[Policy Assistant] Summary Table for (B)ANP and NetPol #153

Closed
huntergregory opened this issue Oct 10, 2023 · 7 comments
Assignees
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Comments

@huntergregory
Contributor

huntergregory commented Oct 10, 2023

Requirement for #150.

Dependency: #152

Repurposing cyclonus analyze --mode=explain (see ParseMode in analyze.go). This function is also used in running the conformance tests via cyclonus generate. The function displays a summary table of all ingress rules for the set of NetworkPolicies, then all egress rules for the set.

Current Output:

$ ./cyclonus analyze --mode=explain --use-example-policies
INFO[2023-10-10T00:12:51-07:00] log level set to 'info'
explained policies:
+---------+--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+
|  TYPE   |       TARGET       |                            SOURCE RULES                             |           PEER           |       PORT/PROTOCOL       |
+---------+--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+
| Ingress | namespace: default | default/accidental-and                                              | namespace: default       | all ports, all protocols  |
|         | Match labels:      | default/accidental-or                                               | pods: Match labels:      |                           |
|         |   a: b             |                                                                     |   role: client           |                           |
+         +                    +                                                                     +--------------------------+                           +
|         |                    |                                                                     | namespace: Match labels: |                           |
|         |                    |                                                                     |   user: alice            |                           |
|         |                    |                                                                     | pods: Match labels:      |                           |
|         |                    |                                                                     |   role: client           |                           |
+         +                    +                                                                     +--------------------------+                           +
|         |                    |                                                                     | namespace: Match labels: |                           |
|         |                    |                                                                     |   user: alice            |                           |
|         |                    |                                                                     | pods: all                |                           |
+         +--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+
|         | namespace: default | default/allow-nothing-to-v2-all-web                                 | no pods, no ips          | no ports, no protocols    |
|         | Match labels:      |                                                                     |                          |                           |
|         |   all: web         |                                                                     |                          |                           |
+         +--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+
|         | namespace: default | default/allow-specific-port-from-role-monitoring-to-app-apiserver   | namespace: default       | port 5000 on protocol TCP |
|         | Match labels:      |                                                                     | pods: Match labels:      |                           |
|         |   app: apiserver   |                                                                     |   role: monitoring       |                           |
+         +--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+
|         | namespace: default | default/allow-from-app-bookstore-to-app-bookstore-role-api          | namespace: default       | all ports, all protocols  |
|         | Match labels:      |                                                                     | pods: Match labels:      |                           |
|         |   app: bookstore   |                                                                     |   app: bookstore         |                           |
|         |   role: api        |                                                                     |                          |                           |
+         +--------------------+---------------------------------------------------------------------+--------------------------+                           +
|         | namespace: default | default/allow-from-multiple-to-app-bookstore-role-db                | namespace: default       |                           |
|         | Match labels:      |                                                                     | pods: Match labels:      |                           |
|         |   app: bookstore   |                                                                     |   app: bookstore         |                           |
|         |   role: db         |                                                                     |   role: api              |                           |
+         +                    +                                                                     +--------------------------+                           +
|         |                    |                                                                     | namespace: default       |                           |
|         |                    |                                                                     | pods: Match labels:      |                           |
|         |                    |                                                                     |   app: bookstore         |                           |
|         |                    |                                                                     |   role: search           |                           |
+         +                    +                                                                     +--------------------------+                           +
|         |                    |                                                                     | namespace: default       |                           |
|         |                    |                                                                     | pods: Match labels:      |                           |
|         |                    |                                                                     |   app: inventory         |                           |
|         |                    |                                                                     |   role: web              |                           |
+         +--------------------+---------------------------------------------------------------------+--------------------------+---------------------------+

EDIT: below images are slightly outdated. See new images in further comments.

We can repurpose this for ANP (highlighting changes):
image

Example with multiple Network Policies:
image

@huntergregory huntergregory changed the title NetPol Assistant: Summary Table for (B)ANP and NetPol Policy Assistant: Summary Table for (B)ANP and NetPol Oct 31, 2023
@huntergregory
Contributor Author

Revised idea for tables:
image

@huntergregory huntergregory changed the title Policy Assistant: Summary Table for (B)ANP and NetPol [Policy Assistant] Summary Table for (B)ANP and NetPol Nov 6, 2023
@Peac36
Contributor

Peac36 commented Dec 26, 2023

Hey @huntergregory, I would like to work on this, and I believe I know what is expected here; however, I have two questions:

  • Should we print priority info for NetworkPolicyV1?
  • Are there examples (B)ANP similar to the NetworkPolicy that I can use for testing?

@Peac36
Contributor

Peac36 commented Dec 26, 2023

/assign

@huntergregory
Contributor Author

Thanks for the help with this issue @Peac36 !

For testing, there are some policies in test/integration/integration_test.go which might be helpful.

NetworkPolicyV1 doesn't quite have a priority concept. Instead, an NPv1 defines a target (based on its pod selector and the namespace it resides in) and has a list of allowed peers (e.g. for ingress, traffic goes from a peer to a target). For an isolated Pod, if any NPv1 allows ingress to the Pod, then ingress is allowed. There is similar logic for egress. This section of the documentation explains this further.

So we'll have to be creative about the action/priority column for NPv1 (I was thinking of just saying `NPv1: peers allowed` in this column).

Happy to help with any other questions/clarifications 🙂
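The NPv1 semantics described in the comment above (target = namespace + pod selector, a peer list per policy, and "if any policy allows the peer, traffic is allowed" for an isolated Pod) in executable form. This is an added example, not code from cyclonus or policy-assistant: the `Pod`, `Peer` and `Policy` types are deliberately reduced (ports are ignored, ingress rules are flattened to a peer list), and the policy names in `ExamplePolicies` are constructed for illustration rather than taken from the tool's `--use-example-policies` set. It also shows the AND/OR distinction that the `accidental-and` / `accidental-or` rows in the summary table hint at: both selectors on one peer must match, while separate peers are alternatives.

```go
package main

import "fmt"

// Labels is a flat label set, as found on a Pod or Namespace.
type Labels map[string]string

// Matches reports whether every key/value in sel is present in labels.
// An empty (non-nil) selector matches everything, as in NPv1.
func (sel Labels) Matches(labels Labels) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Pod is a reduced Pod: name, namespace, its labels and the labels of its namespace.
type Pod struct {
	Name, Namespace  string
	Labels, NSLabels Labels
}

// Peer mirrors a NetworkPolicyPeer. A nil selector means "field not set":
// with only PodSelector set, the peer is confined to the policy's own namespace;
// with both set, both must match (AND). Separate Peer entries are ORed.
type Peer struct {
	NamespaceSelector Labels
	PodSelector       Labels
}

// Policy is a reduced NetworkPolicy whose ingress rules are flattened to peers
// (ports are ignored: every peer stands for "all ports, all protocols").
type Policy struct {
	Name, Namespace string
	PodSelector     Labels
	Ingress         []Peer // nil or empty: target is isolated and nothing is allowed
}

func (p Policy) selects(dst Pod) bool {
	return dst.Namespace == p.Namespace && p.PodSelector.Matches(dst.Labels)
}

func (pr Peer) allows(src Pod, policyNS string) bool {
	if pr.NamespaceSelector == nil && pr.PodSelector == nil {
		return false // the API rejects an empty peer; treat it as matching nothing
	}
	if pr.NamespaceSelector == nil {
		if src.Namespace != policyNS {
			return false
		}
	} else if !pr.NamespaceSelector.Matches(src.NSLabels) {
		return false
	}
	return pr.PodSelector == nil || pr.PodSelector.Matches(src.Labels)
}

// IngressAllowed applies NPv1 semantics: if no policy selects dst, dst is not
// isolated and all ingress is allowed; otherwise ingress is allowed iff at least
// one selecting policy has a peer matching src. Policies never deny, so adding
// a policy for an already isolated Pod can only widen what is allowed.
func IngressAllowed(policies []Policy, src, dst Pod) (bool, string) {
	isolated := false
	for _, p := range policies {
		if !p.selects(dst) {
			continue
		}
		isolated = true
		for _, peer := range p.Ingress {
			if peer.allows(src, p.Namespace) {
				return true, "allowed by " + p.Namespace + "/" + p.Name
			}
		}
	}
	if !isolated {
		return true, "not isolated: no policy selects " + dst.Name
	}
	return false, "isolated: no selecting policy allows " + src.Name
}

// ExamplePolicies is a constructed set (hypothetical names, not cyclonus's example policies).
func ExamplePolicies() []Policy {
	target := Labels{"a": "b"}
	return []Policy{
		{Name: "and-peer", Namespace: "default", PodSelector: target,
			Ingress: []Peer{{NamespaceSelector: Labels{"user": "alice"}, PodSelector: Labels{"role": "client"}}}},
		{Name: "or-peers", Namespace: "default", PodSelector: target,
			Ingress: []Peer{{PodSelector: Labels{"role": "client"}}, {NamespaceSelector: Labels{"user": "alice"}}}},
		{Name: "allow-nothing", Namespace: "default", PodSelector: Labels{"all": "web"}},
	}
}

func main() {
	pols := ExamplePolicies()
	dst := Pod{Name: "api", Namespace: "default", Labels: Labels{"a": "b"}}
	for _, src := range []Pod{
		{Name: "alice-client", Namespace: "team-a", Labels: Labels{"role": "client"}, NSLabels: Labels{"user": "alice"}},
		{Name: "bob-client", Namespace: "team-b", Labels: Labels{"role": "client"}, NSLabels: Labels{"user": "bob"}},
		{Name: "local-client", Namespace: "default", Labels: Labels{"role": "client"}},
	} {
		ok, why := IngressAllowed(pols, src, dst)
		fmt.Printf("%-13s -> %s: %v (%s)\n", src.Name, dst.Name, ok, why)
	}
}
```

Run with `go run .`: `alice-client` is admitted by `and-peer`, `local-client` only by the pod-selector-only peer of `or-peers` (it is in the policy's own namespace), and `bob-client` is refused by both because no single peer matches it. A Pod that no policy selects is not isolated and accepts everything, which is why a "NPv1: peers allowed" column can only ever list allows, never denies.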

@Peac36
Contributor

Peac36 commented Jan 14, 2024

Thanks @huntergregory, I've just opened the PR for this. Let's continue the discussion there.

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 13, 2024
@huntergregory
Contributor Author

Fixed in #188
