'k8s_live_general', 'fw_rules_assertions'], help='Choose test types to run', default='general') - parser.add_argument('--hc_opt', choices=['false', 'true', 'debug'], - help='Choose non-optimized/optimized/comparison run', - default='true') parser.add_argument('--category', choices=['k8s', 'calico', 'istio'], help='Choose category of tests', default='') parser.add_argument('--create_expected_output_files', action='store_true', help='Add missing expected output files') @@ -428,7 +436,6 @@ def main(argv=None): args = parser.parse_args(argv) test_type = args.type category = args.category - hc_opt = args.hc_opt check_run_time = args.check_run_time OutputFilesFlags().create_expected_files = args.create_expected_output_files OutputFilesFlags().update_expected_files = args.override_expected_output_files @@ -437,15 +444,9 @@ def main(argv=None): if check_run_time and test_type != 'general': print(f'check_run_time flag is not supported with test type: {test_type}') sys.exit(1) - if hc_opt == 'false': - print('Running original (non-optimized) implementation') - elif hc_opt == 'true': - print('Running optimized implementation') - elif hc_opt == 'debug': - print('Comparing original and optimized implementations') spec_file = 'all_tests_spec.yaml' - tests_runner = TestsRunner(spec_file, test_type, check_run_time, category, hc_opt) + tests_runner = TestsRunner(spec_file, test_type, check_run_time, category) tests_runner.run_tests() return tests_runner.global_res or tests_runner.new_tests_error From e7cd7ae4708cfd668233458fbdbecefe0e134cf8 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 2 Jun 2024 11:35:40 +0300 Subject: [PATCH 85/89] Fixed lint errors. Removed original-to-optimized-comparison workflows from test-push. Signed-off-by: Tanya --- .github/workflows/test-push.yml | 53 ---------------------------- nca/CoreDS/ConnectivityProperties.py | 2 +- 2 files changed, 1 insertion(+), 54 deletions(-) diff --git a/.github/workflows/test-push.yml b/.github/workflows/test-push.yml index fd8aa7a12..04ce53c6c 100644 --- a/.github/workflows/test-push.yml +++ b/.github/workflows/test-push.yml @@ -87,27 +87,6 @@ jobs: name: k8s-failed-run-time-check-file path: ./tests/k8s_tests_failed_runtime_check.csv if-no-files-found: ignore - k8s-tests-orig-vs-opt-comparison: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - uses: ./.github/actions/setup-nca-env - - name: install helm - run: | - curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 - chmod 700 get_helm.sh - sudo ./get_helm.sh - - name: Run k8s tests - env: - GHE_TOKEN: ${{ github.token }} - PYTHONPATH: . - run: python tests/run_all_tests.py --type=general --category=k8s --hc_opt=debug | tee tests/k8s_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0 - - name: upload run_k8s_tests log - if: ${{ always() }} - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 - with: - name: k8s-cmp-log - path: tests/k8s_cmp_log.txt calico-tests: runs-on: ubuntu-latest steps: @@ -131,22 +110,6 @@ jobs: name: calico-failed-run-time-check-file path: ./tests/calico_tests_failed_runtime_check.csv if-no-files-found: ignore - calico-tests-orig-vs-opt-comparison: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - uses: ./.github/actions/setup-nca-env - - name: Run calico tests - env: - GHE_TOKEN: ${{ github.token }} - PYTHONPATH: . - run: python tests/run_all_tests.py --type=general --category=calico --hc_opt=debug | tee tests/calico_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0 - - name: upload run_calico_tests log - if: ${{ always() }} - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 - with: - name: calico-cmp-log - path: tests/calico_cmp_log.txt istio-tests: runs-on: ubuntu-latest steps: @@ -170,22 +133,6 @@ jobs: name: istio-failed-run-time-check-file path: ./tests/istio_tests_failed_runtime_check.csv if-no-files-found: ignore - istio-tests-orig-vs-opt-comparison: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 - - uses: ./.github/actions/setup-nca-env - - name: Run istio tests - env: - GHE_TOKEN: ${{ github.token }} - PYTHONPATH: . - run: python tests/run_all_tests.py --type=general --category=istio --hc_opt=debug | tee tests/istio_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0 - - name: upload run_istio_tests log - if: ${{ always() }} - uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 - with: - name: istio-cmp-log - path: tests/istio_cmp_log.txt fw-rules-assertion-tests: runs-on: ubuntu-latest steps: diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 2acd2117d..cbba09b59 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -504,7 +504,7 @@ def get_simplified_connections_representation(self, is_str, use_complement_simpl if not super().__bool__(): return "No connections" if is_str else ["No connections"] - rep = self._get_connections_representation(is_str) + rep = self._get_connections_representation(is_str) if use_complement_simplification and 'protocols' in self.active_dimensions: # The following 'minus' operation is heavy, try to avoid it as much as possible. compl = ConnectivityProperties.make_all_props() - self From 1d3ffe1794d6388539dd90f74709ff1eb9fc836f Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 2 Jun 2024 11:38:21 +0300 Subject: [PATCH 86/89] Small fix. Signed-off-by: Tanya --- tests/run_all_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py index 46bd522a7..f1127846b 100644 --- a/tests/run_all_tests.py +++ b/tests/run_all_tests.py @@ -65,7 +65,7 @@ def __init__(self, test_dict, cli_tests_base_dir, test_name): if BENCHMARKING: self.args_obj = TestArgs(test_dict['args'].split(), cli_tests_base_dir) else: - self.args_obj = TestArgs(['-d '] + test_dict['args'].split(), cli_tests_base_dir) + self.args_obj = TestArgs(['-d'] + test_dict['args'].split(), cli_tests_base_dir) From 1d9b1be8a048800f2cf0ea0900f0ee17e0a80f9a Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 2 Jun 2024 12:00:01 +0300 Subject: [PATCH 87/89] Small fix. Signed-off-by: Tanya --- tests/k8s_cmdline_tests.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/tests/k8s_cmdline_tests.yaml b/tests/k8s_cmdline_tests.yaml index b00423bcc..b74d0f2c5 100644 --- a/tests/k8s_cmdline_tests.yaml +++ b/tests/k8s_cmdline_tests.yaml @@ -429,7 +429,6 @@ --ns_list fw_rules_tests/podlist/test_subset_topology.yaml --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --explain default/Pod1[Pod],ns2/deployment-D[Deployment] - -opt=true -d --expected_output expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt expected: 0 @@ -440,7 +439,6 @@ --ns_list fw_rules_tests/podlist/test_subset_topology.yaml --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/basic_connectivity_expl_output.txt expected: 0 @@ -451,7 +449,6 @@ --ns_list fw_rules_tests/podlist/poc_ns_list.json --pod_list fw_rules_tests/podlist/kubernetes-manifests.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/poc1_expl_output.txt expected: 0 @@ -463,7 +460,6 @@ --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --deployment_subset deployment-A,deployment-D --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/subset_deployment_expl_output.txt expected: 0 @@ -474,7 +470,6 @@ --ns_list fw_rules_tests/podlist/test_fw_rules_pod_list.yaml --pod_list fw_rules_tests/podlist/test_fw_rules_pod_list.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/test25_expl_output.txt expected: 0 @@ -485,7 +480,6 @@ --ns_list fw_rules_tests/podlist/ns_list.json --pod_list fw_rules_tests/podlist/pods_list_4.json --explain kube-system-new/calico-node(DaemonSet),0.0.0.0/0 - -opt=true -d --expected_output expected_cmdline_output_files/test4_expl_output.txt expected: 0 @@ -496,7 +490,6 @@ --ns_list istio_testcases/example_policies/istio-ingress-test --pod_list istio_testcases/example_policies/istio-ingress-test --explain ALL - -opt=true -d # temporarily commenting out expected results, until new Ingress/Egress implementation is completed. # --expected_output expected_cmdline_output_files/istio-ingress_expl_output.txt From 13affc8603fac55415bc94fac7599d5a5f04f577 Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 4 Jun 2024 12:52:47 +0300 Subject: [PATCH 88/89] Some more refactoring of FWRule minimization code. Signed-off-by: Tanya --- nca/FWRules/MinimizeBasic.py | 136 --------------- ...zeCsFWRulesOpt.py => MinimizeCsFWRules.py} | 160 ++++++++++-------- nca/FWRules/MinimizeFWRules.py | 39 ++++- nca/NetworkConfig/NetworkConfigQuery.py | 3 +- 4 files changed, 126 insertions(+), 212 deletions(-) delete mode 100644 nca/FWRules/MinimizeBasic.py rename nca/FWRules/{MinimizeCsFWRulesOpt.py => MinimizeCsFWRules.py} (81%) diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py deleted file mode 100644 index daf45c827..000000000 --- a/nca/FWRules/MinimizeBasic.py +++ /dev/null @@ -1,136 +0,0 @@ -# -# Copyright 2020- IBM Inc. All rights reserved -# SPDX-License-Identifier: Apache2.0 -# - -from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import PeerSet -from nca.CoreDS.ProtocolSet import ProtocolSet - - -class MinimizeBasic: - """ - This is a base class for minimizing fw-rules/peer sets - """ - def __init__(self, cluster_info, output_config): - self.cluster_info = cluster_info - self.output_config = output_config - - def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): - """ - The main function to implement pods grouping by labels. - This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). - :param pods_set: the pods for grouping - :param extra_pods_set: additional pods that can be used for grouping - :return: - res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). - """ - ns_context_options = set(pod.namespace for pod in pods_set) - res_chosen_rep = [] - res_remaining_pods = set() - # grouping by pod-labels per each namespace separately - for ns in ns_context_options: - pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) - extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) - res_chosen_rep.extend(chosen_rep) - res_remaining_pods |= remaining_pods - return res_chosen_rep, res_remaining_pods - - def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): - """ - Implements pods grouping by labels in a single namespace. - :param pods_set: the set of pods for grouping. - :param ns: the namespace - :param extra_pods_set: additional pods that can be used for completing the grouping - (originated in containing connections). - :return: - chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - remaining_pods: set of pods from pods_list that are not included in the grouping result - """ - if self.output_config.fwRulesDebug: - print('get_pods_grouping_by_labels:') - print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) - print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) - all_pods_set = pods_set | extra_pods_set - allowed_labels = self.cluster_info.allowed_labels - pods_per_ns = self.cluster_info.ns_dict[ns] - # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid - # grouping of pods-set by "key in values" - labels_rep_options = [] - for key in allowed_labels: - values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) - fully_covered_label_values = set() - pods_with_fully_covered_label_values = set() - for v in values_for_key: - all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns - if not all_pods_per_label_val: - continue - pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set - pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set - # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set - if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ - pods_with_label_val_from_original_pods_list: - fully_covered_label_values |= {v} - pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list - # TODO: is it OK to ignore label-grouping if only one pod is involved? - if self.output_config.fwRulesGroupByLabelSinglePod: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - else: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - - chosen_rep = [] - remaining_pods = pods_set.copy() - # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that - # covers more pods - sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) - if self.output_config.fwRulesDebug: - print('sorted rep options:') - for (key, (label_vals, pods)) in sorted_rep_options: - print(key, label_vals, len(pods)) - ns_info = {ns} - for (k, (vals, pods)) in sorted_rep_options: - if (pods & pods_set).issubset(remaining_pods): - chosen_rep.append((k, vals, ns_info)) - remaining_pods -= PeerSet(pods) - if not remaining_pods: - break - return chosen_rep, remaining_pods - - @staticmethod - def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): - """ - Converting FWRules to ConnectivityProperties format. - This function is used for checking that the generated FWRules are semantically equal to connectivity properties - from which they were generated. This check is activated when running in the debug mode - :param MinimizeFWRules fw_rules: the given FWRules. - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return: the resulting ConnectivityProperties. - """ - if connectivity_restriction: - relevant_protocols = ProtocolSet() - if connectivity_restriction == 'TCP': - relevant_protocols.add_protocol('TCP') - else: # connectivity_restriction == 'non-TCP' - relevant_protocols = ProtocolSet.get_non_tcp_protocols() - else: - relevant_protocols = ProtocolSet(True) - - res = ConnectivityProperties.make_empty_props() - if fw_rules.fw_rules_map is None: - return res - for fw_rules_list in fw_rules.fw_rules_map.values(): - for fw_rule in fw_rules_list: - src_peers = fw_rule.src.get_peer_set() - dst_peers = fw_rule.dst.get_peer_set() - rule_props = \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers, - "protocols": relevant_protocols}) & fw_rule.props - res |= rule_props - return res diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRules.py similarity index 81% rename from nca/FWRules/MinimizeCsFWRulesOpt.py rename to nca/FWRules/MinimizeCsFWRules.py index 8b5f31086..e53cee03b 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRules.py @@ -6,13 +6,13 @@ from collections import defaultdict from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod +from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.OtherResources.K8sNamespace import K8sNamespace from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement -from .MinimizeBasic import MinimizeBasic -class MinimizeCsFwRulesOpt(MinimizeBasic): +class MinimizeCsFwRules: """ This is a class for minimizing fw-rules within a specific connection-set """ @@ -24,7 +24,8 @@ def __init__(self, cluster_info, output_config): :param output_config: an OutputConfiguration object """ - super().__init__(cluster_info, output_config) + self.cluster_info = cluster_info + self.output_config = output_config self.peer_props = ConnectivityProperties() self.props = ConnectivityProperties() self.peer_props_in_containing_props = ConnectivityProperties() @@ -276,22 +277,6 @@ def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_ if curr_covered & self.peer_props_without_ns_expr: peers_to_peers_map[frozenset(dim_peers)] |= other_dim_peers - def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): - """ - create a fw-rule from a fixed-elem and a set of namespaces - :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) - :param ns_set: a set of namespaces - :param fixed_elem: the fixed element - :return: a list with created FWRule - """ - # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.props) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.props) - return [fw_rule] - def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): """ Group a given set of pods by labels, and create FWRuleElements according to the grouping @@ -309,50 +294,6 @@ def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): res.append(PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments')) return res - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, - make_peer_sets=False): - """ - Implements grouping in the level of pods labels. - :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. - :param pods_set: the set of pods to be grouped - :param fixed_elem: the fixed element of the original fw-rules - :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be - used for grouping (completing for a set of pods to cover some label grouping). - :return: a set of fw-rules result after grouping - """ - res = [] - # (1) try grouping by pods-labels: - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) - for (key, values, ns_info) in chosen_rep: - map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) - all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) - pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.props) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.props) - res.append(fw_rule) - - # TODO: should avoid having single pods remaining without labels grouping - # (2) add rules for remaining single pods: - if make_peer_sets and remaining_pods: - peer_set_elem = PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, peer_set_elem, self.props) - else: - fw_rule = FWRule(peer_set_elem, fixed_elem, self.props) - res.append(fw_rule) - else: - for pod in remaining_pods: - single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, single_pod_elem, self.props) - else: - fw_rule = FWRule(single_pod_elem, fixed_elem, self.props) - res.append(fw_rule) - return res - def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ creating initial fw-rules from base elements @@ -448,14 +389,91 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ # unknown base-elem type return None - def _get_peers_paired_with_given_peer(self, peer, is_src_peer): - this_dim = "src_peers" if is_src_peer else "dst_peers" - other_dim = "dst_peers" if is_src_peer else "src_peers" - props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) - return props.project_on_one_dimension(other_dim) - - # --------------------------------------------------------------------------------------------------------- - # below functions are for debugging : + def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): + """ + The main function to implement pods grouping by labels. + This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). + :param pods_set: the pods for grouping + :param extra_pods_set: additional pods that can be used for grouping + :return: + res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). + """ + ns_context_options = set(pod.namespace for pod in pods_set) + res_chosen_rep = [] + res_remaining_pods = set() + # grouping by pod-labels per each namespace separately + for ns in ns_context_options: + pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) + extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) + res_chosen_rep.extend(chosen_rep) + res_remaining_pods |= remaining_pods + return res_chosen_rep, res_remaining_pods + + def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): + """ + Implements pods grouping by labels in a single namespace. + :param pods_set: the set of pods for grouping. + :param ns: the namespace + :param extra_pods_set: additional pods that can be used for completing the grouping + (originated in containing connections). + :return: + chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + remaining_pods: set of pods from pods_list that are not included in the grouping result + """ + if self.output_config.fwRulesDebug: + print('get_pods_grouping_by_labels:') + print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) + print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) + all_pods_set = pods_set | extra_pods_set + allowed_labels = self.cluster_info.allowed_labels + pods_per_ns = self.cluster_info.ns_dict[ns] + # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid + # grouping of pods-set by "key in values" + labels_rep_options = [] + for key in allowed_labels: + values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) + fully_covered_label_values = set() + pods_with_fully_covered_label_values = set() + for v in values_for_key: + all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns + if not all_pods_per_label_val: + continue + pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set + pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set + # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set + if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ + pods_with_label_val_from_original_pods_list: + fully_covered_label_values |= {v} + pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list + # TODO: is it OK to ignore label-grouping if only one pod is involved? + if self.output_config.fwRulesGroupByLabelSinglePod: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + else: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + + chosen_rep = [] + remaining_pods = pods_set.copy() + # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that + # covers more pods + sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) + if self.output_config.fwRulesDebug: + print('sorted rep options:') + for (key, (label_vals, pods)) in sorted_rep_options: + print(key, label_vals, len(pods)) + ns_info = {ns} + for (k, (vals, pods)) in sorted_rep_options: + if (pods & pods_set).issubset(remaining_pods): + chosen_rep.append((k, vals, ns_info)) + remaining_pods -= PeerSet(pods) + if not remaining_pods: + break + return chosen_rep, remaining_pods def _print_results_info(self): print('----------------') diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index d74a14846..92a253475 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py @@ -8,7 +8,7 @@ from nca.CoreDS.Peer import IpBlock from nca.CoreDS.ProtocolSet import ProtocolSet from .FWRule import FWRule -from .MinimizeCsFWRulesOpt import MinimizeCsFwRulesOpt +from .MinimizeCsFWRules import MinimizeCsFwRules class MinimizeFWRules: @@ -166,7 +166,7 @@ def minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size): props_containment_map = MinimizeFWRules._build_props_containment_map(props_sorted_by_size) fw_rules_map = defaultdict(list) results_map = dict() - minimize_cs_opt = MinimizeCsFwRulesOpt(cluster_info, output_config) + minimize_cs = MinimizeCsFwRules(cluster_info, output_config) # build fw_rules_map: per connection - a set of its minimized fw rules for props, peer_props in props_sorted_by_size: # currently skip "no connections" @@ -174,7 +174,7 @@ def minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size): continue # TODO: figure out why we have pairs with (ip,ip) ? peer_props_in_containing_props = props_containment_map[props] - fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_prop( + fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_prop( props, peer_props, peer_props_in_containing_props) fw_rules_map[props] = fw_rules results_map[props] = results_per_info @@ -204,3 +204,36 @@ def _build_props_containment_map(props_sorted_by_size): if other_props != props and props.contained_in(other_props): props_containment_map[props] |= peer_pairs return props_containment_map + + @staticmethod + def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): + """ + Converting FWRules to ConnectivityProperties format. + This function is used for checking that the generated FWRules are semantically equal to connectivity properties + from which they were generated. This check is activated when running in the debug mode + :param MinimizeFWRules fw_rules: the given FWRules. + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to + TCP / non-TCP , or not + :return: the resulting ConnectivityProperties. + """ + if connectivity_restriction: + relevant_protocols = ProtocolSet() + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + else: + relevant_protocols = ProtocolSet(True) + + res = ConnectivityProperties.make_empty_props() + if fw_rules.fw_rules_map is None: + return res + for fw_rules_list in fw_rules.fw_rules_map.values(): + for fw_rule in fw_rules_list: + src_peers = fw_rule.src.get_peer_set() + dst_peers = fw_rule.dst.get_peer_set() + rule_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers, + "protocols": relevant_protocols}) & fw_rule.props + res |= rule_props + return res diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index f2a3d863b..c4b8507ef 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -13,7 +13,6 @@ from nca.CoreDS.DimensionsManager import DimensionsManager from nca.FWRules.ConnectivityGraph import ConnectivityGraph from nca.FWRules.MinimizeFWRules import MinimizeFWRules -from nca.FWRules.MinimizeBasic import MinimizeBasic from nca.FWRules.ClusterInfo import ClusterInfo from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnectionsFilter from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy @@ -162,7 +161,7 @@ def compare_conn_props(props1, props2, text_prefix): @staticmethod def compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=None): text_prefix = "Connectivity properties and fw-rules generated from them" - props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, connectivity_restriction) + props2 = MinimizeFWRules.fw_rules_to_conn_props(fw_rules, connectivity_restriction) BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) From 019cf3e6ff46275c3615830dea6f7acffe85aa4a Mon Sep 17 00:00:00 2001 From: Tanya Date: Tue, 4 Jun 2024 12:54:12 +0300 Subject: [PATCH 89/89] Fixed lint error. Signed-off-by: Tanya --- nca/FWRules/MinimizeCsFWRules.py | 1 - 1 file changed, 1 deletion(-) diff --git a/nca/FWRules/MinimizeCsFWRules.py b/nca/FWRules/MinimizeCsFWRules.py index e53cee03b..72d820dd0 100644 --- a/nca/FWRules/MinimizeCsFWRules.py +++ b/nca/FWRules/MinimizeCsFWRules.py @@ -6,7 +6,6 @@ from collections import defaultdict from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod -from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.OtherResources.K8sNamespace import K8sNamespace from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement