Add support for ANP and BANP in the explain command #188
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
Welcome @Peac36! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @Peac36. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
Thanks for this @Peac36! We'll get to it ASAP |
| @@ -50,7 +50,7 @@ func (s *SliceBuilder) TargetsTableLines(targets []*Target, isIngress bool) { | |||
| ruleType = "Egress" | |||
| } | |||
| for _, target := range targets { | |||
| sourceRules := slice.Sort(target.SourceRules) | |||
There was a problem hiding this comment.
I recommend sorting all output so that it's:
- deterministic
- predictable for the reader
| case *IPPeerMatcher: | ||
| s.IPPeerMatcherTableLines(a) | ||
| case *PodPeerMatcher: | ||
| s.PodPeerMatcherTableLines(a, NewV1Effect(true)) | ||
| default: | ||
| panic(errors.Errorf("invalid PeerMatcher type %T", a)) | ||
| continue |
There was a problem hiding this comment.
this is an unexpected case, right? might be worth a warning at least
|
nice one @Peac36 ! thanks for posting screenshots of the output 👍 👍 !! I'll defer to @astoycos and @huntergregory <- they're the real approvers , please let me know if you'd like me to take a closer look at anything but overall I feel like this is a good patch! |
|
Thanks for making this PR @Peac36 ! Have been OOF and then got a concussion, but will aim to review this early next week! |
There was a problem hiding this comment.
Thanks again @Peac36 for tackling this important visualization piece!
You found all the code pieces nicely. The only remaining functionality is handling SameLabels and NotSameLabels.
Also, thanks for looking to improve the formatting. We will need to make sure everything is clear for every case. Along that line, could you add UTs to make sure we have expected outputs for all cases? For NPv1, I'd suggest using the example policies from cyclonus analyze --use-example-policies (believe that's the correct arg but you can also check cyclonus analyze --help).
| @@ -107,14 +107,12 @@ func LabelSelectorTableLines(selector metav1.LabelSelector) string { | |||
| } | |||
| var lines []string | |||
| if len(selector.MatchLabels) > 0 { | |||
| lines = append(lines, "Match labels:") | |||
There was a problem hiding this comment.
Can we keep this and Match expressions: ? Similarly to my previous comment, leaving this will make the output clearer imo
There was a problem hiding this comment.
Or feel free to change the wording, and we can assess outputs for both the MatchLabels case and MatchExpressions
There was a problem hiding this comment.
Let's keep it that way. We can change it later when we are sure for the output layout.
|
Thank you for the input. I'll try to resolve it as soon as possible. |
|
EDIT: removed "verdict" idea below since traffic decisions could be made by overlapping peers. About the Action column, I like the idea of adding the source there. Taking it a step further, I think we could make it quicker to glance at and hold the user's hand a little more. Since a policy's rules share the same priority, we could consolidate a policy into a single line (so long as the rules share the same ports/protocols) and explicitly point out which actions are ineffective. Example: Another example: Implementation Ideas
TestingWe should try to come up with a UT that covers these kinds of examples with multiple policies. Also, a case where a policy has multiple rules that share the same subject and namespaces, but not the same ports to help convey that output behavior. |
k8s-ci-robot
added
size/XL
|
@huntergregory - I've resolved most of the initial feedback and started working on the new implementation idea but I have a question about Source rules. Should we list all ANPs that affect this subject or we can just drop the column and add the policy name in the action column? |
|
Thanks @Peac36. I'm thinking to list all ANPs that affect this subject to keep in-line with the previous design. For context, here are those example policies I referenced before, and the previous output for NPv1: |
|
@Peac36 btw would you mind continuing the PR in separate commits? Will make it easier to review/track changes |
|
Also @Peac36, we're planning to record a demo in a week or so for the Policy Assistant. Would be awesome to showcase your work! I'd like to give you a shoutout in a slide for our upcoming KubeCon presentation, similar to slide 25 here from the Fall. Feel free to join the Kubernetes Slack workspace -> sig-network-policy-api channel and DM me there! |
Sure.
Awesome. I'm almost ready with the grouping of the ANPs and after that, I'll take care of the BANPs and the tests. I will be ready with the whole thing probably on Monday. I hope this is OK for you guys. |
Peac36
force-pushed
the
update/153
branch
3 times, most recently
from
5c73100 to
c5db850
Compare
|
Hey @huntergregory I'm ready with the feedback and implementation of the idea you gave. Here is a short preview.
Added tests for
Let me know if you have more ideas for tests. |
There was a problem hiding this comment.
Thanks @Peac36 the screenshot looks really good. Can we flip the ordering for priorities in Action column? Highest priority (lowest pri number) coming first.
Had a few thoughts on simplifying implementation. My main goal is to keep parallels with NPv1 where possible, and to minimize change to NPv1 and functionality outside the summary table.
Also, thanks for adding tests. So I was thinking, to prevent regressions, it'd be nice to just have maybe one integration test comparing the output of cyclonus analyze --mode explain to an expected table (including NPv1).
Pretty simple, just something like this as a regular UT (no need for gomega?) in a new file test/integration/explain_test.go:
tableOutput := policy.ExplainTable()
expectedTable := """---------------------------
| Name | Subject | Action |
| abc | ns=x | allow |
---------------------------
require.Equal(t, expectedTable, tableOutput)
"""
Also, we don't have a PR check for it yet. Could you run go test . in both test/integration/ and pkg/matcher/ directories to make sure previous tests are all green?
| @@ -87,6 +89,8 @@ func SetupAnalyzeCommand() *cobra.Command { | |||
| func RunAnalyzeCommand(args *AnalyzeArgs) { | |||
| // 1. read policies from kube | |||
| var kubePolicies []*networkingv1.NetworkPolicy | |||
| var kubeANPs []*v1alpha1.AdminNetworkPolicy | |||
There was a problem hiding this comment.
for a follow-up PR: set these via CLI (#201)
| default: | ||
| panic(errors.Errorf("invalid PeerMatcher type %T", a)) | ||
| s.PodPeerMatcherTableLines(t, NewV1Effect(true), "") | ||
| case *PeerMatcherAdmin: |
There was a problem hiding this comment.
simplification idea: before this function, combine all ANPs + BANPs sharing the same subject into one target using BuildV1AndV2NetPols(simplify=true). Then at this case in the switch statement, we know this is an admin target. Let's make a separate function call here to render the target's peers, and break out of the current for loop
There was a problem hiding this comment.
Within this function call, we can group by PeerMatchers by Peer and Port
Peac36
force-pushed
the
update/153
branch
5 times, most recently
from
8fdff90 to
82478cb
Compare
|
@huntergregory - Can you review it again? I refactor it based on your feedback. So instead of grouping in the parsing stage, I introduced a new struct that combines all anps and bansp before printing stage. The code is much simpler now
All green.
Done. Added a test for printing anps and banps as well. |
There was a problem hiding this comment.
Thanks for simplifying @Peac36, this will help us in the long run. And thanks for working on this quickly. Let's address a couple questions/nits and then we can get this merged. Would you be able to tackle these ASAP?
Seeing a few discrepancies between your last screenshot and the text in your integration test. Do you know why? Which is correct?
Before:
After:
|
Thanks for the feedback @huntergregory. Already fixed some of them, however, I'll need some more - probably later tomorrow will be able to resolve them all. About the discrepancies - the issue came from here: I missed including the namespace selector when building the map key so the grouping was incorrect. Here is the result after the fix. Please note that I made some changed to the Banp so the result should not be the same as the one from previous examples. |
|
@huntergregory - I've resolved your last feedback. |
There was a problem hiding this comment.
Awesome thank you @Peac36 !!
/lgtm
@mattfenwick could we get your seal of approval? Also going to raise a PR to add myself to cmd/policy-assistant/OWNERS.
|
Andrew added me as owner actually, let’s see if this works 😆 /lgtm /approve |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: huntergregory, Peac36 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
I know it's too late but I'll do it anyway! /lgtm great work @Peac36 , I love where y'all are taking this! |
|
Congrats @Peac36 on the first policy assistant PR! Just messaged you on Slack about something for tomorrow (Monday) if you have time |
|
Fixed #153 |
Issue: #153
These images are based on the following files:
Also made some modifications to the original requirements: