From 9281b0cb142941f113f2e5e8db3722a4dd8b6d72 Mon Sep 17 00:00:00 2001
From: Hunter Gregory <42728408+huntergregory@users.noreply.github.com>
Date: Mon, 11 Nov 2024 12:26:40 -0800
Subject: [PATCH 1/2] docs: fix quick install
Signed-off-by: Hunter Gregory <42728408+huntergregory@users.noreply.github.com>
---
 cmd/policy-assistant/README.md | 52 ++++++++++++++++------------------
 1 file changed, 25 insertions(+), 27 deletions(-)
diff --git a/cmd/policy-assistant/README.md b/cmd/policy-assistant/README.md
index c199002e..cb9125f1 100644
--- a/cmd/policy-assistant/README.md
+++ b/cmd/policy-assistant/README.md
@@ -18,19 +18,17 @@ Policy Assistant is a static analysis tool which ***simulates the action of netw For instance, Policy Assistant can simulate and walk through which policies impact cluster traffic: ```shell -$ policy-assistant analyze --namespace demo --mode walkthrough +$ policy-assistant analyze --mode walkthrough --policy-path policies/ --traffic-path traffic.json verdict walkthrough: -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ -| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH | -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ -| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny) | | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) | | -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ +| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH | 
++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ +| demo/deployment/a -> demo/pod/b:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress | ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+ + +| demo/deployment/a -> demo/pod/b:81 (TCP) | Denied | [ANP] No-Op -> [BANP] Deny (baseline-deny) | | ++-------------------------------------------------+ +-----------------------------------------------------------------------------+ + +| demo2/[app=nginx] -> demo/deployment/a:81 (TCP) | | [ANP] Pass (development-ns) -> [NPv1] Dropped (demo/deny-anything-to-pod-a) | | ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ ``` ### Quick Install @@ -38,10 +36,10 @@ verdict walkthrough: Download the latest `policy-assistant` release either from GitHub ([web page](https://github.com/kubernetes-sigs/network-policy-api/releases/v0.0.1-policy-assistant)) or via these bash commands: ```bash -curl -O https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.0.1-policy-assistant/pola_linux_amd64.tar.gz +curl -O https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.0.1-policy-assistant/policy-assistant_linux_amd64.tar.gz # optionally verify check sum -tar -xvf pola_linux_amd64.tar.gz -./policy-assistant --help +tar -xvf policy-assistant_linux_amd64.tar.gz +./policy-assistant analyze --help ``` Alternatively, [install from source](#make-from-source). 
@@ -167,20 +165,20 @@ Combined: Visualize how traffic would be allowed/denied and which policies are causing the verdict. +For more information, see the [walkthrough demo](./examples/demos/walkthrough/README.md). + ```shell -$ policy-assistant analyze --mode walkthrough --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/ +$ policy-assistant analyze --mode walkthrough --policy-path policies/ --traffic-path traffic.json verdict walkthrough: -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ -| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH | -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ -| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny) | | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80) | | -+---------------------------------------+---------+-------------------------------------------------------------+ + -| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) | | -+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+ ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ +| TRAFFIC | VERDICT | INGRESS WALKTHROUGH | EGRESS WALKTHROUGH | 
++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ +| demo/deployment/a -> demo/pod/b:80 (TCP) | Allowed | [ANP] Allow (allow-80) | no policies targeting egress | ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+ + +| demo/deployment/a -> demo/pod/b:81 (TCP) | Denied | [ANP] No-Op -> [BANP] Deny (baseline-deny) | | ++-------------------------------------------------+ +-----------------------------------------------------------------------------+ + +| demo2/[app=nginx] -> demo/deployment/a:81 (TCP) | | [ANP] Pass (development-ns) -> [NPv1] Dropped (demo/deny-anything-to-pod-a) | | ++-------------------------------------------------+---------+-----------------------------------------------------------------------------+------------------------------+ ``` ## Development From 8d4038275a9f4fdce6a2e7c8fab525f040cb1c07 Mon Sep 17 00:00:00 2001 From: Hunter Gregory <42728408+huntergregory@users.noreply.github.com> Date: Mon, 11 Nov 2024 12:28:34 -0800 Subject: [PATCH 2/2] chore: replace lingering pola references with policy assistant Signed-off-by: Hunter Gregory <42728408+huntergregory@users.noreply.github.com> --- .../.github/workflows/kind_antrea.yml | 4 ++-- .../.github/workflows/kind_calico.yml | 4 ++-- .../.github/workflows/kind_cilium.yml | 4 ++-- .../.github/workflows/kind_cni_from_source.yml | 4 ++-- .../.github/workflows/kind_ovn.yml | 4 ++-- cmd/policy-assistant/.goreleaser.yml | 2 +- cmd/policy-assistant/Makefile | 8 ++++---- cmd/policy-assistant/examples/run.sh | 16 ++++++++-------- .../hack/sonobuoy/run-sonobuoy-plugin.sh | 4 ++-- .../pkg/connectivity/probe/pod.go | 4 ++-- 10 files changed, 27 insertions(+), 27 deletions(-) 
diff --git a/cmd/policy-assistant/.github/workflows/kind_antrea.yml b/cmd/policy-assistant/.github/workflows/kind_antrea.yml
index b69cfd3e..31a26ca5 100644
--- a/cmd/policy-assistant/.github/workflows/kind_antrea.yml
+++ b/cmd/policy-assistant/.github/workflows/kind_antrea.yml
@@ -2,7 +2,7 @@ name: Kind Antrea policy-assistant
 on:
 workflow_dispatch:
 inputs:
- pola_args:
+ policy_assistant_args:
 description: "args to pass on to policy-assistant"
 required: false
 default: "generate --include conflict --job-timeout-seconds 2 --server-protocol=tcp,udp"
@@ -23,4 +23,4 @@ jobs:
 go-version: 1.18
 - name: Run policy-assistant
 working-directory: hack/kind
- run: CNI=antrea RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
+ run: CNI=antrea RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
diff --git a/cmd/policy-assistant/.github/workflows/kind_calico.yml b/cmd/policy-assistant/.github/workflows/kind_calico.yml
index bdf50dd6..ca5202ad 100644
--- a/cmd/policy-assistant/.github/workflows/kind_calico.yml
+++ b/cmd/policy-assistant/.github/workflows/kind_calico.yml
@@ -2,7 +2,7 @@ name: Kind Calico policy-assistant
 on:
 workflow_dispatch:
 inputs:
- pola_args:
+ policy_assistant_args:
 description: "args to pass on to policy-assistant"
 required: false
 default: "generate --include conflict --job-timeout-seconds 2"
@@ -22,4 +22,4 @@ jobs:
 go-version: 1.18
 - name: Run policy-assistant
 working-directory: hack/kind
- run: CNI=calico RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
+ run: CNI=calico RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
diff --git a/cmd/policy-assistant/.github/workflows/kind_cilium.yml b/cmd/policy-assistant/.github/workflows/kind_cilium.yml
index bdeb698d..08dc105b 100644
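Review bot: The workflow_dispatch input is expanded by `${{ github.event.inputs.policy_assistant_args }}` directly inside the `run:` command line in the second hunk, so whatever text is entered for the input is pasted into the shell script before bash parses it, and the rename keeps that pattern. Only users who can trigger the workflow reach the input, which limits the exposure, but GitHub's hardening guidance is to route it through an environment variable so the shell sees it as data: add `env:` with `POLICY_ASSISTANT_ARGS: ${{ github.event.inputs.policy_assistant_args }}` to the step and change the run line to `FROM_SOURCE_ARGS="$POLICY_ASSISTANT_ARGS" ./run-policy-assistant.sh`. The same inline expansion appears in the kind_calico, kind_cilium, kind_cni_from_source (where the `cni` input is also inlined) and kind_ovn workflows in this patch. Separately, kind_cni_from_source's default `generate include --conflict ...` orders the option differently from the other four workflows' `generate --include conflict`; that is a context line, so it is presumably pre-existing, but it is worth checking while these inputs are being touched.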
--- a/cmd/policy-assistant/.github/workflows/kind_cilium.yml
+++ b/cmd/policy-assistant/.github/workflows/kind_cilium.yml
@@ -2,7 +2,7 @@ name: Kind Cilium policy-assistant
 on:
 workflow_dispatch:
 inputs:
- pola_args:
+ policy_assistant_args:
 description: "args to pass on to policy-assistant"
 required: false
 default: "generate --include conflict --job-timeout-seconds 2 --server-protocol=tcp,udp --ignore-loopback=true"
@@ -22,4 +22,4 @@ jobs:
 go-version: 1.18
 - name: Run policy-assistant
 working-directory: hack/kind
- run: CNI=cilium RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
+ run: CNI=cilium RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
diff --git a/cmd/policy-assistant/.github/workflows/kind_cni_from_source.yml b/cmd/policy-assistant/.github/workflows/kind_cni_from_source.yml
index aff077bb..8516f3e5 100644
--- a/cmd/policy-assistant/.github/workflows/kind_cni_from_source.yml
+++ b/cmd/policy-assistant/.github/workflows/kind_cni_from_source.yml
@@ -5,7 +5,7 @@ on:
 cni:
 description: "name of CNI to use"
 required: true
- pola_args:
+ policy_assistant_args:
 description: "args to pass on to policy-assistant"
 required: false
 default: "generate include --conflict --job-timeout-seconds 2"
@@ -24,4 +24,4 @@ jobs:
 - name: Run policy-assistant
 working-directory: hack/kind
- run: CNI=${{ github.event.inputs.cni }} RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
+ run: CNI=${{ github.event.inputs.cni }} RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
diff --git a/cmd/policy-assistant/.github/workflows/kind_ovn.yml b/cmd/policy-assistant/.github/workflows/kind_ovn.yml
index e0fc15c0..f770deac 100644
--- a/cmd/policy-assistant/.github/workflows/kind_ovn.yml
+++ b/cmd/policy-assistant/.github/workflows/kind_ovn.yml
@@ -2,7 +2,7 @@ name: Kind Ovn policy-assistant
 on:
 workflow_dispatch:
 inputs:
- pola_args:
+ policy_assistant_args:
 description: "args to pass on to policy-assistant"
 required: false
 default: "generate --include conflict --job-timeout-seconds 2 --exclude=named-port,multi-peer,upstream-e2e,example --ignore-loopback=true"
@@ -24,4 +24,4 @@ jobs:
 go-version: 1.18
 - name: Run policy-assistant
 working-directory: hack/kind
- run: CNI=ovn-kubernetes RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.pola_args }}" ./run-policy-assistant.sh
+ run: CNI=ovn-kubernetes RUN_FROM_SOURCE=true FROM_SOURCE_ARGS="${{ github.event.inputs.policy_assistant_args }}" ./run-policy-assistant.sh
diff --git a/cmd/policy-assistant/.goreleaser.yml b/cmd/policy-assistant/.goreleaser.yml
index d5535eab..77ecec37 100644
--- a/cmd/policy-assistant/.goreleaser.yml
+++ b/cmd/policy-assistant/.goreleaser.yml
@@ -57,5 +57,5 @@ archives:
 - README*
 - CHANGELOG*
 checksum:
- name_template: "pola_{{ .RawVersion }}_checksums.txt"
+ name_template: "policy_assistant_{{ .RawVersion }}_checksums.txt"
 algorithm: sha256
diff --git a/cmd/policy-assistant/Makefile b/cmd/policy-assistant/Makefile
index c62ff4bb..8dce636e 100644
--- a/cmd/policy-assistant/Makefile
+++ b/cmd/policy-assistant/Makefile
@@ -1,13 +1,13 @@
 # TODO: create an actual image registry + image
 # constants
-# FIXME: update POLA_IMAGE to the actual image name
-POLA_IMAGE = policy-assistant
+# FIXME: update POLICY_ASSISTANT_IMAGE to the actual image name
+POLICY_ASSISTANT_IMAGE = policy-assistant
 # variables
 # FIXME: update IMAGE_REGISTRY to the actual image registry
 IMAGE_REGISTRY ?= docker.io
-POLA_TAG ?= latest
+POLICY_ASSISTANT_TAG ?= latest
 test:
 go test ./pkg/...
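Review bot: Renaming the checksum artifact to `policy_assistant_{{ .RawVersion }}_checksums.txt` in the .goreleaser.yml hunk changes the file a downstream user must fetch to verify a release, and nothing on this page documents that name: the Quick Install section in patch 1 stops at `# optionally verify check sum` without saying which file to compare against or how. Suggest replacing that README comment with the concrete steps, e.g. `curl -O <release-url>/policy_assistant_<version>_checksums.txt` followed by `sha256sum --check --ignore-missing policy_assistant_<version>_checksums.txt`, so the sha256 configured under `algorithm:` here is actually exercised by readers (`<release-url>` and `<version>` are placeholders). Releases cut before this change presumably still ship the old `pola_`-prefixed checksum file, so the documentation should say from which version the new name applies.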
@@ -25,4 +25,4 @@ policy-assistant-binary:
 CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o ./cmd/policy-assistant/policy-assistant ./cmd/policy-assistant
 policy-assistant-image: policy-assistant-binary
- docker build -t $(IMAGE_REGISTRY)/$(POLA_IMAGE):$(POLA_TAG) ./cmd/policy-assistant
+ docker build -t $(IMAGE_REGISTRY)/$(POLICY_ASSISTANT_IMAGE):$(POLICY_ASSISTANT_TAG) ./cmd/policy-assistant
diff --git a/cmd/policy-assistant/examples/run.sh b/cmd/policy-assistant/examples/run.sh
index a4eb1616..c1d98134 100755
--- a/cmd/policy-assistant/examples/run.sh
+++ b/cmd/policy-assistant/examples/run.sh
@@ -3,9 +3,9 @@ set -euo pipefail
 set -xv
-POLA_OUTPUT_DIR=${POLA_OUTPUT_DIR:-"./policy-assistant-output"}
+POLICY_ASSISTANT_OUTPUT_DIR=${POLICY_ASSISTANT_OUTPUT_DIR:-"./policy-assistant-output"}
-mkdir -p "$POLA_OUTPUT_DIR"
+mkdir -p "$POLICY_ASSISTANT_OUTPUT_DIR"
 # run all 5
 printf "\n\n********************** run all 5 modes **************************\n\n"
@@ -15,14 +15,14 @@ go run ../cmd/policy-assistant/main.go analyze \
 --target-pod-path ./targets-example.json \
 --traffic-path ./traffic-example.json \
 --probe-path ./probe-example.json \
- > "$POLA_OUTPUT_DIR"/analyze-all-five.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-all-five.txt
 # run just the explainer
 printf "\n\n********************** run just the explainer **************************\n\n"
 go run ../cmd/policy-assistant/main.go analyze \
 --mode explain \
 --policy-path ../networkpolicies/simple-example/ \
- > "$POLA_OUTPUT_DIR"/analyze-explain.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-explain.txt
 # run just the targets
 printf "\n\n********************** run just the targets **************************\n\n"
@@ -30,7 +30,7 @@ go run ../cmd/policy-assistant/main.go analyze \
 --mode query-target \
 --policy-path ../networkpolicies/simple-example/ \
 --target-pod-path ./targets.json \
- > "$POLA_OUTPUT_DIR"/analyze-query-target.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-query-target.txt
 # run just the traffic
 printf "\n\n********************** run just the traffic **************************\n\n"
@@ -38,7 +38,7 @@ go run ../cmd/policy-assistant/main.go analyze \
 --mode query-traffic \
 --policy-path ../networkpolicies/simple-example/ \
 --traffic-path ./traffic.json \
- > "$POLA_OUTPUT_DIR"/analyze-query-traffic.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-query-traffic.txt
 # run just the probe
 printf "\n\n********************** run just the probe **************************\n\n"
@@ -46,11 +46,11 @@ go run ../cmd/policy-assistant/main.go analyze \
 --mode probe \
 --policy-path ../networkpolicies/simple-example/ \
 --probe-path ./probe.json \
- > "$POLA_OUTPUT_DIR"/analyze-probe.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-probe.txt
 # run just the linter
 printf "\n\n********************** run just the linter **************************\n\n"
 go run ../cmd/policy-assistant/main.go analyze \
 --mode lint \
 --policy-path ../networkpolicies/simple-example \
- > "$POLA_OUTPUT_DIR"/analyze-lint.txt
+ > "$POLICY_ASSISTANT_OUTPUT_DIR"/analyze-lint.txt
diff --git a/cmd/policy-assistant/hack/sonobuoy/run-sonobuoy-plugin.sh b/cmd/policy-assistant/hack/sonobuoy/run-sonobuoy-plugin.sh
index bc42a0e0..2a5bb803 100755
--- a/cmd/policy-assistant/hack/sonobuoy/run-sonobuoy-plugin.sh
+++ b/cmd/policy-assistant/hack/sonobuoy/run-sonobuoy-plugin.sh
@@ -3,11 +3,11 @@ set -xv
 set -euo pipefail
-POLA_ARGS=$@
+POLICY_ASSISTANT_ARGS=$@
 RESULTS_DIR="${RESULTS_DIR:-/tmp/results}"
-./policy-assistant $POLA_ARGS > "${RESULTS_DIR}"/results.txt
+./policy-assistant $POLICY_ASSISTANT_ARGS > "${RESULTS_DIR}"/results.txt
 cd "${RESULTS_DIR}"
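Review bot: `POLICY_ASSISTANT_ARGS=$@` in the run-sonobuoy-plugin.sh hunk flattens the script's arguments into one string, and the unquoted `$POLICY_ASSISTANT_ARGS` on the invocation line then re-splits that string on whitespace and applies glob expansion, so an argument containing a space or a `*` does not reach `./policy-assistant` the way the caller passed it; the rename carries this behaviour over unchanged. Because the script already runs under `set -euo pipefail`, the robust form is an array: `POLICY_ASSISTANT_ARGS=("$@")` and `./policy-assistant "${POLICY_ASSISTANT_ARGS[@]}" > "${RESULTS_DIR}"/results.txt`. Nothing else in the hunk reads the variable, so the change is local to these two lines.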
diff --git a/cmd/policy-assistant/pkg/connectivity/probe/pod.go b/cmd/policy-assistant/pkg/connectivity/probe/pod.go
index 9f883ab3..e0e80d97 100644
--- a/cmd/policy-assistant/pkg/connectivity/probe/pod.go
+++ b/cmd/policy-assistant/pkg/connectivity/probe/pod.go
@@ -15,7 +15,7 @@ import (
 const (
 agnhostImage = "e2e-test-images/agnhost:2.43"
 // FIXME use a real image repository
- polaWorkerImage = "docker.io/policy-assistant-worker:latest"
+ policyAssistantWorkerImage = "docker.io/policy-assistant-worker:latest"
 )
 func NewPod(ns string, name string, labels map[string]string, ip string, containers []*Container) *Pod {
@@ -194,7 +194,7 @@ func (c *Container) KubeServicePort() v1.ServicePort {
 func (c *Container) Image() string {
 if c.BatchJobs {
- return polaWorkerImage
+ return policyAssistantWorkerImage
 }
 return c.ImageRegistry + "/" + agnhostImage
 }
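Review bot: `Image()` returns `policyAssistantWorkerImage` verbatim on the `c.BatchJobs` path while the other path prefixes `c.ImageRegistry`, so the worker image always resolves to the hard-coded `docker.io` reference and cannot be served from a mirrored or private registry the way the agnhost image can; the rename leaves that asymmetry in place. The constant also carries a floating `:latest` tag, whereas `agnhostImage` is pinned to `2.43`, which makes probe runs non-reproducible once the FIXME'd real repository exists. Suggest keeping only the registry-relative reference in the constant, `policyAssistantWorkerImage = "policy-assistant-worker:<pinned-tag>"` (placeholder for whatever version gets published), and returning `c.ImageRegistry + "/" + policyAssistantWorkerImage` so both images go through the same registry setting. That changes where the worker image is pulled from, so it belongs with resolving the FIXME rather than in this rename.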