diff --git a/cmd/policy-assistant/pkg/connectivity/probe/table.go b/cmd/policy-assistant/pkg/connectivity/probe/table.go
index 02a0ff65..c2a0d088 100644
--- a/cmd/policy-assistant/pkg/connectivity/probe/table.go
+++ b/cmd/policy-assistant/pkg/connectivity/probe/table.go
@@ -47,6 +47,12 @@ func NewTableWithDefaultConnectivity(r *Resources, ingress, egress Connectivity)
 Egress: &egress,
 }
+ if fr == to {
+ c := ConnectivityUndefined
+ jr.Ingress = &c
+ jr.Egress = &c
+ }
+
 setCombined(jr)
 k := fmt.Sprintf("%s/%d", proto, port)
diff --git a/cmd/policy-assistant/pkg/matcher/builder_tests.go b/cmd/policy-assistant/pkg/matcher/builder_tests.go
index 84ccd4df..8114160e 100644
--- a/cmd/policy-assistant/pkg/matcher/builder_tests.go
+++ b/cmd/policy-assistant/pkg/matcher/builder_tests.go
@@ -28,7 +28,7 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoIngress)
 Expect(ingress).ToNot(BeNil())
- Expect(ingress.Peers).To(BeNil())
+ Expect(ingress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(egress).To(BeNil())
 })
@@ -37,7 +37,7 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoEgress)
 Expect(egress).ToNot(BeNil())
- Expect(egress.Peers).To(BeNil())
+ Expect(egress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(ingress).To(BeNil())
 })
@@ -46,10 +46,10 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoIngressAllowNoEgress)
 Expect(egress).ToNot(BeNil())
- Expect(egress.Peers).To(BeNil())
+ Expect(egress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(ingress).ToNot(BeNil())
- Expect(ingress.Peers).To(BeNil())
+ Expect(ingress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 })
 })
@@ -75,7 +75,7 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoIngress_EmptyIngress)
 Expect(ingress).ToNot(BeNil())
- Expect(ingress.Peers).To(BeNil())
+ Expect(ingress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(egress).To(BeNil())
 })
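Review bot: The new `fr == to` branch replaces the caller-supplied `ingress`/`egress` defaults with ConnectivityUndefined for a pod's traffic to itself, but carries no comment saying why, so a reader of the resulting table cannot tell undefined-by-design from undefined-because-the-probe-failed. Suggest `// A pod's traffic to itself gets no verdict: report it as undefined rather than the table default.` above the `if`. `fr`, `to` and `jr` are declared outside the hunk, so I cannot confirm whether `==` compares values or pointers; if they are pointers to separately constructed copies of the same pod, the self pair would be missed and silently keep the default, and comparing a stable key such as namespace/name would be safer. The undefined value then flows into `setCombined(jr)`, which is also outside the hunk and should be checked to handle ConnectivityUndefined when deriving the combined verdict. NewTableWithDefaultConnectivity starts and ends outside the hunk.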
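Review bot: The literal `[]PeerMatcher{&NoMatcher{}}` is now repeated at eight assertion sites (this hunk and the hunks at -37, -46, -75, -84, -93 and -128); hoisting it once near the top of RunBuilderTests, e.g. `noPeers := []PeerMatcher{&NoMatcher{}}`, would make the next change to the empty-rules representation a one-line edit. The production change that makes BuildTarget/BuildIngressMatcher return a NoMatcher instead of nil is not part of this diff, so these expectations cannot be checked against it here. gomega's `Equal` deep-compares through the pointer, so a fresh `&NoMatcher{}` on each side is fine as long as NoMatcher stays a value-comparable struct. RunBuilderTests starts and ends outside the hunk.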
@@ -84,7 +84,7 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoEgress_EmptyEgress)
 Expect(egress).ToNot(BeNil())
- Expect(egress.Peers).To(BeNil())
+ Expect(egress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(ingress).To(BeNil())
 })
@@ -93,10 +93,10 @@ func RunBuilderTests() {
 ingress, egress := BuildTarget(netpol.AllowNoIngressAllowNoEgress_EmptyEgressEmptyIngress)
 Expect(egress).ToNot(BeNil())
- Expect(egress.Peers).To(BeNil())
+ Expect(egress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 Expect(ingress).ToNot(BeNil())
- Expect(ingress.Peers).To(BeNil())
+ Expect(ingress.Peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 })
 })
@@ -128,12 +128,12 @@ func RunBuilderTests() {
 Describe("PeerMatcher from slice of ingress/egress rules", func() {
 It("allows no ingress from an empty slice of ingress rules", func() {
 peers := BuildIngressMatcher("abc", []networkingv1.NetworkPolicyIngressRule{})
- Expect(peers).To(BeNil())
+ Expect(peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 })
 It("allows no egress from an empty slice of egress rules", func() {
 peers := BuildEgressMatcher("abc", []networkingv1.NetworkPolicyEgressRule{})
- Expect(peers).To(BeNil())
+ Expect(peers).To(Equal([]PeerMatcher{&NoMatcher{}}))
 })
 It("allows all ingress from an ingress containing a single empty rule", func() {
diff --git a/cmd/policy-assistant/pkg/matcher/simplifier_tests.go b/cmd/policy-assistant/pkg/matcher/simplifier_tests.go
index 188f854f..c6b30cf8 100644
--- a/cmd/policy-assistant/pkg/matcher/simplifier_tests.go
+++ b/cmd/policy-assistant/pkg/matcher/simplifier_tests.go
@@ -135,7 +135,7 @@ func RunSimplifierTests() {
 Priority: 5,
 Verdict: Deny,
 },
- Name: "anp",
+ RuleName: "anp",
 }
 banpAllowAll := &PeerMatcherAdmin{
 PodPeerMatcher: &PodPeerMatcher{
@@ -147,7 +147,7 @@ func RunSimplifierTests() {
 PolicyKind: BaselineAdminNetworkPolicy,
 Verdict: Allow,
 },
- Name: "banp",
+ RuleName: "banp",
 }
 Expect(Simplify([]PeerMatcher{all, allOnTCP80, ip, allPodsAllPorts, banpAllowAll, allPodsTCP103, anpDenyAll})).To(Equal([]PeerMatcher{banpAllowAll, anpDenyAll, all}))
diff --git a/cmd/policy-assistant/test/integration/explain_test.go b/cmd/policy-assistant/test/integration/explain_test.go
index f3bcb859..b2e7f621 100644
--- a/cmd/policy-assistant/test/integration/explain_test.go
+++ b/cmd/policy-assistant/test/integration/explain_test.go
@@ -1,170 +1,171 @@ package connectivity import ( + "testing" + "github.com/mattfenwick/cyclonus/examples" "github.com/mattfenwick/cyclonus/pkg/kube/netpol" "github.com/mattfenwick/cyclonus/pkg/matcher" "github.com/stretchr/testify/require" - "testing" ) func TestExplain(t *testing.T) { t.Run("prints network policies v1", func(t *testing.T) { - expected := "+---------+--------------------+----------------------------------------------------------------------------+----------------------+-------------------------+---------------------------+\n" + - "| TYPE | SUBJECT | SOURCE RULES | PEER | ACTION | PORT/PROTOCOL |\n" + - "+---------+--------------------+----------------------------------------------------------------------------+----------------------+-------------------------+---------------------------+\n" + - "| Ingress | Namespace: | [NPv1] default/accidental-and | Namespace: | NPv1: All peers allowed | all ports, all protocols |\n" + - "| | default | [NPv1] default/accidental-or | default | | |\n" + - "| | Pod: | | Pod: | | |\n" + - "| | a = b | | role = client | | |\n" + - "+ + + +----------------------+ + +\n" + - "| | | | Namespace: | | |\n" + - "| | | | user = alice | | |\n" + - "| | | | Pod: | | |\n" + - "| | | | role = client | | |\n" + - "+ + + +----------------------+ + +\n" + - "| | | | Namespace: | | |\n" + - "| | | | user = alice | | |\n" + - "| | | | Pod: | | |\n" + - "| | | | all | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + - "| | Namespace: | [NPv1] default/allow-nothing-to-v2-all-web | no pods, no ips | | no ports, no protocols |\n" + - "| | default | | | | |\n" + - "| | Pod: | | | | |\n" + - "| | all = web | | | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + - "| | Namespace: | [NPv1] 
default/allow-specific-port-from-role-monitoring-to-app-apiserver | Namespace: | | port 5000 on protocol TCP |\n" + - "| | default | | default | | |\n" + - "| | Pod: | | Pod: | | |\n" + - "| | app = apiserver | | role = monitoring | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + - "| | Namespace: | [NPv1] default/allow-from-app-bookstore-to-app-bookstore-role-api | Namespace: | | all ports, all protocols |\n" + - "| | default | | default | | |\n" + - "| | Pod: | | Pod: | | |\n" + - "| | app = bookstore | | app = bookstore | | |\n" + - "| | role = api | | | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ + +\n" + - "| | Namespace: | [NPv1] default/allow-from-multiple-to-app-bookstore-role-db | Namespace: | | |\n" + - "| | default | | default | | |\n" + - "| | Pod: | | Pod: | | |\n" + - "| | app = bookstore | | app = bookstore | | |\n" + - "| | role = db | | role = api | | |\n" + - "+ + + +----------------------+ + +\n" + - "| | | | Namespace: | | |\n" + - "| | | | default | | |\n" + - "| | | | Pod: | | |\n" + - "| | | | app = bookstore | | |\n" + - "| | | | role = search | | |\n" + - "+ + + +----------------------+ + +\n" + - "| | | | Namespace: | | |\n" + - "| | | | default | | |\n" + - "| | | | Pod: | | |\n" + - "| | | | app = inventory | | |\n" + - "| | | | role = web | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + - "| | Namespace: | [NPv1] default/allow-nothing | no pods, no ips | | no ports, no protocols |\n" + - "| | default | | | | |\n" + - "| | Pod: | | | | |\n" + - "| | app = foo | | | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ 
+---------------------------+\n" + - "| | Namespace: | [NPv1] default/allow-all-to-app-web | all pods, all ips | | all ports, all protocols |\n" + - "| | default | [NPv1] default/allow-all-to-version2-app-web | | | |\n" + - "| | Pod: | [NPv1] default/allow-all-to-version3-app-web | | | |\n" + - "| | app = web | [NPv1] default/allow-all-to-version4-app-web | | | |\n" + - "| | | [NPv1] default/allow-from-anywhere-to-app-web | | | |\n" + - "| | | [NPv1] default/allow-from-namespace-to-app-web | | | |\n" + - "| | | [NPv1] default/allow-from-namespace-with-labels-type-monitoring-to-app-web | | | |\n" + - "| | | [NPv1] default/allow-nothing-to-app-web | | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ + +\n" + - "| | Namespace: | [NPv1] default/allow-all-within-namespace | Namespace: | | |\n" + - "| | default | [NPv1] default/allow-nothing-to-anything | default | | |\n" + - "| | Pod: | | Pod: | | |\n" + - "| | all pods | | all | | |\n" + - "+---------+--------------------+----------------------------------------------------------------------------+----------------------+-------------------------+---------------------------+\n" + - "| | | | | | |\n" + - "+---------+--------------------+----------------------------------------------------------------------------+----------------------+-------------------------+---------------------------+\n" + - "| Egress | Namespace: | [NPv1] default/allow-egress-on-port-app-foo | all pods, all ips | NPv1: All peers allowed | port 53 on protocol TCP |\n" + - "| | default | [NPv1] default/allow-egress-to-all-namespace-from-app-foo-on-port-53 | | | port 53 on protocol UDP |\n" + - "| | Pod: | [NPv1] default/allow-no-egress-from-labels-app-foo | | | |\n" + - "| | app = foo | [NPv1] default/allow-nothing | | | |\n" + - "+ +--------------------+----------------------------------------------------------------------------+----------------------+ 
+---------------------------+\n" + - "| | Namespace: | [NPv1] default/allow-no-egress-from-namespace | no pods, no ips | | no ports, no protocols |\n" + - "| | default | | | | |\n" + - "| | Pod: | | | | |\n" + - "| | all pods | | | | |\n" + - "+---------+--------------------+----------------------------------------------------------------------------+----------------------+-------------------------+---------------------------+\n" + + expected := "+---------+--------------------+----------------------------------------------------------------------------+----------------------+--------------------+---------------------------+\n" + + "| TYPE | SUBJECT | SOURCE RULES | PEER | ACTION | PORT/PROTOCOL |\n" + + "+---------+--------------------+----------------------------------------------------------------------------+----------------------+--------------------+---------------------------+\n" + + "| Ingress | Namespace: | [NPv1] default/accidental-and | Namespace: | NPv1: | all ports, all protocols |\n" + + "| | default | [NPv1] default/accidental-or | default | Allow any peers | |\n" + + "| | Pod: | | Pod: | | |\n" + + "| | a = b | | role = client | | |\n" + + "+ + + +----------------------+ + +\n" + + "| | | | Namespace: | | |\n" + + "| | | | user = alice | | |\n" + + "| | | | Pod: | | |\n" + + "| | | | role = client | | |\n" + + "+ + + +----------------------+ + +\n" + + "| | | | Namespace: | | |\n" + + "| | | | user = alice | | |\n" + + "| | | | Pod: | | |\n" + + "| | | | all | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-nothing-to-v2-all-web | no peers | | none |\n" + + "| | default | | | | |\n" + + "| | Pod: | | | | |\n" + + "| | all = web | | | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ 
+---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-specific-port-from-role-monitoring-to-app-apiserver | Namespace: | | port 5000 on protocol TCP |\n" + + "| | default | | default | | |\n" + + "| | Pod: | | Pod: | | |\n" + + "| | app = apiserver | | role = monitoring | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-from-app-bookstore-to-app-bookstore-role-api | Namespace: | | all ports, all protocols |\n" + + "| | default | | default | | |\n" + + "| | Pod: | | Pod: | | |\n" + + "| | app = bookstore | | app = bookstore | | |\n" + + "| | role = api | | | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ + +\n" + + "| | Namespace: | [NPv1] default/allow-from-multiple-to-app-bookstore-role-db | Namespace: | | |\n" + + "| | default | | default | | |\n" + + "| | Pod: | | Pod: | | |\n" + + "| | app = bookstore | | app = bookstore | | |\n" + + "| | role = db | | role = api | | |\n" + + "+ + + +----------------------+ + +\n" + + "| | | | Namespace: | | |\n" + + "| | | | default | | |\n" + + "| | | | Pod: | | |\n" + + "| | | | app = bookstore | | |\n" + + "| | | | role = search | | |\n" + + "+ + + +----------------------+ + +\n" + + "| | | | Namespace: | | |\n" + + "| | | | default | | |\n" + + "| | | | Pod: | | |\n" + + "| | | | app = inventory | | |\n" + + "| | | | role = web | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-nothing | no peers | | none |\n" + + "| | default | | | | |\n" + + "| | Pod: | | | | |\n" + + "| | app = foo | | | | |\n" + + "+ 
+--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-all-to-app-web | all pods, all ips | | all ports, all protocols |\n" + + "| | default | [NPv1] default/allow-all-to-version2-app-web | | | |\n" + + "| | Pod: | [NPv1] default/allow-all-to-version3-app-web | | | |\n" + + "| | app = web | [NPv1] default/allow-all-to-version4-app-web | | | |\n" + + "| | | [NPv1] default/allow-from-anywhere-to-app-web | | | |\n" + + "| | | [NPv1] default/allow-from-namespace-to-app-web | | | |\n" + + "| | | [NPv1] default/allow-from-namespace-with-labels-type-monitoring-to-app-web | | | |\n" + + "| | | [NPv1] default/allow-nothing-to-app-web | | | |\n" + + "+ +--------------------+----------------------------------------------------------------------------+----------------------+ + +\n" + + "| | Namespace: | [NPv1] default/allow-all-within-namespace | Namespace: | | |\n" + + "| | default | [NPv1] default/allow-nothing-to-anything | default | | |\n" + + "| | Pod: | | Pod: | | |\n" + + "| | all pods | | all | | |\n" + + "+---------+--------------------+----------------------------------------------------------------------------+----------------------+--------------------+---------------------------+\n" + + "| | | | | | |\n" + + "+---------+--------------------+----------------------------------------------------------------------------+----------------------+--------------------+---------------------------+\n" + + "| Egress | Namespace: | [NPv1] default/allow-egress-on-port-app-foo | all pods, all ips | NPv1: | port 53 on protocol TCP |\n" + + "| | default | [NPv1] default/allow-egress-to-all-namespace-from-app-foo-on-port-53 | | Allow any peers | port 53 on protocol UDP |\n" + + "| | Pod: | [NPv1] default/allow-no-egress-from-labels-app-foo | | | |\n" + + "| | app = foo | [NPv1] default/allow-nothing | | | |\n" + + "+ 
+--------------------+----------------------------------------------------------------------------+----------------------+ +---------------------------+\n" + + "| | Namespace: | [NPv1] default/allow-no-egress-from-namespace | no peers | | none |\n" + + "| | default | | | | |\n" + + "| | Pod: | | | | |\n" + + "| | all pods | | | | |\n" + + "+---------+--------------------+----------------------------------------------------------------------------+----------------------+--------------------+---------------------------+\n" + "" policies := matcher.BuildV1AndV2NetPols(true, netpol.AllExamples, nil, nil) require.Equal(t, expected, policies.ExplainTable()) }) t.Run("prints network ANPs and BANPs", func(t *testing.T) { - expected := "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| TYPE | SUBJECT | SOURCE RULES | PEER | ACTION | PORT/PROTOCOL |\n" + - "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| Ingress | Namespace: | [ANP] default/example-anp | Namespace: | ANP: | all ports, all protocols |\n" + - "| | kubernetes.io/metadata.name Exists [] | [ANP] default/example-anp-2 | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (example-anp-2): Deny | |\n" + - "| | | [BANP] default/default | Pod: | pri=20 (example-anp): Deny | |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Deny | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+ +\n" + - "| | | | Namespace: | ANP: | |\n" + - "| | | | kubernetes.io/metadata.name = 
network-policy-conformance-ravenclaw | pri=16 (example-anp-2): Allow (ineffective rules: Deny, Pass) | |\n" + - "| | | | Pod: | pri=20 (example-anp): Allow (ineffective rules: Deny, Pass) | |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Allow | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-slytherin | pri=16 (example-anp-2): Deny (ineffective rules: Pass) | port 53 on protocol UDP |\n" + - "| | | | Pod: | pri=20 (example-anp): Deny (ineffective rules: Pass) | port 9003 on protocol SCTP |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Deny | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (example-anp-2): Allow | port 5353 on protocol UDP |\n" + - "| | | | Pod: | pri=20 (example-anp): Allow | port 9003 on protocol SCTP |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Allow | |\n" + - "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| | | | | | |\n" + - "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| Egress | Namespace: | [ANP] default/example-anp | Namespace: | BANP: | all 
ports, all protocols |\n" + - "| | kubernetes.io/metadata.name Exists [] | [ANP] default/example-anp-2 | Not Same labels - Test1 | Deny | |\n" + - "| | | [BANP] default/default | Pod: | | |\n" + - "| | | | all | | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+ +\n" + - "| | | | Namespace: | BANP: | |\n" + - "| | | | Same labels - Test | Allow | |\n" + - "| | | | Pod: | | |\n" + - "| | | | all | | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+ +\n" + - "| | | | Namespace: | ANP: | |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (example-anp-2): Deny | |\n" + - "| | | | Pod: | pri=20 (example-anp): Deny | |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Deny | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+ +\n" + - "| | | | Namespace: | ANP: | |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-ravenclaw | pri=16 (example-anp-2): Allow (ineffective rules: Deny, Pass) | |\n" + - "| | | | Pod: | pri=20 (example-anp): Allow (ineffective rules: Deny, Pass) | |\n" + - "| | | | all | | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-slytherin | pri=16 (example-anp-2): Deny (ineffective rules: Pass) | port 53 on protocol UDP |\n" + - "| | | | Pod: | pri=20 (example-anp): Deny (ineffective rules: Pass) | port 9003 on protocol SCTP |\n" + - "| | | | all | | |\n" + - "+ + + 
+------------------------------------------------------------------------+------------------------------------------------------------------+ +\n" + - "| | | | Namespace: | BANP: | |\n" + - "| | | | kubernetes.io/metadata.name Exists [] | Deny | |\n" + - "| | | | Pod: | | |\n" + - "| | | | all | | |\n" + - "+ + + +------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + - "| | | | Namespace: | ANP: | port 8080 on protocol TCP |\n" + - "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (example-anp-2): Allow | port 5353 on protocol UDP |\n" + - "| | | | Pod: | pri=20 (example-anp): Allow | port 9003 on protocol SCTP |\n" + - "| | | | all | BANP: | |\n" + - "| | | | | Allow | |\n" + - "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+------------------------------------------------------------------+----------------------------+\n" + + expected := "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| TYPE | SUBJECT | SOURCE RULES | PEER | ACTION | PORT/PROTOCOL |\n" + + "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| Ingress | Namespace: | [ANP] default/example-anp | Namespace: | ANP: | all ports, all protocols |\n" + + "| | kubernetes.io/metadata.name Exists [] | [ANP] default/example-anp-2 | kubernetes.io/metadata.name = 
network-policy-conformance-hufflepuff | pri=16 (deny-from-hufflepuff-everything-else-2): Deny | |\n" + + "| | | [BANP] default/default | Pod: | pri=20 (deny-from-hufflepuff-everything-else): Deny | |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Deny | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+ +\n" + + "| | | | Namespace: | ANP: | |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-ravenclaw | pri=16 (allow-from-ravenclaw-everything-2): Allow (ineffective rules: Deny, Pass) | |\n" + + "| | | | Pod: | pri=20 (allow-from-ravenclaw-everything): Allow (ineffective rules: Deny, Pass) | |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Allow | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-slytherin | pri=16 (deny-from-slytherin-at-port-80-53-9003-2): Deny (ineffective rules: Pass) | port 53 on protocol UDP |\n" + + "| | | | Pod: | pri=20 (deny-from-slytherin-at-port-80-53-9003): Deny (ineffective rules: Pass) | port 9003 on protocol SCTP |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Deny | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (allow-from-hufflepuff-at-port-80-5353-9003-2): Allow | port 5353 on protocol UDP |\n" + + "| | | | Pod: | pri=20 (allow-from-hufflepuff-at-port-80-5353-9003): Allow | 
port 9003 on protocol SCTP |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Allow | |\n" + + "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| | | | | | |\n" + + "+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| Egress | Namespace: | [ANP] default/example-anp | Namespace: | BANP: | all ports, all protocols |\n" + + "| | kubernetes.io/metadata.name Exists [] | [ANP] default/example-anp-2 | Not Same labels - Test1 | Deny | |\n" + + "| | | [BANP] default/default | Pod: | | |\n" + + "| | | | all | | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+ +\n" + + "| | | | Namespace: | BANP: | |\n" + + "| | | | Same labels - Test | Allow | |\n" + + "| | | | Pod: | | |\n" + + "| | | | all | | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+ +\n" + + "| | | | Namespace: | ANP: | |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (deny-to-hufflepuff-everything-else-2): Deny | |\n" + + "| | | | Pod: | pri=20 (deny-to-hufflepuff-everything-else): Deny | |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Deny | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+ +\n" + + "| | | | Namespace: | ANP: 
| |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-ravenclaw | pri=16 (allow-to-ravenclaw-everything-2): Allow (ineffective rules: Deny, Pass) | |\n" + + "| | | | Pod: | pri=20 (allow-to-ravenclaw-everything): Allow (ineffective rules: Deny, Pass) | |\n" + + "| | | | all | | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| | | | Namespace: | ANP: | port 80 on protocol TCP |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-slytherin | pri=16 (deny-to-slytherin-at-ports-80-53-9003-2): Deny (ineffective rules: Pass) | port 53 on protocol UDP |\n" + + "| | | | Pod: | pri=20 (deny-to-slytherin-at-ports-80-53-9003): Deny (ineffective rules: Pass) | port 9003 on protocol SCTP |\n" + + "| | | | all | | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+ +\n" + + "| | | | Namespace: | BANP: | |\n" + + "| | | | kubernetes.io/metadata.name Exists [] | Deny | |\n" + + "| | | | Pod: | | |\n" + + "| | | | all | | |\n" + + "+ + + +------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" + + "| | | | Namespace: | ANP: | port 8080 on protocol TCP |\n" + + "| | | | kubernetes.io/metadata.name = network-policy-conformance-hufflepuff | pri=16 (allow-to-hufflepuff-at-ports-8080-5353-2): Allow | port 5353 on protocol UDP |\n" + + "| | | | Pod: | pri=20 (allow-to-hufflepuff-at-ports-8080-5353): Allow | port 9003 on protocol SCTP |\n" + + "| | | | all | BANP: | |\n" + + "| | | | | Allow | |\n" + + 
"+---------+------------------------------------------+-----------------------------+------------------------------------------------------------------------+--------------------------------------------------------------------------------------+----------------------------+\n" +
 ""
 policies := matcher.BuildV1AndV2NetPols(false, nil, examples.CoreGressRulesCombinedANB, examples.CoreGressRulesCombinedBANB)
 require.Equal(t, expected, policies.ExplainTable())
diff --git a/cmd/policy-assistant/test/integration/integration_test.go b/cmd/policy-assistant/test/integration/integration_test.go
index a686f866..e1eab4ec 100644
--- a/cmd/policy-assistant/test/integration/integration_test.go
+++ b/cmd/policy-assistant/test/integration/integration_test.go
@@ -82,9 +82,6 @@ func TestNetPolV1Connectivity(t *testing.T) {
 defaultIngressBehavior: probe.ConnectivityAllowed,
 defaultEgressBehavior: probe.ConnectivityAllowed,
 nonDefaultIngress: []flow{
- {"x/a", "x/a", 80, v1.ProtocolTCP},
- {"x/a", "x/a", 81, v1.ProtocolTCP},
- {"x/a", "x/a", 81, v1.ProtocolUDP},
 {"x/b", "x/a", 80, v1.ProtocolTCP},
 {"x/b", "x/a", 81, v1.ProtocolTCP},
 {"x/b", "x/a", 81, v1.ProtocolUDP},
@@ -295,8 +292,6 @@ func TestANPConnectivity(t *testing.T) {
 defaultIngressBehavior: probe.ConnectivityAllowed,
 defaultEgressBehavior: probe.ConnectivityAllowed,
 nonDefaultIngress: []flow{
- {"x/a", "x/a", 80, v1.ProtocolTCP},
- {"x/a", "x/a", 81, v1.ProtocolTCP},
 {"x/b", "x/a", 80, v1.ProtocolTCP},
 {"x/b", "x/a", 81, v1.ProtocolTCP},
 {"x/c", "x/a", 80, v1.ProtocolTCP},
@@ -866,7 +861,6 @@ func TestBANPConnectivity(t *testing.T) {
 {"y/b", "x/a", 80, v1.ProtocolTCP},
 {"y/b", "x/b", 80, v1.ProtocolTCP},
 {"y/b", "y/a", 80, v1.ProtocolTCP},
- {"y/b", "y/b", 80, v1.ProtocolTCP},
 },
 args: args{
 resources: getResources(t, []string{"x", "y"}, []string{"a", "b"}, []int{80}, []v1.Protocol{v1.ProtocolTCP}),
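Review bot: The expected output is a string concatenation of roughly 85 lines per sub-test, and the column-width churn on the new side hides the only rendering changes a reviewer needs to see: `no pods, no ips` / `no ports, no protocols` are now rendered as `no peers` / `none`, `NPv1: All peers allowed` became `NPv1: Allow any peers`, and the ANP rows now print rule names next to the priority. Consider keeping each table in a golden file under testdata and comparing with `require.Equal(t, string(want), policies.ExplainTable())`, with an update flag to regenerate, so future renderer changes produce a readable diff instead of a wholesale string replacement. Collapsing "no pods, no ips" into "no peers" drops the pod/IP distinction in the user-facing explanation; if that is intentional it deserves a sentence in the commit description, since the renderer change itself is not in this diff. TestExplain ends outside the hunk.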
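Review bot: Dropping the `"x/a", "x/a"` and `"y/b", "y/b"` entries from nonDefaultIngress (here and in the hunks at -295, -866, -1189 and -1257) removes the only cases that exercised a pod's traffic to itself, and nothing visible replaces them; if the table.go change in this same commit now reports self-traffic as ConnectivityUndefined, that behaviour is untested and a regression back to Allowed or Blocked would pass silently. Suggest adding one expectation per affected test that pins the self pair, e.g. an assertion against `probe.ConnectivityUndefined` for `x/a -> x/a` on the probed table, so the new rule is covered rather than merely no longer contradicted. The exact hook depends on how the harness builds its expected table outside this hunk, which I cannot see, so the test-case struct may need a field for it. The enclosing test-case table starts and ends outside the hunk.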
@@ -1189,7 +1183,6 @@ func TestANPWithBANP(t *testing.T) {
 defaultIngressBehavior: probe.ConnectivityBlocked,
 defaultEgressBehavior: probe.ConnectivityAllowed,
 nonDefaultIngress: []flow{
- {"x/a", "x/a", 80, v1.ProtocolUDP},
 {"x/b", "x/a", 80, v1.ProtocolUDP},
 },
 args: args{
@@ -1257,7 +1250,6 @@ func TestANPWithBANP(t *testing.T) {
 defaultIngressBehavior: probe.ConnectivityAllowed,
 defaultEgressBehavior: probe.ConnectivityAllowed,
 nonDefaultIngress: []flow{
- {"x/a", "x/a", 80, v1.ProtocolUDP},
 {"x/b", "x/a", 80, v1.ProtocolUDP},
 },
 args: args{