
Merge pull request #270 from huntergregory/lingering-pola
chore: [Policy Assistant] lingering pola references
k8s-ci-robot authored Nov 12, 2024
2 parents cc23bf1 + 8d40382 commit 9e2692c
Showing 11 changed files with 52 additions and 54 deletions.
4 changes: 2 additions & 2 deletions cmd/policy-assistant/.github/workflows/kind_antrea.yml
Expand Up @@ -2,7 +2,7 @@ name: Kind Antrea policy-assistant
on:
workflow_dispatch:
inputs:
pola_args:
policy_assistant_args:
description: "args to pass on to policy-assistant"
required: false
default: "generate --include conflict --job-timeout-seconds 2 --server-protocol=tcp,udp"
Expand All @@ -23,4 +23,4 @@ jobs:
go-version: 1.18
- name: Run policy-assistant
working-directory: hack/kind
run: CNI=antrea RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
run: CNI=antrea RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
4 changes: 2 additions & 2 deletions cmd/policy-assistant/.github/workflows/kind_calico.yml
Expand Up @@ -2,7 +2,7 @@ name: Kind Calico policy-assistant
on:
workflow_dispatch:
inputs:
pola_args:
policy_assistant_args:
description: "args to pass on to policy-assistant"
required: false
default: "generate --include conflict --job-timeout-seconds 2"
Expand All @@ -22,4 +22,4 @@ jobs:
go-version: 1.18
- name: Run policy-assistant
working-directory: hack/kind
run: CNI=calico RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
run: CNI=calico RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
4 changes: 2 additions & 2 deletions cmd/policy-assistant/.github/workflows/kind_cilium.yml
Expand Up @@ -2,7 +2,7 @@ name: Kind Cilium policy-assistant
on:
workflow_dispatch:
inputs:
pola_args:
policy_assistant_args:
description: "args to pass on to policy-assistant"
required: false
default: "generate --include conflict --job-timeout-seconds 2 --server-protocol=tcp,udp --ignore-loopback=true"
Expand All @@ -22,4 +22,4 @@ jobs:
go-version: 1.18
- name: Run policy-assistant
working-directory: hack/kind
run: CNI=cilium RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
run: CNI=cilium RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
Expand Up @@ -5,7 +5,7 @@ on:
cni:
description: "name of CNI to use"
required: true
pola_args:
policy_assistant_args:
description: "args to pass on to policy-assistant"
required: false
default: "generate include --conflict --job-timeout-seconds 2"
Expand All @@ -24,4 +24,4 @@ jobs:

- name: Run policy-assistant
working-directory: hack/kind
run: CNI=${{ github.event.inputs.cni }} RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
run: CNI=${{ github.event.inputs.cni }} RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
4 changes: 2 additions & 2 deletions cmd/policy-assistant/.github/workflows/kind_ovn.yml
Expand Up @@ -2,7 +2,7 @@ name: Kind Ovn policy-assistant
on:
workflow_dispatch:
inputs:
pola_args:
policy_assistant_args:
description: "args to pass on to policy-assistant"
required: false
default: "generate --include conflict --job-timeout-seconds 2 --exclude=named-port,multi-peer,upstream-e2e,example --ignore-loopback=true"
Expand All @@ -24,4 +24,4 @@ jobs:
go-version: 1.18
- name: Run policy-assistant
working-directory: hack/kind
run: CNI=ovn-kubernetes RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
run: CNI=ovn-kubernetes RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
2 changes: 1 addition & 1 deletion cmd/policy-assistant/.goreleaser.yml
Expand Up @@ -57,5 +57,5 @@ archives:
- README*
- CHANGELOG*
checksum:
name_template: "pola_{{ .RawVersion }}_checksums.txt"
name_template: "policy_assistant_{{ .RawVersion }}_checksums.txt"
algorithm: sha256
8 changes: 4 additions & 4 deletions cmd/policy-assistant/Makefile
@@ -1,13 +1,13 @@
# TODO: create an actual image registry + image

# constants
# FIXME: update POLA_IMAGE to the actual image name
POLA_IMAGE = policy-assistant
# FIXME: update POLICY_ASSISTANT_IMAGE to the actual image name
POLICY_ASSISTANT_IMAGE = policy-assistant

# variables
# FIXME: update IMAGE_REGISTRY to the actual image registry
IMAGE_REGISTRY ?= docker.io
POLA_TAG ?= latest
POLICY_ASSISTANT_TAG ?= latest

test:
go test ./pkg/...
Expand All @@ -25,4 +25,4 @@ policy-assistant-binary:
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o ./cmd/policy-assistant/policy-assistant ./cmd/policy-assistant

policy-assistant-image: policy-assistant-binary
docker build -t $(IMAGE_REGISTRY)/$(POLA_IMAGE):$(POLA_TAG) ./cmd/policy-assistant
docker build -t $(IMAGE_REGISTRY)/$(POLICY_ASSISTANT_IMAGE):$(POLICY_ASSISTANT_TAG) ./cmd/policy-assistant
52 changes: 25 additions & 27 deletions cmd/policy-assistant/README.md
Expand Up @@ -18,30 +18,28 @@ Policy Assistant is a static analysis tool which ***simulates the action of netw
For instance, Policy Assistant can simulate and walk through which policies impact cluster traffic:

```shell
$ policy-assistant analyze --namespace demo --mode walkthrough
$ policy-assistant analyze --mode walkthrough --policy-path policies/ --traffic-path traffic.json
verdict walkthrough:
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny) | |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) | |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
| demo/deployment/a -> demo/pod/b:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+ +
| demo/deployment/a -> demo/pod/b:81 (TCP) | Denied | [ANP] No-Op -> [BANP] Deny (baseline-deny) | |
+-------------------------------------------------+ +-----------------------------------------------------------------------------+ +
| demo2/[app=nginx] -> demo/deployment/a:81 (TCP) | | [ANP] Pass (development-ns) -> [NPv1] Dropped (demo/deny-anything-to-pod-a) | |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
```

### Quick Install

Download the latest `policy-assistant` release either from GitHub ([web page](https://github.com/kubernetes-sigs/network-policy-api/releases/v0.0.1-policy-assistant)) or via these bash commands:

```bash
curl -O https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.0.1-policy-assistant/pola_linux_amd64.tar.gz
curl -O https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.0.1-policy-assistant/policy-assistant_linux_amd64.tar.gz
# optionally verify check sum
tar -xvf pola_linux_amd64.tar.gz
./policy-assistant --help
tar -xvf policy-assistant_linux_amd64.tar.gz
./policy-assistant analyze --help
```

Alternatively, [install from source](#make-from-source).
Expand Down Expand Up @@ -167,20 +165,20 @@ Combined:

Visualize how traffic would be allowed/denied and which policies are causing the verdict.

For more information, see the [walkthrough demo](./examples/demos/walkthrough/README.md).

```shell
$ policy-assistant analyze --mode walkthrough --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/
$ policy-assistant analyze --mode walkthrough --policy-path policies/ --traffic-path traffic.json
verdict walkthrough:
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny) | |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | |
+---------------------------------------+---------+-------------------------------------------------------------+ +
| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) | |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
| demo/deployment/a -> demo/pod/b:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+ +
| demo/deployment/a -> demo/pod/b:81 (TCP) | Denied | [ANP] No-Op -> [BANP] Deny (baseline-deny) | |
+-------------------------------------------------+ +-----------------------------------------------------------------------------+ +
| demo2/[app=nginx] -> demo/deployment/a:81 (TCP) | | [ANP] Pass (development-ns) -> [NPv1] Dropped (demo/deny-anything-to-pod-a) | |
+-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+
```

## Development
16 changes: 8 additions & 8 deletions cmd/policy-assistant/examples/run.sh
Expand Up @@ -3,9 +3,9 @@
set -euo pipefail
set -xv

POLA_OUTPUT_DIR=${POLA_OUTPUT_DIR:-"./policy-assistant-output"}
POLICY_ASSISTANT_OUTPUT_DIR=${POLICY_ASSISTANT_OUTPUT_DIR:-"./policy-assistant-output"}

mkdir -p "$POLA_OUTPUT_DIR"
mkdir -p "$POLICY_ASSISTANT_OUTPUT_DIR"

# run all 5
printf "\n\n********************** run all 5 modes **************************\n\n"
Expand All @@ -15,42 +15,42 @@ go run ../cmd/policy-assistant/main.go analyze \
--target-pod-path ./targets-example.json \
--traffic-path ./traffic-example.json \
--probe-path ./probe-example.json \
> "$POLA_OUTPUT_DIR"/analyze-all-five.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-all-five.txt

# run just the explainer
printf "\n\n********************** run just the explainer **************************\n\n"
go run ../cmd/policy-assistant/main.go analyze \
--mode explain \
--policy-path ../networkpolicies/simple-example/ \
> "$POLA_OUTPUT_DIR"/analyze-explain.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-explain.txt

# run just the targets
printf "\n\n********************** run just the targets **************************\n\n"
go run ../cmd/policy-assistant/main.go analyze \
--mode query-target \
--policy-path ../networkpolicies/simple-example/ \
--target-pod-path ./targets.json \
> "$POLA_OUTPUT_DIR"/analyze-query-target.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-query-target.txt

# run just the traffic
printf "\n\n********************** run just the traffic **************************\n\n"
go run ../cmd/policy-assistant/main.go analyze \
--mode query-traffic \
--policy-path ../networkpolicies/simple-example/ \
--traffic-path ./traffic.json \
> "$POLA_OUTPUT_DIR"/analyze-query-traffic.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-query-traffic.txt

# run just the probe
printf "\n\n********************** run just the probe **************************\n\n"
go run ../cmd/policy-assistant/main.go analyze \
--mode probe \
--policy-path ../networkpolicies/simple-example/ \
--probe-path ./probe.json \
> "$POLA_OUTPUT_DIR"/analyze-probe.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-probe.txt

# run just the linter
printf "\n\n********************** run just the linter **************************\n\n"
go run ../cmd/policy-assistant/main.go analyze \
--mode lint \
--policy-path ../networkpolicies/simple-example \
> "$POLA_OUTPUT_DIR"/analyze-lint.txt
> "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-lint.txt
4 changes: 2 additions & 2 deletions cmd/policy-assistant/hack/sonobuoy/run-sonobuoy-plugin.sh
Expand Up @@ -3,11 +3,11 @@
set -xv
set -euo pipefail

POLA_ARGS=$@
POLICY_ASSISTANT_ARGS=$@
RESULTS_DIR="${RESULTS_DIR:-/tmp/results}"


./policy-assistant $POLA_ARGS > "${RESULTS_DIR}"/results.txt
./policy-assistant $POLICY_ASSISTANT_ARGS > "${RESULTS_DIR}"/results.txt


cd "${RESULTS_DIR}"
4 changes: 2 additions & 2 deletions cmd/policy-assistant/pkg/connectivity/probe/pod.go
Expand Up @@ -15,7 +15,7 @@ import (
const (
agnhostImage = "e2e-test-images/agnhost:2.43"
// FIXME use a real image repository
polaWorkerImage = "docker.io/policy-assistant-worker:latest"
policyAssistantWorkerImage = "docker.io/policy-assistant-worker:latest"
)

func NewPod(ns string, name string, labels map[string]string, ip string, containers []*Container) *Pod {
Expand Down Expand Up @@ -194,7 +194,7 @@ func (c *Container) KubeServicePort() v1.ServicePort {

func (c *Container) Image() string {
if c.BatchJobs {
return polaWorkerImage
return policyAssistantWorkerImage
}
return c.ImageRegistry + "/" + agnhostImage
}
