[Policy Assistant] calculate all allowed connections in a cluster #221
Comments
huntergregory
changed the title
|
Some good discussion on this today. Takeaways:
|
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Parent issue: #150
Goal
For all the Deployments and DaemonSets in a cluster, calculate the set of allowed connections given a set of policies.
Current Functionality
Check whether traffic is allowed/denied for the specified source, destination, and port/protocol.
Proposed New Feature
Produce JSON of all allowed connections and the effective policy rules causing this.
Here is one idea for the format (let me put this in a PR):
{ "Connections": [ { "From": "10.0.0.0/28", "To": "ns-dev/daemonset/backend", "AllowedTraffic": { "TCPPorts": "all" }, "EffectivePolicyRules": { "Ingress": { "ANPPassed": [ { "PolicyKey": "default/anp1", "Priority": 1, "RuleNumber": 9, "Rule": "dev-pass-on-external-tcp", "TCPPorts": "all" } ], "ANPDenied": [ { "PolicyKey": "default/anp1", "Priority": 1, "RuleNumber": 10, "Rule": "deny-external", "UDPPorts": "all", "OtherPorts": "all" } ], "NPv1Allowed": [ { "PolicyKey": "ns-dev/allow-all", "TCPPorts": "all" } ] } } }, { "From": "ns-dev/deployment/frontend", "To": "ns-dev/daemonset/backend", "AllowedTraffic": { "TCPPorts": "80", "UDPPorts": "53,80" }, "EffectivePolicyRules": { "Ingress": { "ANPAllowed": [ { "PolicyKey": "default/anp2", "Priority": 2, "RuleNumber": 1, "Rule": "allow-all-udp", "UDPPorts": "all" } ], "ANPPassed": [ { "PolicyKey": "default/anp1", "Priority": 1, "RuleNumber": 1, "Rule": "pass-tcp-80", "TCPPorts": "80" }, { "PolicyKey": "default/anp1", "Priority": 1, "RuleNumber": 2, "Rule": "pass-rest-of-tcp", "TCPPorts": "0-79,81-65535" } ], "ANPDenied": [ { "PolicyKey": "default/anp3", "Priority": 3, "RuleNumber": 1, "Rule": "deny-everything-else", "OtherPorts": "all" } ], "NPv1Allowed": [ { "PolicyKey": "ns-dev/deny-all" }, { "PolicyKey": "ns-dev/allow-tcp-80", "TCPPorts": "80" } ] }, "Egress": { "BANPAllowed": [ { "PolicyKey": "default/default", "RuleNumber": 1, "Rule": "allow-port-53-and-80", "TCPPorts": "53,80", "UDPPorts": "53,80", "OtherPorts": "53,80", } ], "BANPDenied": [ { "PolicyKey": "default/default", "RuleNumber": 2, "Rule": "baseline-deny-udp", "UDPPorts": "0-52,54-65535" } ] } } } ] }Implementation
There is a policy engine that calculates whether traffic is allowed/denied for a given set of:
Can we brute force calculate all possible connections between each Deployment/DaemonSet in a cluster? There are only 65,000 ports, so this may be feasible?
Code
It's determined whether traffic is allowed here:
network-policy-api/cmd/policy-assistant/pkg/matcher/policy.go
Line 269 in 669dfbc
network-policy-api/cmd/policy-assistant/pkg/matcher/policy.go
Line 311 in 669dfbc
Based on the port/protocol logic from the
PeerMatcherinterface:network-policy-api/cmd/policy-assistant/pkg/matcher/peermatcher.go
Line 29 in 669dfbc
The text was updated successfully, but these errors were encountered: