Release v1.9.6

Changes in this Release:

• Bug fix: "Recursion limit exceeded" error when reading a json with a list of strings

Release v1.9.5

Changes in this Release:

• Two more queries, interferes and pairwiseInterferes, can now benefit from optimized mode (run with -opt=true).
• Bug fix: rarely, some diffs were not reported by semanticDiff query
• Bug fix: Issue #569 - some warnings printed to stdout instead of stderr
• Bug fix: Issue #573 - crash when hitting an illegal JSON file

Release v1.9.4

Changes in this Release:

• Two more queries, equivalence and permits, can now benefit from optimized mode (run with -opt=true).
• Fixed Issue #557: The exportTo field in VirtualService should be an array, not a string

Release v1.9.3

Changes in this Release:

• Many improvements to the generated graphviz-based graph:
  • Endpoints sharing the same connectivity and the same namespace are grouped together to reduce the total number of edges.
  • If the graph contains a large-enough set of endpoints, in which each pair of endpoints is connected in exactly the same way, a Clique node will be created, and all endpoints in the set will connect to this (meta-)node. This also reduces the total number of edges
  • If the graph contains two large-enough sets of endpoints A and B, where the allowed connectivity from any endpoint in A to any endpoint in B is the same, a Bi-Clique node will be created, and every endpoint in A will connect to this (meta-)node, and the Bi-Clique will connect to every node in B.
  • Labels on edges are shortened, and a legend explains what each shortening means.
• Explainability: A new flag, --explain, appends to connectivity reports the exact set of resources that take part in setting the allowed connectivity between endpoints. Such explanation can be provided for the connectivity between a given set of endpoint, e.g., --explain default/Pod1[Pod],ns2/deployment-D[Deployment] or between every pair of endpoints by specifying --explain ALL.
• Istio traffic management: Supporting ServiceEntries as hosts in the spec of Sidecar egress.
• Improved performance via a new data-structure. This is currently under a feature flag: -opt=true.
• Graphviz added to docker images
• Various bug fixes

Release v1.9.2

Changes in this Release:

• Reporting much simpler regular expressions in connectivity reports and in connectivity-diff reports
• Adding the jpeg format to the list of allowed formats for connectivity reports (when using the --output_format command-line flag or the outputConfiguration.outputFormat scheme object). This will automatically convert a dot graph to a jpeg image file. Requires GraphViz to be preinstalled and PATH to include its bin directory.
• Fixed: Exit code should be 7 if an handled exception made it to nca_main
• Added OpenSSF Scorecard badge to repo
• Removed dependency on ruamel.yaml
• Minor bug fixes

Release v1.9.1

Changes in this Release:

• Fixing PyPI package to also include required YAML files

Release v1.9.0

Changes in this Release:

• Most queries can now output their results in JSON/YAML formats. In a scheme file set outputConfiguration.outputFormat to either json or yaml. From the command-line, use the -o flag with either json or yaml value.
• Query results will no longer refer to IPv6 address space, unless there are network-connectivity resources (e.g., NetworkPolicy) that explicitly refer to such addresses. To force including IPv6 addresses in query results, use the --print_ipv6 command line flag. Alternatively, set outputConfiguration.excludeIPv6Range to false in your scheme file.
• Improved connectivity-map output whenever Istio resources are present. Two connectivity maps will be produced now: one for TCP connections and another one for all other protocols.
• Improved usability for shift-left analysis: when policies refer to certain resources missing from the input config, check if they can be added to enable the analysis. Taking into account resources that are usually visible in a live cluster mode: Ingress-controller pod, Istio ingress gateway pod, and kube-dns pod. Documentation is available here.
• Queries will not execute if there are no endpoints in a given network configuration. An error message is printed in such a case.
• Removed support for running as a REST-API server (the --daemon flag). Instead, use nca-rest-server.
• Not printing back-trace on errors such as syntax errors.
• Avoiding crash on a malformed yaml
• Avoiding crash in the presence of helm charts if helm executable cannot be found.
• Handle YAML files with UTF-8 characters
• Ingress resource parsing: issue warning instead of error when service referenced by backed is missing
• Query all-captured output: consider Istio layer as well

Release v1.8.2

Changes in this Release:

• Using ubi8/ubi-minimal base-image instead of ubi8/python39

Release v1.8.1

Changes in this Release:

• Running yum update in the build of the new ubi-based Docker image to fix security issues.
• Added SECURITY.md file

Release v1.8.0

Changes in this Release:

• Most queries can now provide their results in a YAML format. If using NCA command-line, simply add --output_format yaml. If using a scheme file, the value of outputConfiguration.outputFormat should be yaml.
• Replaced the dependency on PyGithub with ghapi which has a more permissive license.
• Releasing a Docker image, based on Red Hat ubi8 base image (in addition to the image based on python:3.8-slim, as before).
• Updated CONTRIBUTING.md file.
• Several bugs fixed (issues #267, #351, #368, #371)