adding fake ip for pod from core

pkg/netpol/connlist/connlist_test.go

@@ -28,7 +28,7 @@ func getConnlistFromDirPathRes(stopOnErr bool, path string) (*ConnlistAnalyzer,
 // TestConnList tests the output of ConnlistFromDirPath() for valid input resources
 func TestConnList(t *testing.T) {
 	testNames := []string{"ipblockstest", "onlineboutique", "onlineboutique_workloads",
-		"minikube_resources", "online_boutique_workloads_no_ns"}
+		"minikube_resources", "online_boutique_workloads_no_ns", "core_pods_without_host_ip"}
 	expectedOutputFileName := "connlist_output.txt"
 	generateActualOutput := false
 	for _, testName := range testNames {

pkg/netpol/eval/internal/k8s/pod.go

@@ -28,10 +28,7 @@ import (
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/scan"
 )
 
-const (
-	defaultPortsListSize = 8
-	ipv4LoopbackAddr     = "127.0.0.1"
-)
+const defaultPortsListSize = 8
 
 // Pod encapsulates k8s Pod fields that are relevant for evaluating network policies
 type Pod struct {
@@ -57,7 +54,7 @@ type Owner struct {
 
 // PodFromCoreObject creates a PodRef by extracting relevant fields from the k8s Pod
 func PodFromCoreObject(p *corev1.Pod) (*Pod, error) {
-	if p.Status.HostIP == "" || len(p.Status.PodIPs) == 0 { // not scheduled nor assigned IP addresses - ignore
+	if p.Status.HostIP == "" && len(p.Status.PodIPs) == 0 { // not scheduled nor assigned IP addresses - ignore
 		return nil, errors.New("no worker node or IP assigned for pod: " + namespacedName(p))
 	}
 
@@ -188,7 +185,7 @@ func PodsFromWorkloadObject(workload interface{}, kind string) ([]*Pod, error) {
 		pod.Labels = make(map[string]string, len(podTemplate.Labels))
 		pod.IPs = make([]corev1.PodIP, 0)
 		pod.Ports = make([]corev1.ContainerPort, 0, defaultPortsListSize)
-		pod.HostIP = getFakePodIP()
+		pod.HostIP = scan.IPv4LoopbackAddr
 		pod.Owner = Owner{Name: workloadName, Kind: kind, APIVersion: APIVersion}
 		for k, v := range podTemplate.Labels {
 			pod.Labels[k] = v
@@ -210,7 +207,3 @@ func namespacedName(pod *corev1.Pod) string {
 func variantFromLabelsMap(labels map[string]string) string {
 	return hex.EncodeToString(sha1.New().Sum([]byte(fmt.Sprintf("%v", labels)))) //nolint:gosec
 }
-
-func getFakePodIP() string {
-	return ipv4LoopbackAddr
-}

pkg/netpol/scan/scan.go

@@ -24,6 +24,9 @@ import (
 	"k8s.io/client-go/kubernetes/scheme"
 )
 
+// IPv4LoopbackAddr is used as fake IP in the abscence of Pod.HostIP
+const IPv4LoopbackAddr = "127.0.0.1"
+
 type ResourcesScanner struct {
 	logger      logger.Logger
 	stopOnError bool
@@ -392,6 +395,9 @@ func convertPodListTOK8sObjects(pl *v1.PodList) ([]K8sObject, error) {
 		if isValidKind, err := validateNamespaceAndKind(&pl.Items[i].Namespace, &pl.Items[i].Kind, Pod); !isValidKind {
 			return nil, err
 		}
+		if pl.Items[i].Status.HostIP == "" {
+			pl.Items[i].Status.HostIP = IPv4LoopbackAddr
+		}
 		res[i] = K8sObject{Pod: &pl.Items[i], Kind: Pod}
 	}
 	return res, nil
@@ -594,6 +600,9 @@ func parsePod(r io.Reader) *v1.Pod {
 	if isValid, err := validateNamespaceAndKind(&rc.Namespace, &rc.Kind, Pod); !isValid || err != nil {
 		return nil
 	}
+	if rc.Status.HostIP == "" {
+		rc.Status.HostIP = IPv4LoopbackAddr
+	}
 	return &rc
 }
 

tests/core_pods_without_host_ip/enable-all-traffic.yaml

@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: enable-all-traffic
+  namespace: kube-system
+spec:
+  podSelector:
+    matchLabels:
+      tier: frontend
+  policyTypes:
+    - Ingress
+  ingress:
+    - {}

tests/core_pods_without_host_ip/ns_list.yaml

@@ -0,0 +1,88 @@
+apiVersion: v1
+items:
+    - metadata:
+        labels:
+            unique-label: defaultNameSpace
+        name: default
+        resourceVersion: "11"
+        selfLink: /api/v1/namespaces/default
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        name: dlaas
+        resourceVersion: "11"
+        selfLink: /api/v1/namespaces/dlaas
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        name: url-fetcher-ns
+        resourceVersion: "11"
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        name: vendor-cert-store
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        labels:
+            unique-label: vendor-systemNameSpace
+        name: vendor-system
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        creationTimestamp: "2018-03-06T11:49:51Z"
+        name: kube-public
+        selfLink: /api/v1/namespaces/kube-public
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        annotations:
+            kubectl.kubernetes.io/last-applied-configuration: |
+                {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"name":"kube-system","namespace":""}}
+        labels:
+            unique-label: kubeSystemNameSpace
+        name: kube-system
+        resourceVersion: "127"
+        selfLink: /api/v1/namespaces/kube-system
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+    - metadata:
+        annotations:
+            kubectl.kubernetes.io/last-applied-configuration: |
+                {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"name":"kube-system","namespace":""}}
+        creationTimestamp: "2018-03-06T11:49:51Z"
+        labels:
+            unique-label: dummy
+        name: kube-system-dummy-to-ignore
+        resourceVersion: "127"
+        selfLink: /api/v1/namespaces/kube-system-dummy-to-ignore
+      spec:
+        finalizers:
+            - kubernetes
+      status:
+        phase: Active
+kind: NamespaceList
+metadata:
+    resourceVersion: "2996488"
+    selfLink: /api/v1/namespaces