From 0c2712923e52fced97f1b873510209dcf95b34d7 Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 9 Jun 2024 12:03:01 +0300 Subject: [PATCH] HC optimization finalization - phase 3 (#723) * Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya * Fixed lint errors. Signed-off-by: Tanya * Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya * Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. Signed-off-by: Tanya * Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya * Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya * Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya * More optimization in calculation partial ns grouping. Signed-off-by: Tanya * Fixed lint error Signed-off-by: Tanya * Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya * One more refinemenet of basic namespace grouping Signed-off-by: Tanya * One more refinemenet of basic namespace grouping Signed-off-by: Tanya * More refinemenets of peer grouping from properties Signed-off-by: Tanya * More refinemenets of peer grouping from properties Signed-off-by: Tanya * More refinements of peer grouping from properties Signed-off-by: Tanya * Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya * Fixing lint errors. 
Signed-off-by: Tanya * Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya * Fixing lint error Signed-off-by: Tanya * Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya * Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya * Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya * Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya * Changed expected results of connectivity map query tests according to optimized runs Signed-off-by: Tanya * Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya * Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya * Updated containment, permits, forbids expected results. Signed-off-by: Tanya * Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya * Fixed lint error. Signed-off-by: Tanya * Changed default to be the optimized run. Signed-off-by: Tanya * In opt='debug' the result explanation should ne according to the optimized run. Signed-off-by: Tanya * Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya * Updating more expected results. Signed-off-by: Tanya * Small optimizations. Signed-off-by: Tanya * Initial implementation of building and minimizing fw-rules directly from connectivity properties. Signed-off-by: Tanya * Fixed lint errors. Signed-off-by: Tanya * Updating (some of) expected results for explainability queries, according to more condensed optimized output. Signed-off-by: Tanya * Fixed converting fw-rules to connectivity properties, while taking into account TCP/non-TCP protocol restriction. 
Signed-off-by: Tanya * Optimized handling IpBlocks in optimized fw-rules minimization Signed-off-by: Tanya * Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya * Optimized initial namespace grouping (by grouping few namespaces together, according to grouping in cubes). Also, added grouping by labels to initial grouping. Signed-off-by: Tanya * More optimization in calculation partial ns grouping. Signed-off-by: Tanya * Fixed lint error Signed-off-by: Tanya * Refining basic namespace grouping by finding more opportunities to use properties in containing connections. Signed-off-by: Tanya * One more refinemenet of basic namespace grouping Signed-off-by: Tanya * One more refinemenet of basic namespace grouping Signed-off-by: Tanya * More refinemenets of peer grouping from properties Signed-off-by: Tanya * More refinemenets of peer grouping from properties Signed-off-by: Tanya * More refinements of peer grouping from properties Signed-off-by: Tanya * Added outputEndpoints option handling to PeerSetElement. Refined ns-set pairs grouping computation -trying starting from src_peers and from dst_peers and choosing a more compact grouping. Added grouping by full IpBlock. Signed-off-by: Tanya * Fixing lint errors. Signed-off-by: Tanya * Fixing handling txt-no_fw_rules format in the optimized solution Signed-off-by: Tanya * Fixing lint error Signed-off-by: Tanya * Fix: taking into account connectivity restriction (TCP/non-TCP) in generation of dot output in optimized solution Signed-off-by: Tanya * Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya * Small fixes in txt_no_fw_rules_format Signed-off-by: Tanya * Added grouping by dns entries to the optimized algorithm. Signed-off-by: Tanya * Changed expected results of connectivity map query tests according to optimized runs 
Signed-off-by: Tanya * Changed optimized semantic diff query implementation according to the optimized fw-rules minimization algorithm. Fixed get_connection_set_and_peers_from_cube. Changed some of the expected results of semantic diff tests. Signed-off-by: Tanya * Keeping every dns entry separate in minimization of fw rules. Updated more semantic diff expected results. Signed-off-by: Tanya * Updated containment, permits, forbids expected results. Signed-off-by: Tanya * Cleaning up unused code and refactoring accordingly. Signed-off-by: Tanya * Fixed lint error. Signed-off-by: Tanya * Changed default to be the optimized run. Signed-off-by: Tanya * In opt='debug' the result explanation should be according to the optimized run. Signed-off-by: Tanya * Restoring resource in scheme, changed by mistake. Signed-off-by: Tanya * Updating more expected results. Signed-off-by: Tanya * Small optimizations. Signed-off-by: Tanya * Small optimizations. Signed-off-by: Tanya * Removed disjoint_ip_blocks from optimized solution Signed-off-by: Tanya * Optimization: adding auto-connections to covered_peer_props (in fw-rules minimization) only if the number of peers is not too high, to avoid long run of these auto-connections calculation. Signed-off-by: Tanya * Optimization: adding resources to global resource/namespace/pod list in test schemes (instead of putting them only in configurations), to avoid trying to load resources from live cluster, which is time-consuming. Signed-off-by: Tanya * Deleted unused original implementation code. Changed number of expected warnings (see Issue https://github.com/IBM/network-config-analyzer/issues/724) Signed-off-by: Tanya * Further refining code by deleting unused original implementation code. Signed-off-by: Tanya * Removed usage of ConnectionSet. Signed-off-by: Tanya * Fixed lint errors. Fixed small error. Signed-off-by: Tanya * Fixed sorting ConnectivityProperties (making stable sort). Consequently, fixed expected results
Signed-off-by: Tanya * Fixed handling TCP / non-TCP connections output. Signed-off-by: Tanya * More fixed expected results. Signed-off-by: Tanya * More fixed expected results. Small fix in printing TCP connections in dot format. Signed-off-by: Tanya * Added some doc Signed-off-by: Tanya * Removed no longer used named_ports and excluded_named_ports in ConnectivityProperties. Removed outdated unit tests. Signed-off-by: Tanya * Small fixes Signed-off-by: Tanya * Updates of some more expected results. Removed --optimized_run flag. Removed ConnectionSet class. Signed-off-by: Tanya * Fixed lint errors. Removed original-to-optimized-comparison workflows from test-push. Signed-off-by: Tanya * Small fix. Signed-off-by: Tanya * Small fix. Signed-off-by: Tanya * Some more refactoring of FWRule minimization code. Signed-off-by: Tanya * Fixed lint error. Signed-off-by: Tanya --------- 
Signed-off-by: Tanya --- .github/workflows/test-push.yml | 53 - nca/CoreDS/ConnectionSet.py | 584 ----------- nca/CoreDS/ConnectivityProperties.py | 252 ++--- nca/CoreDS/DimensionsManager.py | 2 +- nca/CoreDS/Peer.py | 34 - nca/CoreDS/ProtocolSet.py | 26 + nca/FWRules/ConnectivityGraph.py | 151 +-- nca/FWRules/DotGraph.py | 21 +- nca/FWRules/FWRule.py | 34 +- nca/FWRules/MinimizeBasic.py | 169 --- ...zeCsFWRulesOpt.py => MinimizeCsFWRules.py} | 200 ++-- nca/FWRules/MinimizeFWRules.py | 692 ++---------- nca/NetworkConfig/NetworkConfig.py | 103 +- nca/NetworkConfig/NetworkConfigQuery.py | 985 ++---------------- nca/NetworkConfig/NetworkLayer.py | 152 +-- nca/NetworkConfig/PoliciesFinder.py | 9 +- nca/NetworkConfig/QueryOutputHandler.py | 23 +- nca/NetworkConfig/ResourcesHandler.py | 23 +- nca/Parsers/CalicoPolicyYamlParser.py | 110 +- nca/Parsers/GenericGatewayYamlParser.py | 8 +- nca/Parsers/IstioGatewayPolicyGenerator.py | 9 +- nca/Parsers/IstioPolicyYamlParser.py | 15 +- nca/Parsers/K8sPolicyYamlParser.py | 56 +- .../PolicyResources/CalicoNetworkPolicy.py | 129 +-- .../PolicyResources/GatewayPolicy.py | 81 +- .../PolicyResources/IstioNetworkPolicy.py | 91 +- nca/Resources/PolicyResources/IstioSidecar.py | 82 +- .../PolicyResources/K8sNetworkPolicy.py | 87 +- .../PolicyResources/NetworkPolicy.py | 155 +-- nca/SchemeRunner.py | 28 +- nca/Utils/ExplTracker.py | 4 +- nca/nca_cli.py | 26 +- .../testcase15-ports/testcase15-scheme.yaml | 2 +- .../testcase15-with-ingress-scheme.yaml | 2 +- ...obal-interferes-local-print-all-pairs.json | 2 +- ...lobal-interferes-local-print-all-pairs.txt | 2 +- ...obal-interferes-local-print-all-pairs.yaml | 2 +- ...and-sub-deny-not-equiv-all-peer-pairs.json | 2 +- ...-and-sub-deny-not-equiv-all-peer-pairs.txt | 2 +- ...and-sub-deny-not-equiv-all-peer-pairs.yaml | 2 +- ...stcase15_with_ingress_connectivity_map.txt | 28 +- .../testcase16-scheme_output.txt | 2 +- .../testcase18_connectivity_map.txt | 4 +- 
...case25_mix_k8s_calico_connectivity_map.txt | 2 +- ...se25_mix_k8s_calico_connectivity_map_2.txt | 2 +- ...-1-k8s-calico-istio-2_connectivity_map.txt | 2 +- ...alico-istio-ingress-2_connectivity_map.txt | 6 +- ...-calico-istio-ingress_connectivity_map.txt | 4 +- ...ig-1-k8s-calico-istio_connectivity_map.txt | 4 +- ...g-1-k8s-istio-ingress_connectivity_map.txt | 4 +- ...nfig-1-calico-ingress-config-allow-all.txt | 4 +- .../testcase8-semantic-diff-query.txt | 2 +- .../testConnectivityPropertiesNamedPorts.py | 90 -- .../basic_semantic_diff_csv_query_output.txt | 6 +- .../basic_semantic_diff_md_query_output.txt | 6 +- .../basic_semantic_diff_query_output.txt | 6 +- .../basic_semantic_diff_yaml_query_output.txt | 31 +- .../helm_test_multi_chart.txt | 14 +- .../helm_test_one_chart.txt | 6 +- ...elm_test_resolved_yaml_in_template_dir.txt | 6 +- .../helm_test_resolved_yaml_inside_chart.txt | 6 +- .../helm_test_resolved_yaml_next_to_chart.txt | 6 +- ...est_resolved_yaml_next_to_multi_charts.txt | 8 +- .../livesim_test_all_dot.dot | 14 +- .../livesim_test_all_txt.txt | 6 +- .../poc1_expl_output.txt | 28 +- .../test4_expl_output.txt | 6 +- .../calico-testcase13-scheme_output.txt | 2 +- .../calico-testcase13-scheme_output.yaml | 3 +- .../calico-testcase14-scheme_output.txt | 2 +- .../calico-testcase14-scheme_output.yaml | 11 +- .../calico-testcase15-scheme_output.txt | 2 +- .../calico-testcase15-scheme_output.yaml | 31 +- ...lico-testcase20-Eran_gnps_query_output.txt | 6 +- ...ico-testcase20-Eran_gnps_query_output.yaml | 86 +- ...ivity_map_FirstDenySubset_query_output.txt | 2 +- ...vity_map_FirstDenySubset_query_output.yaml | 2 +- ...ty_map_firstAllowSuperSet_query_output.txt | 2 +- ...y_map_firstAllowSuperSet_query_output.yaml | 2 +- ...onnectivity_map_onlyAllow_query_output.txt | 2 +- ...nnectivity_map_onlyAllow_query_output.yaml | 2 +- ...onnectivity_map_denyFirst_query_output.txt | 2 +- ...nnectivity_map_denyFirst_query_output.yaml | 19 +- 
...vity_test_methods_basic_1_query_output.txt | 2 +- ...ity_test_methods_basic_1_query_output.yaml | 26 +- ...vity_test_methods_basic_2_query_output.txt | 4 +- ...ity_test_methods_basic_2_query_output.yaml | 24 +- ...vity_test_methods_paths_1_query_output.txt | 2 +- ...ity_test_methods_paths_1_query_output.yaml | 112 +- ...ty_test_operation_allow_1_query_output.txt | 2 +- ...y_test_operation_allow_1_query_output.yaml | 26 +- ...ity_test_operation_deny_1_query_output.txt | 4 +- ...ty_test_operation_deny_1_query_output.yaml | 40 +- .../istio-test1-scheme_query1_output.txt | 4 +- .../istio-test1-scheme_query1_output.yaml | 6 +- .../istio-test1-scheme_query2_output.txt | 6 +- .../istio-test1-scheme_query2_output.yaml | 9 +- .../expected_output/poc1-scheme_output.csv | 24 +- .../expected_output/poc1-scheme_output.dot | 36 +- .../expected_output/poc1-scheme_output.md | 24 +- .../expected_output/poc1-scheme_output.txt | 24 +- .../expected_output/poc1-scheme_output.yaml | 48 +- .../expected_output/poc2-scheme_output.txt | 28 +- .../expected_output/poc2-scheme_output.yaml | 108 +- .../expected_output/poc3-scheme_output.txt | 28 +- .../expected_output/poc3-scheme_output.yaml | 56 +- ...4_scheme_connectivity_map_query_output.txt | 28 +- ..._scheme_connectivity_map_query_output.yaml | 108 +- ...e_semantic_diff_poc4_poc3_query_output.txt | 2 +- ..._semantic_diff_poc4_poc3_query_output.yaml | 4 +- .../port_aggregation-scheme_output.txt | 2 +- .../port_aggregation-scheme_output.yaml | 64 +- ..._diff_a_to_b_with_ipBlock_query_output.csv | 2 +- ...c_diff_a_to_b_with_ipBlock_query_output.md | 2 +- ..._diff_a_to_b_with_ipBlock_query_output.txt | 2 +- ...diff_a_to_b_with_ipBlock_query_output.yaml | 22 +- ...ic_diff_ipblocks__np1_np4_query_output.csv | 2 +- ...tic_diff_ipblocks__np1_np4_query_output.md | 2 +- ...ic_diff_ipblocks__np1_np4_query_output.txt | 2 +- ...c_diff_ipblocks__np1_np4_query_output.yaml | 18 +- ...diff_ipblocks_equivalence_query_output.csv | 8 +- 
..._diff_ipblocks_equivalence_query_output.md | 8 +- ...diff_ipblocks_equivalence_query_output.txt | 8 +- ...iff_ipblocks_equivalence_query_output.yaml | 16 +- ...tic_diff_ipblocks_np1_np2_query_output.csv | 4 +- ...ntic_diff_ipblocks_np1_np2_query_output.md | 4 +- ...tic_diff_ipblocks_np1_np2_query_output.txt | 4 +- ...ic_diff_ipblocks_np1_np2_query_output.yaml | 8 +- ...ports_np1_and_np2_by_pods_query_output.txt | 4 +- ...f_named_ports_np1_and_np2_query_output.csv | 4 +- ...ff_named_ports_np1_and_np2_query_output.md | 4 +- ...f_named_ports_np1_and_np2_query_output.txt | 4 +- ..._named_ports_np1_and_np2_query_output.yaml | 8 +- .../semantic_diff_old1_new1_query_output.csv | 4 +- .../semantic_diff_old1_new1_query_output.md | 4 +- .../semantic_diff_old1_new1_query_output.txt | 4 +- .../semantic_diff_old1_new1_query_output.yaml | 12 +- .../semantic_diff_old1_new1a_query_output.csv | 4 +- .../semantic_diff_old1_new1a_query_output.md | 4 +- .../semantic_diff_old1_new1a_query_output.txt | 4 +- ...semantic_diff_old1_new1a_query_output.yaml | 20 +- ...ld1_new1a_txt_no_fw_rules_query_output.txt | 6 +- .../semantic_diff_old2_new2_query_output.csv | 4 +- .../semantic_diff_old2_new2_query_output.json | 20 +- .../semantic_diff_old2_new2_query_output.md | 4 +- .../semantic_diff_old2_new2_query_output.txt | 4 +- .../semantic_diff_old2_new2_query_output.yaml | 20 +- .../semantic_diff_poc-scheme_output.csv | 26 +- .../semantic_diff_poc-scheme_output.md | 26 +- .../semantic_diff_poc-scheme_output.txt | 26 +- .../semantic_diff_poc-scheme_output.yaml | 216 ++-- .../expected_output/test12-scheme_output.txt | 2 +- .../expected_output/test12-scheme_output.yaml | 27 +- .../expected_output/test16-scheme_output.txt | 2 +- .../expected_output/test16-scheme_output.yaml | 66 +- .../expected_output/test2-scheme_output.txt | 4 +- .../expected_output/test2-scheme_output.yaml | 54 +- .../expected_output/test23-scheme_output.txt | 2 +- .../expected_output/test23-scheme_output.yaml | 12 +- 
.../expected_output/test24-scheme_output.txt | 2 +- .../expected_output/test24-scheme_output.yaml | 12 +- .../expected_output/test3-scheme_output.txt | 2 +- .../expected_output/test3-scheme_output.yaml | 24 +- ...scheme_query_connectivity_map_3_output.csv | 2 +- ...scheme_query_connectivity_map_3_output.dot | 4 +- ...-scheme_query_connectivity_map_3_output.md | 2 +- ...scheme_query_connectivity_map_3_output.txt | 2 +- ...cheme_query_connectivity_map_3_output.yaml | 24 +- ...scheme_query_connectivity_map_4_output.csv | 8 +- ...scheme_query_connectivity_map_4_output.dot | 14 +- ...-scheme_query_connectivity_map_4_output.md | 8 +- ...scheme_query_connectivity_map_4_output.txt | 8 +- ...cheme_query_connectivity_map_4_output.yaml | 88 +- .../semantic_diff_namedPorts-scheme.yaml | 2 +- ...info-test-sidecar-connectivity-scheme.yaml | 2 + ...emptiness-redundancy-w-sidecar-scheme.yaml | 2 + .../online_boutique/connectivity-scheme.yaml | 34 +- ...boutique_multi_layer_from_live_cluster.txt | 28 +- ...est-connectivity-map-missing-resources.dot | 70 +- ...-and-k8s-ingress-test-connectivity-map.dot | 70 +- ...est-connectivity-map-missing-resources.dot | 38 +- ...ex-istio-ingress-test-connectivity-map.dot | 38 +- ...est-connectivity-map-missing-resources.dot | 34 +- ...-k8s-ingress-all-test-connectivity-map.dot | 34 +- ...est-connectivity-map-missing-resources.dot | 18 +- ...-ingress-cluster-test-connectivity-map.dot | 18 +- ...onnectivity-map-with-missing-resources.dot | 18 +- ...plex-k8s-ingress-test-connectivity-map.dot | 18 +- ...nectivity-bookinfo-demo-by-deployments.dot | 10 +- .../connectivity-bookinfo-demo-by-pods.dot | 10 +- ...tivity_map_of_onlineboutique_resources.txt | 20 +- ...boutique_resources_with_istio_gateways.txt | 24 +- ...uiv_configs_w_sidecars_different_hosts.txt | 2 +- ...ly_istio_ingress_test_connectivity_map.txt | 4 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- .../istio_egress_test_connectivity_map.txt | 4 +- 
.../istio_ingress_test_connectivity_map.txt | 6 +- .../new_online_boutique_connectivity_map.txt | 26 +- ...ne_boutique_synth_res_connectivity_map.txt | 20 +- ...es_connectivity_map_with_baseline_rule.txt | 18 +- ...synth_res_connectivity_map_wo_fw_rules.txt | 390 +++---- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- ...online_boutique_new_input_vs_synth_res.txt | 32 +- ...w_synth_res_vs_synth_with_baseline_res.txt | 2 +- ...emantic_diff_sidecars_added_conns_test.txt | 4 +- ...semantic_diff_sidecars_lost_conns_test.txt | 2 +- ...ars-and-gateways-test-connectivity-map.txt | 6 +- ...nfigs_w_sidecars_different_hosts_types.txt | 2 +- tests/k8s_cmdline_tests.yaml | 7 - .../demo_short/demo2-scheme.yaml | 5 +- .../ipblockstest/test-scheme.yaml | 7 +- .../namedPorts/namedPorts-scheme.yaml | 2 +- .../test-no-fw-rules-scheme.yaml | 3 +- .../namedPorts-scheme.yaml | 2 +- .../ipblocktest-conn-graph-no-fw-rules.txt | 940 ++++++++--------- .../k8s_ingress_test_connectivity_map.txt | 2 +- .../new_online_boutique_connectivity_map.txt | 20 +- ...outique_synthesis_res_connectivity_map.txt | 22 +- .../onlineboutique-conn-graph-no-fw-rules.txt | 50 +- ...outique_synthesis_res_connectivity_map.txt | 28 +- ...antic_diff_a_to_b_different_topologies.txt | 34 +- ...ue_new_synthesized_vs_orig_synthesized.txt | 8 +- ...online_boutique_new_vs_synthesized_new.txt | 2 +- .../services1_connectivity_map.txt | 4 +- tests/run_all_tests.py | 67 +- 225 files changed, 2925 insertions(+), 5941 deletions(-) delete mode 100644 nca/CoreDS/ConnectionSet.py delete mode 100644 nca/FWRules/MinimizeBasic.py rename nca/FWRules/{MinimizeCsFWRulesOpt.py => MinimizeCsFWRules.py} (77%) diff --git a/.github/workflows/test-push.yml b/.github/workflows/test-push.yml index fd8aa7a12..04ce53c6c 100644 --- a/.github/workflows/test-push.yml +++ b/.github/workflows/test-push.yml 
@@ -87,27 +87,6 @@ jobs:
 name: k8s-failed-run-time-check-file
 path: ./tests/k8s_tests_failed_runtime_check.csv
 if-no-files-found: ignore
- k8s-tests-orig-vs-opt-comparison:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: ./.github/actions/setup-nca-env
- name: install helm
- run: |
- curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
- chmod 700 get_helm.sh
- sudo ./get_helm.sh
- name: Run k8s tests
- env:
- GHE_TOKEN: ${{ github.token }}
- PYTHONPATH: .
- run: python tests/run_all_tests.py --type=general --category=k8s --hc_opt=debug | tee tests/k8s_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0
- name: upload run_k8s_tests log
- if: ${{ always() }}
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
- with:
- name: k8s-cmp-log
- path: tests/k8s_cmp_log.txt
 calico-tests:
 runs-on: ubuntu-latest
 steps:
@@ -131,22 +110,6 @@ jobs:
 name: calico-failed-run-time-check-file
 path: ./tests/calico_tests_failed_runtime_check.csv
 if-no-files-found: ignore
- calico-tests-orig-vs-opt-comparison:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: ./.github/actions/setup-nca-env
- name: Run calico tests
- env:
- GHE_TOKEN: ${{ github.token }}
- PYTHONPATH: .
- run: python tests/run_all_tests.py --type=general --category=calico --hc_opt=debug | tee tests/calico_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0
- name: upload run_calico_tests log
- if: ${{ always() }}
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
- with:
- name: calico-cmp-log
- path: tests/calico_cmp_log.txt
 istio-tests:
 runs-on: ubuntu-latest
 steps:
@@ -170,22 +133,6 @@ jobs:
 name: istio-failed-run-time-check-file
 path: ./tests/istio_tests_failed_runtime_check.csv
 if-no-files-found: ignore
- istio-tests-orig-vs-opt-comparison:
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- - uses: ./.github/actions/setup-nca-env
- name: Run istio tests
- env:
- GHE_TOKEN: ${{ github.token }}
- PYTHONPATH: .
- run: python tests/run_all_tests.py --type=general --category=istio --hc_opt=debug | tee tests/istio_cmp_log.txt ; test ${PIPESTATUS[0]} -eq 0
- name: upload run_istio_tests log
- if: ${{ always() }}
- uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3
- with:
- name: istio-cmp-log
- path: tests/istio_cmp_log.txt
 fw-rules-assertion-tests:
 runs-on: ubuntu-latest
 steps:
diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py
deleted file mode 100644
index 42d44d26c..000000000
--- a/nca/CoreDS/ConnectionSet.py
+++ /dev/null
@@ -1,584 +0,0 @@ -# -# Copyright 2020- IBM Inc. All rights reserved -# SPDX-License-Identifier: Apache2.0 -# - -from .CanonicalIntervalSet import CanonicalIntervalSet -from .ConnectivityProperties import ConnectivityProperties -from .ProtocolNameResolver import ProtocolNameResolver -from .ProtocolSet import ProtocolSet - - -class ConnectionSet: - """ - This class holds a set of connections and allows several manipulations on this set such as union, intersection, ... - """ - _icmp_protocols = {1, 58} - port_supporting_protocols = {6, 17, 132} - _max_protocol_num = 255 - _min_protocol_num = 0 - - def __init__(self, allow_all=False): - self.allowed_protocols = {} # a map from protocol number (0-255) to allowed properties (ports, icmp) - self.allow_all = allow_all # Shortcut to represent all connections, and then allowed_protocols is to be ignored - - def __bool__(self): - return self.allow_all or bool(self.allowed_protocols) - - def __eq__(self, other): - if isinstance(other, ConnectionSet): - return self.allow_all == other.allow_all and self.allowed_protocols == other.allowed_protocols - return False - - def __lt__(self, other): - if self.allow_all: - return False - if other.allow_all: - return True - if len(self.allowed_protocols) != len(other.allowed_protocols): - return len(self.allowed_protocols) < len(other.allowed_protocols) - return str(self) < str(other) - - def __hash__(self): - return hash((frozenset(self.allowed_protocols.keys()), self.allow_all)) - - def get_simplified_connections_representation(self, is_str, use_complement_simplification=True): - """ - Get a simplified representation of the connection set - choose shorter version between self and its complement. - representation as str is a string representation, and not str is representation as list of objects. - The representation is used at fw-rules representation of the connection. 
- :param bool is_str: should get str representation (True) or list representation (False) - :param bool use_complement_simplification: should choose shorter rep between self and complement - :return: the required representation of the connection set - :rtype Union[str, list] - """ - if self.allow_all or not self.allowed_protocols: - return self._get_connections_representation(is_str) - self_rep = self._get_connections_representation(is_str) - if not use_complement_simplification: - return self_rep - # check the alternative of the complement - complement = ConnectionSet(True) - self - complement_rep = complement._get_connections_representation(is_str) - if len(complement_rep) < len(self_rep): - return f'All but {complement_rep}' if is_str else [{"All but": complement_rep}] - return self_rep - - def _get_connections_representation(self, is_str): - """ - get the required representation of the connection set (str or list) for fw-rules output - :param bool is_str: should get str representation (True) or list representation (False) - :return: the required representation of the connection set - :rtype Union[str, list] - """ - if self.allow_all or not self.allowed_protocols: - return str(self) if is_str else [str(self)] - res = [] - protocols_ranges = CanonicalIntervalSet() - protocols = self.allowed_protocols - if is_str: - # aggregate specific representations: - protocols, aggregated_properties_txt = self._aggregate_connection_representation(self.allowed_protocols) - if aggregated_properties_txt != '': - res.append(aggregated_properties_txt) - for protocol in sorted(protocols): - if ProtocolNameResolver.is_standard_protocol(protocol): - protocol_text = ProtocolNameResolver.get_protocol_name(protocol) - properties = protocols[protocol] - res.append(self._get_protocol_with_properties_representation(is_str, protocol_text, properties)) - else: - # collect allowed protocols numbers into ranges - # assuming no properties objects for protocols numbers - 
protocols_ranges.add_interval(CanonicalIntervalSet.Interval(protocol, protocol)) - if protocols_ranges: - res += self._get_protocols_ranges_representation(is_str, protocols_ranges) - return ','.join(s for s in res) if is_str else res - - @staticmethod - def _aggregate_connection_representation(protocols): - """ - Aggregate shared properties of the protocols, for better human understanding. - :param dict protocols: a map from protocol number (1-255) to allowed properties - :return: dict protocols_not_aggregated: the rest of the protocol data that was not aggregated. - :return: str aggregation_results: a string of the aggregated representation - """ - protocols_not_aggregated = protocols - aggregation_results = '' - - # handle TCP+UDP ports aggregation (do not handle range segmentation overlapping) - tcp_protocol_number = ProtocolNameResolver.get_protocol_number('TCP') - udp_protocol_number = ProtocolNameResolver.get_protocol_number('UDP') - tcp_protocol = protocols_not_aggregated.get(tcp_protocol_number) - udp_protocol = protocols_not_aggregated.get(udp_protocol_number) - if tcp_protocol and udp_protocol and tcp_protocol.active_dimensions and \ - udp_protocol.active_dimensions == tcp_protocol.active_dimensions: - aggregation_results, protocols_not_aggregated = ConnectionSet._aggregate_pair_protocols(protocols_not_aggregated, - tcp_protocol_number, - udp_protocol_number) - if aggregation_results != '': # can be empty when all properties are allowed for both protocols - aggregation_results = 'TCP+UDP ' + aggregation_results - - # handle future aggregations here - - return protocols_not_aggregated, aggregation_results - - @staticmethod - def _aggregate_pair_protocols(protocols, protocol_number1, protocol_number2): - """ - Handles aggregation of 2 protocols' properties - :param protocols: The protocol dictionary so we can remove empty protocols after aggregation - :param protocol_number1: first protocol number to aggregate with the second - :param protocol_number2: 
second protocol number to aggregate - :return: str aggregated_properties: a string of the aggregated properties - :return: dict protocols_not_aggregated: the rest of the protocol data that was not aggregated. - """ - protocols_not_aggregated = protocols - aggregated_properties = protocols_not_aggregated[protocol_number1] & protocols_not_aggregated[protocol_number2] - if not aggregated_properties: - return '', protocols_not_aggregated - - protocol1_dif = protocols_not_aggregated[protocol_number1] - protocols_not_aggregated[protocol_number2] - protocol2_dif = protocols_not_aggregated[protocol_number2] - protocols_not_aggregated[protocol_number1] - protocols_not_aggregated = protocols.copy() - if protocol1_dif: - protocols_not_aggregated[protocol_number1] = protocol1_dif - else: - del protocols_not_aggregated[protocol_number1] - - if protocol2_dif: - protocols_not_aggregated[protocol_number2] = protocol2_dif - else: - del protocols_not_aggregated[protocol_number2] - - return str(aggregated_properties), protocols_not_aggregated - - @staticmethod - def _get_protocol_with_properties_representation(is_str, protocol_text, properties): - """ - :param bool is_str: should get str representation (True) or list representation (False) - :param str protocol_text: str description of protocol - :param Union[bool, ConnectivityProperties] properties: properties object of the protocol - :return: representation required for a given pair of protocol and its properties - :rtype: Union[dict, str] - """ - if not is_str: - protocol_obj = {'Protocol': protocol_text} - if not isinstance(properties, bool): - protocol_obj.update(properties.get_properties_obj()) - return protocol_obj - # for str representation: - return protocol_text if isinstance(properties, bool) else ' '.join(filter(None, [protocol_text, str(properties)])) - - @staticmethod - def _get_protocols_ranges_representation(is_str, protocols_ranges): - """ - :param bool is_str: should get str representation (True) or list 
representation (False) - :param protocols_ranges: - :return: - :rtype: list - """ - if is_str: - return [f'protocols numbers: {protocols_ranges}'] - res = [] - for protocols_range in protocols_ranges.get_interval_set_list_numbers_and_ranges(): - res.append({'Protocol': protocols_range}) - return res - - def __str__(self): - if self.allow_all: - return "All connections" - if not self.allowed_protocols: - return 'No connections' - - if len(self.allowed_protocols) == 1: - protocol_num = next(iter(self.allowed_protocols)) - protocol_text = 'Protocol: ' + ProtocolNameResolver.get_protocol_name(protocol_num) - properties = self.allowed_protocols[protocol_num] - properties_text = '' - if not isinstance(properties, bool) and str(properties): - properties_text = ', ' + str(properties) - return protocol_text + properties_text - - protocol_text = 'Protocols: ' - for idx, protocol in enumerate(self.allowed_protocols.keys()): - if idx > 0: - protocol_text += ', ' - protocol_text += ProtocolNameResolver.get_protocol_name(protocol) - - # add properties: - properties = self.allowed_protocols[protocol] - properties_text = '' - if not isinstance(properties, bool): - properties_text = ', ' + str(properties) - protocol_text += properties_text - return protocol_text - - def __and__(self, other): - if other.allow_all: - return self.copy() - if self.allow_all: - return other.copy() - - res = ConnectionSet() - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - conjunction = properties & other.allowed_protocols[key] - if conjunction: - res.allowed_protocols[key] = conjunction - - return res - - def __or__(self, other): - res = ConnectionSet() - if self.allow_all or other.allow_all: - res.allow_all = True - return res - - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - res.allowed_protocols[key] = properties | other.allowed_protocols[key] - else: - res.allowed_protocols[key] = 
self.copy_properties(properties) - - for key, properties in other.allowed_protocols.items(): - if key not in res.allowed_protocols: - res.allowed_protocols[key] = self.copy_properties(properties) - - res.check_if_all_connections() - return res - - def __sub__(self, other): - if other.allow_all: - return ConnectionSet() - if self.allow_all: - res = self.copy() - res -= other - return res - - res = ConnectionSet() - for key, properties in self.allowed_protocols.items(): - if key in other.allowed_protocols: - if isinstance(properties, bool): - continue - diff = properties - other.allowed_protocols[key] - if diff: - res.allowed_protocols[key] = diff - else: - res.allowed_protocols[key] = self.copy_properties(properties) - - return res - - def __iand__(self, other): - if other.allow_all: - return self - if self.allow_all: - self.allow_all = False - for protocol, properties in other.allowed_protocols.items(): - self.allowed_protocols[protocol] = self.copy_properties(properties) - return self - - for key in list(self.allowed_protocols.keys()): # we need a copy of the keys because we delete while iterating - if key not in other.allowed_protocols: - del self.allowed_protocols[key] - else: - self.allowed_protocols[key] &= other.allowed_protocols[key] - if not self.allowed_protocols[key]: - del self.allowed_protocols[key] # became empty - return self - - def __ior__(self, other): - if self.allow_all or not bool(other): - return self - if other.allow_all: - self.allow_all = True - self.allowed_protocols.clear() - return self - - for key in self.allowed_protocols: - if key in other.allowed_protocols: - self.allowed_protocols[key] |= other.allowed_protocols[key] - - for key in other.allowed_protocols.keys(): - if key not in self.allowed_protocols: - self.allowed_protocols[key] = self.copy_properties(other.allowed_protocols[key]) - - self.check_if_all_connections() - return self - - def __isub__(self, other): - if not bool(other): - return self # nothing to subtract - if 
other.allow_all: - self.allowed_protocols.clear() # subtract everything - self.allow_all = False - return self - - if self.allow_all: - self.add_all_connections() - self.allow_all = False # We are about to subtract something - - for key in list(self.allowed_protocols.keys()): - if key in other.allowed_protocols: - other_features = other.allowed_protocols[key] - if isinstance(other_features, bool): - del self.allowed_protocols[key] - else: - self.allowed_protocols[key] -= other_features - if not self.allowed_protocols[key]: - del self.allowed_protocols[key] - - return self - - def contained_in(self, other): - """ - Check whether the 'self' set of connections is contained in the 'other' set of connections - :param ConnectionSet other: The other set of connections - :return: True if it 'self' is contained in 'other', False otherwise - :rtype: bool - """ - if other.allow_all: - return True - if self.allow_all: # BUGBUG: What if other allows all implicitly - return False - - for protocol, properties in self.allowed_protocols.items(): - if protocol not in other.allowed_protocols: - return False - if isinstance(properties, bool): - continue - if not properties.contained_in(other.allowed_protocols[protocol]): - return False - - return True - - @staticmethod - def copy_properties(properties): - """ - :param properties: protocol properties - :return: A (deep) copy of the given properties - """ - if isinstance(properties, bool): - return properties - return properties.copy() - - def copy(self): - """ - :return: A deep copy of self - :rtype: ConnectionSet - """ - res = ConnectionSet(self.allow_all) - for protocol, properties in self.allowed_protocols.items(): - res.allowed_protocols[protocol] = self.copy_properties(properties) - return res - - @staticmethod - def protocol_supports_ports(protocol): - """ - :param protocol: Protocol number or name - :return: Whether the given protocol has ports - :rtype: bool - """ - prot = protocol - if isinstance(protocol, str): - prot = 
ProtocolNameResolver.get_protocol_number(protocol) - return prot in ConnectionSet.port_supporting_protocols - - @staticmethod - def protocol_is_icmp(protocol): - """ - :param protocol: Protocol number or name - :return: Whether the protocol is icmp or icmpv6 - :rtype: bool - """ - prot = protocol - if isinstance(protocol, str): - prot = ProtocolNameResolver.get_protocol_number(protocol) - return prot in ConnectionSet._icmp_protocols - - def add_connections(self, protocol, properties=True): - """ - Add connections to the set of connections - :param int,str protocol: protocol number of the connections to add - :param properties: an object with protocol properties (e.g., ports), if relevant - :type properties: Union[bool, ConnectivityProperties] - :return: None - """ - if isinstance(protocol, str): - protocol = ProtocolNameResolver.get_protocol_number(protocol) - if not ProtocolNameResolver.is_valid_protocol(protocol): - raise Exception('Protocol must be in the range 0-255') - if not bool(properties): # if properties are empty, there is nothing to add - return - if protocol in self.allowed_protocols: - self.allowed_protocols[protocol] |= properties - else: - self.allowed_protocols[protocol] = properties if isinstance(properties, bool) else properties.copy() - - def remove_protocol(self, protocol): - """ - Remove a protocol from the set of connections - :param int,str protocol: The protocol to remove - :return: None - """ - if isinstance(protocol, str): - protocol = ProtocolNameResolver.get_protocol_number(protocol) - if not ProtocolNameResolver.is_valid_protocol(protocol): - raise Exception('Protocol must be in the range 0-255') - if protocol not in self.allowed_protocols: - return - del self.allowed_protocols[protocol] - - def _add_all_connections_of_protocol(self, protocol): - """ - Add all possible connections to the connection set for a given protocol - :param protocol: the given protocol number - :return: None - """ - if self.protocol_supports_ports(protocol) or 
self.protocol_is_icmp(protocol): - self.allowed_protocols[protocol] = ConnectivityProperties.make_all_props() - else: - self.allowed_protocols[protocol] = True - - def add_all_connections(self, excluded_protocols=None): - """ - Add all possible connections to the connection set - :param list[int] excluded_protocols: (optional) list of protocol numbers to exclude - :return: None - """ - for protocol in range(ConnectionSet._min_protocol_num, ConnectionSet._max_protocol_num + 1): - if excluded_protocols and protocol in excluded_protocols: - continue - self._add_all_connections_of_protocol(protocol) - - def check_if_all_connections(self): - """ - update self if it allows all connections but not flagged with allow_all - """ - if self.is_all_connections_without_allow_all(): - self.allow_all = True - self.allowed_protocols.clear() - - def is_all_connections_without_allow_all(self): - """ - check if self is not flagged with allow_all, but still allows all connections, and thus should - be replaced with allow_all flag - :rtype: bool - """ - if self.allow_all: - return False - num_protocols = ConnectionSet._max_protocol_num - ConnectionSet._min_protocol_num + 1 - if len(self.allowed_protocols) < num_protocols: - return False - for protocol in ConnectionSet.port_supporting_protocols | ConnectionSet._icmp_protocols: - if not self.allowed_protocols[protocol].is_all(): - return False - return True - - def has_named_ports(self): - """ - :return: True if any of the port-supporting protocols refers to a named port, False otherwise - :rtype: bool - """ - for protocol, properties in self.allowed_protocols.items(): - if self.protocol_supports_ports(protocol) and properties.has_named_ports(): - return True - return False - - def get_named_ports(self): - """ - :return: A list of (protocol, set-of-named-ports) pairs for every protocol that supports ports - :rtype: list[(int, set[str])] - """ - res = [] - for protocol, properties in self.allowed_protocols.items(): - if 
self.protocol_supports_ports(protocol) and properties.has_named_ports(): - res.append((protocol, properties.get_named_ports())) - return res - - def convert_named_ports(self, named_ports): - """ - Replaces all references to named ports with actual ports, given a mapping - NOTE: that this function modifies self - :param dict[str, (int, int)] named_ports: mapping from a named to port (str) to actual port number + protocol - :return: None - """ - for protocol, properties in list(self.allowed_protocols.items()): - if self.protocol_supports_ports(protocol): - properties.convert_named_ports(named_ports, ProtocolNameResolver.get_protocol_name(protocol)) - if not properties: - del self.allowed_protocols[protocol] - - def print_diff(self, other, self_name, other_name): - """ - Prints a single diff between two sets of connections ('self' and 'other') - :param ConnectionSet other: The connections to compare against - :param self_name: the name of 'self' connection set - :param other_name: The name of 'other' connection set - :return: A string with the diff details (if any) - :rtype: str - """ - if self.allow_all and other.allow_all: - return 'No diff.' - if self.allow_all and not other.allow_all: - return self_name + ' allows all connections while ' + other_name + ' does not.' - if not self.allow_all and other.allow_all: - return other_name + ' allows all connections while ' + self_name + ' does not.' - for protocol, properties in self.allowed_protocols.items(): - if protocol not in other.allowed_protocols: - res = self_name + ' allows communication using protocol ' + \ - ProtocolNameResolver.get_protocol_name(protocol) - if not isinstance(properties, bool) and not properties.is_all(): - res += ' on ' + properties._get_first_item_str() - res += ' while ' + other_name + ' does not.' 
- return res - other_properties = other.allowed_protocols[protocol] - if properties != other_properties: - return ProtocolNameResolver.get_protocol_name(protocol) + ' protocol - ' + \ - properties.print_diff(other_properties, self_name, other_name) - - for protocol in other.allowed_protocols: - if protocol not in self.allowed_protocols: - return other_name + ' allows communication using protocol ' + \ - ProtocolNameResolver.get_protocol_name(protocol) + ' while ' + self_name + ' does not.' - - return 'No diff.' - - def convert_to_connectivity_properties(self, peer_container, relevant_protocols=ProtocolSet()): - """ - Convert the current ConnectionSet to ConnectivityProperties format. - This function is used for comparing fw-rules output between original and optimized implementation, - when optimized_run == 'debug' - :param PeerContainer peer_container: the peer container - :param ProtocolSet relevant_protocols: specify if all protocols refer to TCP / non-TCP protocols - :return: the connection set in ConnectivityProperties format - """ - if self.allow_all: - if relevant_protocols: - protocols_conn = ConnectivityProperties.make_conn_props_from_dict({"protocols": relevant_protocols}) - else: - protocols_conn = ConnectivityProperties(create_all=True) - return ConnectivityProperties.get_all_conns_props_per_config_peers(peer_container) & protocols_conn - - res = ConnectivityProperties.make_empty_props() - for protocol, properties in self.allowed_protocols.items(): - protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) - this_prop = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols}) - if isinstance(properties, bool): - if properties: - res |= this_prop - else: - res |= (this_prop & properties) - return res - - @staticmethod - def get_all_tcp_connections(): - tcp_conns = ConnectionSet() - tcp_conns.add_connections('TCP', ConnectivityProperties.make_all_props()) - return tcp_conns - - @staticmethod - def get_non_tcp_connections(): 
- res = ConnectionSet() - res.add_all_connections([ProtocolNameResolver.get_protocol_number('TCP')]) - return res - # return ConnectionSet(True) - ConnectionSet.get_all_TCP_connections() diff --git a/nca/CoreDS/ConnectivityProperties.py b/nca/CoreDS/ConnectivityProperties.py index 330a042b2..cbba09b59 100644 --- a/nca/CoreDS/ConnectivityProperties.py +++ b/nca/CoreDS/ConnectivityProperties.py @@ -3,13 +3,13 @@ # SPDX-License-Identifier: Apache2.0 # -from .CanonicalIntervalSet import CanonicalIntervalSet from .CanonicalHyperCubeSet import CanonicalHyperCubeSet from .DimensionsManager import DimensionsManager from .PortSet import PortSet from .MethodSet import MethodSet from .Peer import PeerSet, BasePeerSet from .ProtocolNameResolver import ProtocolNameResolver +from .ProtocolSet import ProtocolSet from .MinDFA import MinDFA from .ConnectivityCube import ConnectivityCube 
@@ -21,47 +21,21 @@ class ConnectivityProperties(CanonicalHyperCubeSet): for TCP, it may be any of the dimensions from dimensions_list, except for icmp_type and icmp_code, for icmp data the actual used dimensions are only [src_peers, dst_peers, icmp_type, icmp_code]. - The usage of this class in the original solution: - In the original solution ConnectivityProperties do not hold src_peers, dst_peers and protocols dimensions. - First, ConnectivityProperties are built at parse time. Since peers are not a part of ConnectivityProperties, - the named ports cannot be resolved at parse time, and so are kept in named_ports and excluded_named_ports, - as explained below. - Second, at the query time, ConnectivityProperties is calculated for every pair of peers, and the named ports - are resolved. The pairs of peers and the protocols are kept in ConnectionSet class, together with - the resulting ConnectivityProperties. - - The usage of this class in the optimized solution: - In the optimized solution ConnectivityProperties potentially hold all the dimensions, including sets - of source peers and destination peers. The connectivity properties are built at the parse time for every policy. - The named ports are resolved during the construction, therefore in the optimized solution named_ports and - excluded_named_ports fields are not used. - - The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain - depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when - adding more configurations. Thus, there is no unique 'all values' representation. In particular, those - dimensions are never reduced to inactive. - This might be a problem in comparison and inclusion operators of ConnectivityProperties. 
The possible solution - may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet), - and to set it to relevant values per query, and to make a special treatment of these dimensions - in the above operators. - - Also, including support for (included and excluded) named ports (relevant for dest ports only). - - The representation with named ports is considered a mid-representation, and is required due to the late binding - of the named ports to real ports numbers. - The method convert_named_ports is responsible for applying this late binding, and is called by a policy's method - allowed_connections() to get policy's allowed connections, given peers and direction ingress/egress - Given a specific dest-peer context, the pod's named ports mapping is known, and used for the named ports conversion. - Some of the operators for ConnectivityProperties are not supported for objects with (included and excluded) named ports. - For example, in the general case, the result for (all but port "x") | (all but port 10) has 2 options: - (1) if the dest pod has named port "x" mapped to 10 -> the result would be: (all but port 10) - (2) otherwise, the result would be: (all ports) - Thus, for the 'or' operator, the assumption is that excluded named ports is empty for both input objects. - Some methods, such as bool(), str(), may not return accurate results on objects with named ports (included/excluded) - since they depend on the late binding with actual dest pod context. - The current actual flow for using named ports is limited for the following: - (1) k8s: only +ve named ports, no src named ports, and only use of 'or' operators between these objects. - (2) calico: +ve and -ve named ports, no src named ports, and no use of operators between these objects. + ConnectivityProperties potentially hold all the dimensions, including sets of source peers and destination peers. 
+ The connectivity properties are built at the parse time for every policy. + + The src_peers and dst_peers dimensions are special dimensions, they do not have constant domain. Their domain + depends on the current set of peers in the system (as appears in BasePeerSet singleton). This set grows when + adding more configurations. Thus, there is no unique 'all values' representation. In particular, those + dimensions are never reduced to inactive. + This might be a problem in comparison and inclusion operators of ConnectivityProperties. The possible solution + may be to keep 'reference full domain value' for these dimensions (as another member in the BasePeerSet), + and to set it to relevant values per query, and to make a special treatment of these dimensions + in the above operators. + + Also, including support for (included and excluded) named ports (relevant for dest ports only), which are + resolved during the construction of ConnectivityProperties. + """ def __init__(self, dimensions_list=None, create_all=False): @@ -70,8 +44,6 @@ def __init__(self, dimensions_list=None, create_all=False): :param create_all: whether to create full connectivity properties. """ super().__init__(dimensions_list if dimensions_list else ConnectivityCube.all_dimensions_list) - self.named_ports = {} # a mapping from dst named port (String) to src ports interval set - self.excluded_named_ports = {} # a mapping from dst named port (String) to src ports interval set if create_all: self.set_all() 
@@ -97,21 +69,14 @@ def _make_conn_props_no_named_ports_resolution(conn_cube): src_ports = conn_cube["src_ports"] dst_ports = conn_cube["dst_ports"] assert not src_ports.named_ports and not src_ports.excluded_named_ports - all_ports = PortSet.all_ports_interval.copy() - for port_name in dst_ports.named_ports: - res.named_ports[port_name] = src_ports.port_set - for port_name in dst_ports.excluded_named_ports: - res.excluded_named_ports[port_name] = all_ports + assert not dst_ports.named_ports and not dst_ports.excluded_named_ports return res - def __bool__(self): - return super().__bool__() or bool(self.named_ports) - def __str__(self): if self.is_all(): - return '' + return 'All connections' if not super().__bool__(): - return 'Empty' + return 'No connections' if self.active_dimensions == ['dst_ports']: assert (len(self) == 1) for cube in self: @@ -125,6 +90,9 @@ def __str__(self): def __hash__(self): return super().__hash__() + def __lt__(self, other): + return len(self) < len(other) or str(self) < str(other) + def get_connectivity_cube(self, cube): """ translate the ordered cube to ConnectivityCube format @@ -189,9 +157,7 @@ def get_properties_obj(self): def __eq__(self, other): if isinstance(other, ConnectivityProperties): - res = super().__eq__(other) and self.named_ports == other.named_ports and \ - self.excluded_named_ports == other.excluded_named_ports - return res + return super().__eq__(other) return False def __and__(self, other): 
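Review bot: The new `assert not dst_ports.named_ports and not dst_ports.excluded_named_ports` before `return res` in `_make_conn_props_no_named_ports_resolution` appears to be the only guard against an unresolved named port being silently dropped from the computed connectivity, and `assert` statements are stripped under `python -O`, so in an optimized run a policy rule written against a named port would simply vanish from the result instead of failing. Raise explicitly instead: `if dst_ports.named_ports or dst_ports.excluded_named_ports: raise ValueError('dst named ports must be resolved before building ConnectivityProperties')` (the pre-existing `src_ports` assert on the line above has the same weakness). The `__str__` change from `''`/`'Empty'` to `'All connections'`/`'No connections'` alters user-visible output, so any caller outside this hunk that compared against the old strings needs checking. The enclosing function starts before the hunk and `__str__` continues past it.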
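Review bot: The added `__lt__` is not a consistent ordering: `len(self) < len(other) or str(self) < str(other)` returns True for both `a < b` and `b < a` whenever the object with more cubes sorts first as a string, so `sorted()` over ConnectivityProperties objects can give input-order-dependent results. Compare by length first and use the string only as a tie-breaker, i.e. `if len(self) != len(other): return len(self) < len(other)` followed by `return str(self) < str(other)`, which is also what the `ConnectionSet.__lt__` deleted in this patch did. A one-line comment stating that the order is only meant for stable output and is unrelated to `__eq__` would help the next reader.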
@@ -209,85 +175,6 @@ def __sub__(self, other): res -= other return res - def __iand__(self, other): - assert not self.has_named_ports() - assert not isinstance(other, ConnectivityProperties) or not other.has_named_ports() - super().__iand__(other) - return self - - def __ior__(self, other): - assert not self.excluded_named_ports - assert not isinstance(other, ConnectivityProperties) or not other.excluded_named_ports - super().__ior__(other) - if isinstance(other, ConnectivityProperties): - res_named_ports = dict({}) - for port_name in self.named_ports: - res_named_ports[port_name] = self.named_ports[port_name] - for port_name in other.named_ports: - if port_name in res_named_ports: - res_named_ports[port_name] |= other.named_ports[port_name] - else: - res_named_ports[port_name] = other.named_ports[port_name] - self.named_ports = res_named_ports - return self - - def __isub__(self, other): - assert not self.has_named_ports() - assert not isinstance(other, ConnectivityProperties) or not other.has_named_ports() - super().__isub__(other) - return self - - def contained_in(self, other): - """ - :param ConnectivityProperties other: another connectivity properties - :return: Whether all (source port, target port) pairs in self also appear in other - :rtype: bool - """ - assert not self.has_named_ports() - assert not other.has_named_ports() - return super().contained_in(other) - - def has_named_ports(self): - return self.named_ports or self.excluded_named_ports - - def get_named_ports(self): - res = set() - res |= set(self.named_ports.keys()) - res |= set(self.excluded_named_ports.keys()) - return res - - def convert_named_ports(self, named_ports, protocol): - """ - Replaces all references to named ports with actual ports, given a mapping - NOTE: that this function modifies self - :param dict[str, (int, int)] named_ports: The mapping from a named to port (str) to the actual port number - :param int protocol: The relevant protocol - :return: None - """ - if not named_ports: 
- named_ports = {} - - my_named_ports = self.named_ports - self.named_ports = {} - my_excluded_named_ports = self.excluded_named_ports - self.excluded_named_ports = {} - - active_dims = ["src_ports", "dst_ports"] - for port in my_named_ports: - real_port = named_ports.get(port) - if real_port and real_port[1] == protocol: - real_port_number = real_port[0] - rectangle = [my_named_ports[port], - CanonicalIntervalSet.get_interval_set(real_port_number, real_port_number)] - self.add_cube(rectangle, active_dims) - for port in my_excluded_named_ports: - real_port = named_ports.get(port) - if real_port and real_port[1] == protocol: - real_port_number = real_port[0] - rectangle = [my_excluded_named_ports[port], - CanonicalIntervalSet.get_interval_set(real_port_number, real_port_number)] - self.add_hole(rectangle, active_dims) - def copy(self): """ :rtype: ConnectivityProperties @@ -296,9 +183,6 @@ def copy(self): for layer in self.layers: res.layers[self._copy_layer_elem(layer)] = self.layers[layer].copy() res.active_dimensions = self.active_dimensions.copy() - - res.named_ports = self.named_ports.copy() - res.excluded_named_ports = self.excluded_named_ports.copy() return res def print_diff(self, other, self_name, other_name): @@ -309,6 +193,10 @@ def print_diff(self, other, self_name, other_name): :return: If self!=other, return a string showing a (source, target) pair that appears in only one of them :rtype: str """ + if self.is_all() and not other.is_all(): + return self_name + ' allows all connections while ' + other_name + ' does not.' + if not self.is_all() and other.is_all(): + return other_name + ' allows all connections while ' + self_name + ' does not.' self_minus_other = self - other other_minus_self = other - self diff_str = self_name if self_minus_other else other_name 
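Review bot: The new early returns in `print_diff` decide the message from `is_all()`, yet the class docstring in this same patch says the `src_peers`/`dst_peers` dimensions are never reduced to inactive and have no unique all-values representation, so an object that covers every peer can presumably still report `is_all() == False`. If that reading is right, `other_name + ' allows all connections while ' + self_name + ' does not.'` can be printed for two objects that are semantically equivalent, which is misleading for a diff used to audit network policies. Consider only taking the shortcut when neither object has a peer dimension active, or fall through to the existing `self - other` / `other - self` computation and use `is_all()` just to phrase the message once a difference is actually found. The rest of `print_diff` continues outside the hunk.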
@@ -366,7 +254,7 @@ def project_on_one_dimension(self, dim_name): return res @staticmethod - def _resolve_named_ports(named_ports, peer, protocols): + def _resolve_named_ports(named_ports, peer, protocols, used_named_ports): peer_named_ports = peer.get_named_ports() real_ports = PortSet() for named_port in named_ports: @@ -379,6 +267,7 @@ def _resolve_named_ports(named_ports, peer, protocols): f'of the pod {peer}. Ignoring the pod') continue real_ports.add_port(real_port[0]) + used_named_ports.add(named_port) return real_ports @staticmethod @@ -389,11 +278,8 @@ def make_conn_props(conn_cube): If possible (i.e., in the optimized solution, when dst_peers are supported in the given cube), the named ports will be resolved. - In the optimized solution, the resulting ConnectivityProperties should not contain named ports: + The resulting ConnectivityProperties should not contain named ports: they are substituted with corresponding port numbers, per peer - In the original solution, the resulting ConnectivityProperties may contain named ports; - they cannot yet be resolved, since dst peers are not provided at this stage the original solution; - they will be resolved by convert_named_ports call during query runs. :param ConnectivityCube conn_cube: the input connectivity cube including all dimension values, whereas missing dimensions are represented by their default values (representing all possible values). 
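Review bot: The new `used_named_ports` parameter of _resolve_named_ports is an output parameter that the callee mutates (the `used_named_ports.add(named_port)` added in the next hunk), and nothing in the signature or the visible docstring says so; a caller passing a shared set would get it silently extended. I would document it right under the signature, e.g. `:param set used_named_ports: output parameter - every named port resolved for this peer is added to it`, and note that a port is recorded only when resolution succeeds (the `continue` above the add skips it otherwise). The function's docstring and body start and end outside these two hunks, so the wording should be placed in the existing docstring.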
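Review bot: The make_conn_props docstring is now internally inconsistent: the commit removes the "In the original solution" paragraph, but the surviving first sentence still reads "If possible (i.e., in the optimized solution, when dst_peers are supported in the given cube)", which refers to a distinction that no longer exists. Since named-port resolution is now the only path, I would rewrite that sentence as `If dst_ports contain named ports, they are resolved per dst peer (dst_peers must be an active dimension of the cube).` so the precondition the code relies on is stated instead of the old mode split.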
@@ -402,11 +288,12 @@ def make_conn_props(conn_cube): src_ports = conn_cube["src_ports"] dst_ports = conn_cube["dst_ports"] assert not src_ports.named_ports and not src_ports.excluded_named_ports - if (not dst_ports.named_ports and not dst_ports.excluded_named_ports) or \ - not conn_cube.is_active_dim("dst_peers"): - # Should not resolve named ports + if not dst_ports.named_ports and not dst_ports.excluded_named_ports: + # No named ports return ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) + # Should resolve named ports +# assert conn_cube.is_active_dim("dst_peers") # Initialize conn_properties if dst_ports.port_set: dst_ports_no_named_ports = PortSet() 
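Review bot: The removed `not conn_cube.is_active_dim("dst_peers")` guard is replaced only by a commented-out assert at column 0, so a cube that carries named dst ports but no active dst_peers dimension now falls through to the resolution loop with nothing to resolve against. Judging by `conn_cube["dst_peers"] or all_peers` in the new extract_src_dst_peers_from_cube, an inactive dimension presumably reads back as empty, in which case the loop in the next hunk runs zero times, the named ports are dropped, and the new "not defined in any pod" warning would be misleading. I would make the check live instead of leaving dead code: `assert conn_cube.is_active_dim("dst_peers"), "resolving named dst ports requires an active dst_peers dimension"`. The indentation of the commented line also breaks the block's visual structure and will be flagged by the linter; if the assert is intentionally disabled, a short comment explaining why would be better than the commented code.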
@@ -419,15 +306,21 @@ def make_conn_props(conn_cube): # Resolving dst named ports protocols = conn_cube["protocols"] dst_peers = conn_cube["dst_peers"] + used_named_ports = set() for peer in dst_peers: - real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols) + real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.named_ports, peer, protocols, + used_named_ports) if real_ports: conn_cube.update({"dst_ports": real_ports, "dst_peers": PeerSet({peer})}) conn_properties |= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) - excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer, protocols) + excluded_real_ports = ConnectivityProperties._resolve_named_ports(dst_ports.excluded_named_ports, peer, + protocols, used_named_ports) if excluded_real_ports: conn_cube.update({"dst_ports": excluded_real_ports, "dst_peers": PeerSet({peer})}) conn_properties -= ConnectivityProperties._make_conn_props_no_named_ports_resolution(conn_cube) + unresolved_named_ports = (dst_ports.named_ports.union(dst_ports.excluded_named_ports)).difference(used_named_ports) + if unresolved_named_ports: + print(f'Warning: Named ports {unresolved_named_ports} are not defined in any pod') return conn_properties @staticmethod 
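Review bot: `unresolved_named_ports` is a set, so the new warning prints it in arbitrary iteration order with set braces, which makes the message non-deterministic across runs and awkward to compare in expected-output tests. I would format it as `print(f"Warning: Named ports {', '.join(sorted(unresolved_named_ports))} are not defined in any pod")`. Note also that the warning is emitted on every make_conn_props call, so the same unresolved port will be reported once per cube that references it; if that proves noisy, the check could be moved to the caller or deduplicated. The loop's surrounding function starts outside this hunk.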
@@ -571,3 +464,64 @@ def _reorder_list_by_map(orig_list, new_to_old_map): for i in range(len(orig_list)): res.append(orig_list[new_to_old_map[i]]) return res + + @staticmethod + def extract_src_dst_peers_from_cube(the_cube, peer_container, relevant_protocols=ProtocolSet(True)): + """ + Remove src_peers and dst_peers from the given cube, and return those sets of peers + and the resulting properties without the peers. + :param ConnectivityCube the_cube: the given cube + :param PeerContainer peer_container: the peer container + :param relevant_protocols: the relevant protocols used to represent all protocols + :return: tuple(ConnectivityProperties, PeerSet, PeerSet) - the resulting properties after removing + src_peers and dst_peers, src_peers, dst_peers + """ + all_peers = peer_container.get_all_peers_group(True) + conn_cube = the_cube.copy() + src_peers = conn_cube["src_peers"] or all_peers + conn_cube.unset_dim("src_peers") + dst_peers = conn_cube["dst_peers"] or all_peers + conn_cube.unset_dim("dst_peers") + protocols = conn_cube["protocols"] + if protocols == relevant_protocols: + conn_cube.unset_dim("protocols") + props = ConnectivityProperties.make_conn_props(conn_cube) + return props, src_peers, dst_peers + + def get_simplified_connections_representation(self, is_str, use_complement_simplification=True): + """ + Get a simplified representation of the connectivity properties - choose shorter version between self + and its complement. + representation as str is a string representation, and not str is representation as list of objects. + The representation is used at fw-rules representation of the connection. 
+ :param bool is_str: should get str representation (True) or list representation (False) + :param bool use_complement_simplification: should choose shorter rep between self and complement + :return: the required representation of the connection set + :rtype Union[str, list] + """ + if self.is_all(): + return "All connections" if is_str else ["All connections"] + if not super().__bool__(): + return "No connections" if is_str else ["No connections"] + + rep = self._get_connections_representation(is_str) + if use_complement_simplification and 'protocols' in self.active_dimensions: + # The following 'minus' operation is heavy, try to avoid it as much as possible. + compl = ConnectivityProperties.make_all_props() - self + compl_rep = compl._get_connections_representation(is_str) + if len(rep) > len(compl_rep): + return f'All but {compl_rep}' if is_str else [{"All but": compl_rep}] + else: + return rep + else: + return rep + + def _get_connections_representation(self, is_str): + cubes_list = [self.get_cube_dict(cube, is_str) for cube in self] + if is_str: + return ','.join(self._get_cube_str_representation(cube) for cube in cubes_list) + return cubes_list + + @staticmethod + def _get_cube_str_representation(cube): + return '{' + ','.join(f'{item[0]}:{item[1]}' for item in cube.items()) + '}' diff --git a/nca/CoreDS/DimensionsManager.py b/nca/CoreDS/DimensionsManager.py index 20213e12e..26529a192 100644 --- a/nca/CoreDS/DimensionsManager.py +++ b/nca/CoreDS/DimensionsManager.py 
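Review bot: `extract_src_dst_peers_from_cube` takes `relevant_protocols=ProtocolSet(True)` as a default, which is a single shared instance created at class-definition time; ProtocolSet is mutable (the deleted MinimizeBasic code in this same diff calls `add_protocol` on one), so any caller that mutates the argument would corrupt the default for everyone. The function only compares it today, but the idiomatic guard is cheap: `def extract_src_dst_peers_from_cube(the_cube, peer_container, relevant_protocols=None):` followed by `if relevant_protocols is None: relevant_protocols = ProtocolSet(True)`. The docstring should then say the parameter defaults to all protocols and give its type (`:param ProtocolSet relevant_protocols:`). In get_simplified_connections_representation the rtype line is missing its closing colon (`:rtype: Union[str, list]`), and `_get_cube_str_representation` reads better with unpacking, `','.join(f'{key}:{val}' for key, val in cube.items())`.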
@@ -13,7 +13,7 @@ class DimensionsManager: """ A singleton class to manage dimensions names and their association to type and domain. - The dimensions are related to certain protocol's properties in ConnectionSet / ConnectivityProperties. + The dimensions are related to certain protocol's properties in ConnectivityProperties. They are used for allowed connection representation, as protocols properties, within CanonicalHyperCubeSet objects. The src_peers and dst_peers are special dimensions, they do not have constant domain. diff --git a/nca/CoreDS/Peer.py b/nca/CoreDS/Peer.py index 40b1efce3..cc68d1af5 100644 --- a/nca/CoreDS/Peer.py +++ b/nca/CoreDS/Peer.py @@ -2,7 +2,6 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -import copy import ipaddress import re from ipaddress import ip_network 
@@ -425,39 +424,6 @@ def _add_interval_to_list(interval, non_overlapping_interval_list): non_overlapping_interval_list += interval.split() non_overlapping_interval_list += to_add - @staticmethod - def disjoint_ip_blocks(ip_blocks1, ip_blocks2, exclude_ipv6=False): - """ - Takes all (atomic) ip-ranges in both ip-blocks and returns a new set of ip-ranges where - each ip-range is: - 1. a subset of an ip-range in either ip-blocks AND - 2. cannot be partially intersected by an ip-range in either ip-blocks AND - 3. is maximal (extending the range to either side will violate either 1 or 2) - :param ip_blocks1: A set of ip blocks - :param ip_blocks2: A set of ip blocks - :param bool exclude_ipv6: indicates if to exclude the IPv6 addresses in case the result is all_ips_block - :return: A set of ip ranges as specified above - :rtype: PeerSet - """ - # deepcopy is required since add_interval_to_list() changes the 'interval' argument - ip_blocks_set = copy.deepcopy(ip_blocks1) - ip_blocks_set |= copy.deepcopy(ip_blocks2) - ip_blocks = sorted(ip_blocks_set, key=IpBlock.ip_count) - - # making sure the resulting list does not contain overlapping ipBlocks - blocks_with_no_overlap = [] - for interval in ip_blocks: - IpBlock._add_interval_to_list(interval, blocks_with_no_overlap) - - res = PeerSet() - for ip_block in blocks_with_no_overlap: - res.add(ip_block) - - if not res: - res.add(IpBlock.get_all_ips_block(exclude_ipv6)) - - return res - def is_ipv4_block(self): """ checks whether self IpBlock includes only IPv4 addresses diff --git a/nca/CoreDS/ProtocolSet.py b/nca/CoreDS/ProtocolSet.py index 99006018b..d4ff4dbbe 100644 --- a/nca/CoreDS/ProtocolSet.py +++ b/nca/CoreDS/ProtocolSet.py @@ -13,6 +13,8 @@ class ProtocolSet(CanonicalIntervalSet): """ min_protocol_num = 0 max_protocol_num = 255 + port_supporting_protocols = {6, 17, 132} + icmp_protocols = {1, 58} def __init__(self, all_protocols=False): """ 
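Review bot: The two new ProtocolSet class attributes are bare integer literals in mutable sets, so a reader has to know the IANA numbers to follow protocol_supports_ports/protocol_is_icmp, and any code doing `ProtocolSet.icmp_protocols.add(...)` would alter the class-wide definition. I would make them immutable and name the members: `port_supporting_protocols = frozenset({6, 17, 132})  # TCP, UDP, SCTP` and `icmp_protocols = frozenset({1, 58})  # ICMP, ICMPv6`. Membership tests on a frozenset behave exactly as on a set, so the two new static methods need no change.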
@@ -148,3 +150,27 @@ def copy(self): for interval in self.interval_set: new_copy.interval_set.append(interval.copy()) return new_copy + + @staticmethod + def protocol_supports_ports(protocol): + """ + :param protocol: Protocol number or name + :return: Whether the given protocol has ports + :rtype: bool + """ + prot = protocol + if isinstance(protocol, str): + prot = ProtocolNameResolver.get_protocol_number(protocol) + return prot in ProtocolSet.port_supporting_protocols + + @staticmethod + def protocol_is_icmp(protocol): + """ + :param protocol: Protocol number or name + :return: Whether the protocol is icmp or icmpv6 + :rtype: bool + """ + prot = protocol + if isinstance(protocol, str): + prot = ProtocolNameResolver.get_protocol_number(protocol) + return prot in ProtocolSet.icmp_protocols diff --git a/nca/FWRules/ConnectivityGraph.py b/nca/FWRules/ConnectivityGraph.py index fe9b5dc3a..620b91153 100644 --- a/nca/FWRules/ConnectivityGraph.py +++ b/nca/FWRules/ConnectivityGraph.py @@ -6,10 +6,10 @@ import itertools from collections import defaultdict import networkx -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod +from nca.CoreDS.Peer import IpBlock, Pod from nca.CoreDS.ProtocolSet import ProtocolSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from .DotGraph import DotGraph -from .MinimizeFWRules import MinimizeBasic, MinimizeFWRules from .ClusterInfo import ClusterInfo 
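Review bot: protocol_supports_ports and protocol_is_icmp duplicate the same name-to-number resolution (`prot = protocol; if isinstance(protocol, str): prot = ProtocolNameResolver.get_protocol_number(protocol)`), which invites the two copies to drift. A small private helper keeps the conversion in one place and makes both predicates one-liners. This also assumes ProtocolNameResolver is already imported in ProtocolSet.py, which the hunk does not show; if it is not, the new methods will fail at call time rather than at import.
```python
    @staticmethod
    def _to_protocol_number(protocol):
        """Return the numeric protocol for a protocol number or a protocol name."""
        if isinstance(protocol, str):
            return ProtocolNameResolver.get_protocol_number(protocol)
        return protocol

    @staticmethod
    def protocol_supports_ports(protocol):
        # … unchanged: docstring …
        return ProtocolSet._to_protocol_number(protocol) in ProtocolSet.port_supporting_protocols

    @staticmethod
    def protocol_is_icmp(protocol):
        # … unchanged: docstring …
        return ProtocolSet._to_protocol_number(protocol) in ProtocolSet.icmp_protocols
```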
@@ -26,32 +26,14 @@ def __init__(self, all_peers, allowed_labels, output_config): :param allowed_labels: the set of allowed labels to be used in generated fw-rules, extracted from policy yamls :param output_config: OutputConfiguration object """ - # connections_to_peers holds the connectivity graph + # props_to_peers holds the connectivity graph self.output_config = output_config - self.connections_to_peers = defaultdict(list) + self.props_to_peers = defaultdict(list) if self.output_config.fwRulesOverrideAllowedLabels: allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) self.cluster_info = ClusterInfo(all_peers, allowed_labels) self.allowed_labels = allowed_labels - def add_edge(self, source_peer, dest_peer, connections): - """ - Adding a labeled edge to the graph - :param Peer source_peer: The source peer - :param Peer dest_peer: The dest peer - :param ConnectionSet connections: The allowed connections from source_peer to dest_peer - :return: None - """ - self.connections_to_peers[connections].append((source_peer, dest_peer)) - - def add_edges(self, connections): - """ - Adding a set of labeled edges to the graph - :param dict connections: a map from ConnectionSet to (src, dest) pairs - :return: None - """ - self.connections_to_peers.update(connections) - def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restriction=None): """ Add edges to the graph according to the give cube 
@@ -68,13 +50,13 @@ def add_edges_from_cube_dict(self, conn_cube, peer_container, connectivity_restr else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + props, src_peers, dst_peers = \ + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, peer_container, relevant_protocols) split_src_peers = src_peers.split() split_dst_peers = dst_peers.split() for src_peer in split_src_peers: for dst_peer in split_dst_peers: - self.connections_to_peers[conns].append((src_peer, dst_peer)) + self.props_to_peers[props].append((src_peer, dst_peer)) def add_props_to_graph(self, props, peer_container, connectivity_restriction=None): """ @@ -290,16 +272,16 @@ def _get_equals_groups(self): """ # for each peer, we get a list of (peer,conn,direction) that it connected to: peers_edges = {peer: [] for peer in set(self.cluster_info.all_peers)} - edges_connections = dict() - for connection, peer_pairs in self.connections_to_peers.items(): - if not connection: + edges_props = dict() + for props, peer_pairs in self.props_to_peers.items(): + if not props: continue for src_peer, dst_peer in peer_pairs: if src_peer != dst_peer: - peers_edges[src_peer].append((dst_peer, connection, False)) - peers_edges[dst_peer].append((src_peer, connection, True)) - edges_connections[(src_peer, dst_peer)] = connection - edges_connections[(dst_peer, src_peer)] = connection + peers_edges[src_peer].append((dst_peer, props, False)) + peers_edges[dst_peer].append((src_peer, props, True)) + edges_props[(src_peer, dst_peer)] = props + edges_props[(dst_peer, src_peer)] = props # for each peer, adding a self edge only for connection that the peer already have: for peer, peer_edges in peers_edges.items(): 
@@ -311,7 +293,7 @@ def _get_equals_groups(self): # find groups of peers that are also connected to each other: connected_groups, left_out = self._find_equal_groups(peers_edges) # for every group, also add the connection of the group (should be only one) - connected_groups = [(group, edges_connections.get((group[0], group[1]), None)) for group in connected_groups] + connected_groups = [(group, edges_props.get((group[0], group[1]), None)) for group in connected_groups] # removing the peers of groups that we already found: peers_edges = {peer: edges for peer, edges in peers_edges.items() if peer in left_out} @@ -332,8 +314,8 @@ def get_connections_without_fw_rules_txt_format(self, connectivity_msg=None, exc :return: a string of the original peers connectivity graph content (without minimization of fw-rules) """ lines = set() - for connections, peer_pairs in self.connections_to_peers.items(): - if not connections: + for props, peer_pairs in self.props_to_peers.items(): + if not props: continue for src_peer, dst_peer in peer_pairs: if src_peer != dst_peer: @@ -343,8 +325,7 @@ def get_connections_without_fw_rules_txt_format(self, connectivity_msg=None, exc # not be added either if exclude_self_loop_conns and src_peer_name == dst_peer_name: continue - conn_str = connections.get_simplified_connections_representation(True) - conn_str = conn_str.title() if not conn_str.isupper() else conn_str + conn_str = props.get_simplified_connections_representation(True) lines.add(f'{src_peer_name} => {dst_peer_name} : {conn_str}') lines_list = [] 
@@ -370,7 +351,7 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif # we are going to treat a peers_group as one peer. # the first peer in the peers_group is representing the group # we will add the text of all the peers in the group to this peer - for peers_group, group_connection in peers_groups: + for peers_group, group_props in peers_groups: peer_name, node_type, nc_name, text = self._get_peer_details(peers_group[0]) if len(peers_group) > 1: text = sorted(set(self._get_peer_details(peer)[3][0] for peer in peers_group)) 
@@ -379,20 +360,20 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif node_type = DotGraph.NodeType.MultiPod if len(text) > 1 else node_type dot_graph.add_node(nc_name, peer_name, node_type, text) # adding the self edges: - if len(text) > 1 and group_connection: - conn_str = group_connection.get_simplified_connections_representation(True) - conn_str = conn_str.replace("Protocol:", "").replace('All connections', 'All') + if len(text) > 1 and group_props: + conn_str = group_props.get_simplified_connections_representation(True) + conn_str = conn_str.replace('All connections', 'All') dot_graph.add_edge(peer_name, peer_name, label=conn_str, is_dir=False) representing_peers = [multi_peer[0][0] for multi_peer in peers_groups] - for connections, peer_pairs in self.connections_to_peers.items(): + for props, peer_pairs in self.props_to_peers.items(): directed_edges = set() # todo - is there a better way to get edge details? # we should revisit this code after reformatting connections labels - conn_str = connections.get_simplified_connections_representation(True) - conn_str = conn_str.replace("Protocol:", "").replace('All connections', 'All') + conn_str = props.get_simplified_connections_representation(True) + conn_str = conn_str.replace('All connections', 'All') for src_peer, dst_peer in peer_pairs: - if src_peer != dst_peer and connections and src_peer in representing_peers and dst_peer in representing_peers: + if src_peer != dst_peer and props and src_peer in representing_peers and dst_peer in representing_peers: src_peer_name, _, src_nc, _ = self._get_peer_details(src_peer) dst_peer_name, _, dst_nc, _ = self._get_peer_details(dst_peer) directed_edges.add(((src_peer_name, src_nc), (dst_peer_name, dst_nc))) 
@@ -412,83 +393,3 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None, simplif for edge in undirected_edges | cliques_edges: dot_graph.add_edge(src_name=edge[0][0], dst_name=edge[1][0], label=conn_str, is_dir=False) return dot_graph.to_str(self.output_config.outputFormat == 'dot') - - def get_minimized_firewall_rules(self): - """ - computes and returns minimized firewall rules from original connectivity graph - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - - connections_sorted_by_size = list(self.connections_to_peers.items()) - connections_sorted_by_size.sort(reverse=True) - - connections_sorted_by_size = self._merge_ip_blocks(connections_sorted_by_size) - - if self.output_config.fwRulesRunInTestMode: - # print the original connectivity graph - lines = set() - for connections, peer_pairs in connections_sorted_by_size: - for src_peer, dst_peer in peer_pairs: - src_peer_name = self._get_peer_details(src_peer)[0] - dst_peer_name = self._get_peer_details(dst_peer)[0] - # on level of deployments, omit the 'all connections' between a pod to itself - # a connection between deployment to itself is derived from connection between 2 different pods of - # the same deployment - if src_peer == dst_peer and self.output_config.outputEndpoints == 'deployments': - continue - lines.add(f'src: {src_peer_name}, dest: {dst_peer_name}, allowed conns: {connections}') - for line in lines: - print(line) - print('======================================================') - # compute the minimized firewall rules - return MinimizeFWRules.minimize_firewall_rules(self.cluster_info, self.output_config, connections_sorted_by_size) - - @staticmethod - def _merge_ip_blocks(connections_sorted_by_size): - """ - Given an input connectivity graph, merge ip-blocks for peer-pairs when possible. e.g. 
if (pod_x , - 0.0.0.0-49.49.255.255) and ) and (pod_x, 49.50.0.0-255.255.255.255) are in connections_sorted_by_size[conn], - then in the output result, only (pod_x, 0.0.0.0-255.255.255.255) will be in: connections_sorted_by_size[conn] - - :param connections_sorted_by_size: the original connectivity graph : a list of tuples - (connection set , peer_pairs), where peer_pairs is a list of (src,dst) tuples - :return: connections_sorted_by_size_new : a new connectivity graph with merged ip-blocks - """ - connections_sorted_by_size_new = [] - for connections, peer_pairs in connections_sorted_by_size: - map_ip_blocks_per_dst = dict() - map_ip_blocks_per_src = dict() - merged_peer_pairs = [] - for (src, dst) in peer_pairs: - if isinstance(src, IpBlock) and isinstance(dst, ClusterEP): - if dst not in map_ip_blocks_per_dst: - map_ip_blocks_per_dst[dst] = src.copy() - else: - map_ip_blocks_per_dst[dst] |= src - elif isinstance(dst, IpBlock) and isinstance(src, ClusterEP): - if src not in map_ip_blocks_per_src: - map_ip_blocks_per_src[src] = dst.copy() - else: - map_ip_blocks_per_src[src] |= dst - else: - merged_peer_pairs.append((src, dst)) - for (src, ip_block) in map_ip_blocks_per_src.items(): - merged_peer_pairs.append((src, ip_block)) - for (dst, ip_block) in map_ip_blocks_per_dst.items(): - merged_peer_pairs.append((ip_block, dst)) - connections_sorted_by_size_new.append((connections, merged_peer_pairs)) - - return connections_sorted_by_size_new - - def conn_graph_has_fw_rules(self): - """ - :return: bool flag indicating if the given conn_graph has fw_rules (and not considered empty) - """ - if not self.connections_to_peers: - return False - if len((self.connections_to_peers.items())) == 1: - conn = list(self.connections_to_peers.keys())[0] - # we currently do not create fw-rules for "no connections" - if not conn: # conn is "no connections": - return False - return True diff --git a/nca/FWRules/DotGraph.py b/nca/FWRules/DotGraph.py index 4e6deeeca..0323ea4a4 100644 
--- a/nca/FWRules/DotGraph.py +++ b/nca/FWRules/DotGraph.py @@ -5,7 +5,6 @@ from dataclasses import dataclass from enum import Enum import string -import ast class DotGraph: @@ -213,6 +212,11 @@ def _edge_to_str(self, edge): line += f'[{label} {tooltip} color={edge_color} fontcolor=darkgreen {arrow_type}]\n' return line + @staticmethod + def get_val_by_key_from_list(the_list, key): + res_items = [item for item in the_list if key in item] + return res_items[0].split(':')[1] if res_items else '' + def _set_labels_dict(self): """ creates a dict of label -> to label_short @@ -227,19 +231,14 @@ def _set_labels_dict(self): labels_short = {} # for each label, the short will look like "tcp" if there is a port, or "TCP" if there is no port for label in self.labels: - splitted_label = label.split(' ', 1) - label_type = splitted_label.pop(0) - label_port = splitted_label[0] if splitted_label else '' - if label_port.startswith('{'): - # it is not a port, its a list of dict, a dict can have 'dst_ports' - # we will use only one 'dst_ports': - connections = ast.literal_eval(f'[{label_port}]') - ports = [conn['dst_ports'] for conn in connections if 'dst_ports' in conn.keys()] - label_port = ports[0] if ports else '' + splitted_label = label.replace('{', '').replace('}', '').split(',') + label_type = self.get_val_by_key_from_list(splitted_label, 'protocols') or 'TCP' + label_port = self.get_val_by_key_from_list(splitted_label, 'dst_ports') # a 'dst_ports' can be too long (like 'port0,port1-port2' ) we trim it to the first port: if len(label_port) > 6: label_port = label_port.split(',')[0].split('-')[0] - labels_short[label] = f'{label_type.lower()}{label_port}' if label_port else label_type + labels_short[label] = 'All' if label == 'All' else f'{label_type.lower()}{label_port}' if label_port \ + else label_type # for labels sharing the same short, we will add a letter to the end of the short: for short in set(labels_short.values()): 
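Review bot: get_val_by_key_from_list builds the whole filtered list just to take its first element, matches `key` as a substring anywhere in the item, and uses `split(':')[1]`, which raises IndexError if a matching item has no colon and drops everything after a second colon. Since the items come from `{key}:{value}` strings (see _get_cube_str_representation in this diff), a stricter and lazier form is `return next((item.partition(':')[2] for item in the_list if item.startswith(f'{key}:')), '')`. The method also lacks a docstring; a one-liner such as `"""Return the value of the first 'key:value' item in the_list whose key matches, or '' if none."""` would do.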
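Review bot: The new parsing in _set_labels_dict splits the whole label on ',' before looking up `dst_ports`, so a port value that itself contains a comma (the comment two lines below gives `port0,port1-port2` as an example) is cut off at the first comma and the `len(label_port) > 6` trimming that follows can no longer see the full value. The old code avoided this by evaluating the list of dicts; if the string form of a port set can contain commas, the label needs to be parsed at the `key:value` level (e.g. by splitting on `,` only between `}` and `{`, or by keeping the structured representation from get_simplified_connections_representation(False)) rather than flattening it. The chained conditional `'All' if label == 'All' else f'...' if label_port else label_type` is also hard to read and would be clearer as an if/elif block.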
diff --git a/nca/FWRules/FWRule.py b/nca/FWRules/FWRule.py index 7e511b43b..31c6e51f3 100644 --- a/nca/FWRules/FWRule.py +++ b/nca/FWRules/FWRule.py @@ -573,16 +573,16 @@ class FWRule: rule_csv_header = ['query', 'src_ns', 'src_pods', 'dst_ns', 'dst_pods', 'connection'] supported_formats = {'txt', 'yaml', 'csv', 'md', 'json'} - def __init__(self, src, dst, conn): + def __init__(self, src, dst, props): """ Create an object of FWRule :param src: src element of type FWRuleElement :param dst: dst element of type FWRuleElement - :param conn: allowed connections of type ConnectionSet + :param props: allowed connections of type ConnectivityProperties """ self.src = src self.dst = dst - self.conn = conn + self.props = props # TODO: also re-format the rule if ns is a combination of both 'system' and non 'system' def should_rule_be_filtered_out(self): @@ -604,7 +604,7 @@ def __str__(self): """ src_str = self.src.get_elem_str(True) dst_str = self.dst.get_elem_str(False) - conn_str = str(self.conn) + conn_str = str(self.props) return src_str + dst_str + ' conn: ' + conn_str def get_rule_str(self): @@ -613,14 +613,14 @@ def get_rule_str(self): """ src_str = self.src.get_elem_str(True) dst_str = self.dst.get_elem_str(False) - conn_str = self.conn.get_simplified_connections_representation(True) + conn_str = self.props.get_simplified_connections_representation(True) return src_str + dst_str + ' conn: ' + conn_str + '\n' def __hash__(self): return hash(str(self)) def __eq__(self, other): - return self.src == other.src and self.dst == other.dst and self.conn == other.conn + return self.src == other.src and self.dst == other.dst and self.props == other.props def __lt__(self, other): return str(self) < str(other) 
@@ -640,7 +640,7 @@ def get_rule_component_str(self, component): elif component == 'dst_pods': return str(self.dst) if isinstance(self.dst, (IPBlockElement, DNSElement)) else self.dst.get_pod_str() elif component == 'connection': - return self.conn.get_simplified_connections_representation(True) + return self.props.get_simplified_connections_representation(True) return '' def get_rule_csv_row(self): @@ -663,7 +663,7 @@ def get_rule_dict_obj(self): src_ip_block_list = sorted(self.src.get_elem_list_obj()) if isinstance(self.src, IPBlockElement) else None dst_ip_block_list = sorted(self.dst.get_elem_list_obj()) if isinstance(self.dst, IPBlockElement) else None dst_dns_entry_list = sorted(self.dst.get_elem_list_obj()) if isinstance(self.dst, DNSElement) else None - conn_list = self.conn.get_simplified_connections_representation(False) + conn_list = self.props.get_simplified_connections_representation(False) rule_obj = {} if src_ip_block_list is None and dst_ip_block_list is None and dst_dns_entry_list is None: 
@@ -707,21 +707,3 @@ def get_rule_in_req_format(self, req_format): if req_format == 'txt': return self.get_rule_str() return None - - @staticmethod - def create_fw_rules_from_base_elements(src, dst, connections, cluster_info, output_config): - """ - create fw-rules from single pair of base elements (src,dst) and a given connection set - :param ConnectionSet connections: the allowed connections from src to dst - :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock - :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param OutputConfiguration output_config: an object holding output configuration - :return: list with created fw-rules - :rtype list[FWRule] - """ - src_elem = FWRuleElement.create_fw_elements_from_base_element(src, cluster_info, output_config) - dst_elem = FWRuleElement.create_fw_elements_from_base_element(dst, cluster_info, output_config) - if src_elem is None or dst_elem is None: - return [] - return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] diff --git a/nca/FWRules/MinimizeBasic.py b/nca/FWRules/MinimizeBasic.py deleted file mode 100644 index 81362ee24..000000000 --- a/nca/FWRules/MinimizeBasic.py +++ /dev/null 
@@ -1,169 +0,0 @@ -# -# Copyright 2020- IBM Inc. All rights reserved -# SPDX-License-Identifier: Apache2.0 -# - -from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import PeerSet -from nca.CoreDS.ProtocolSet import ProtocolSet - - -class MinimizeBasic: - """ - This is a base class for minimizing fw-rules/peer sets - """ - def __init__(self, cluster_info, output_config): - self.cluster_info = cluster_info - self.output_config = output_config - - def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): - """ - The main function to implement pods grouping by labels. - This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). - :param pods_set: the pods for grouping - :param extra_pods_set: additional pods that can be used for grouping - :return: - res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). - """ - ns_context_options = set(pod.namespace for pod in pods_set) - res_chosen_rep = [] - res_remaining_pods = set() - # grouping by pod-labels per each namespace separately - for ns in ns_context_options: - pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) - extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) - res_chosen_rep.extend(chosen_rep) - res_remaining_pods |= remaining_pods - return res_chosen_rep, res_remaining_pods - - def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): - """ - Implements pods grouping by labels in a single namespace. - :param pods_set: the set of pods for grouping. 
- :param ns: the namespace - :param extra_pods_set: additional pods that can be used for completing the grouping - (originated in containing connections). - :return: - chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. - remaining_pods: set of pods from pods_list that are not included in the grouping result - """ - if self.output_config.fwRulesDebug: - print('get_pods_grouping_by_labels:') - print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) - print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) - all_pods_set = pods_set | extra_pods_set - allowed_labels = self.cluster_info.allowed_labels - pods_per_ns = self.cluster_info.ns_dict[ns] - # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid - # grouping of pods-set by "key in values" - labels_rep_options = [] - for key in allowed_labels: - values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) - fully_covered_label_values = set() - pods_with_fully_covered_label_values = set() - for v in values_for_key: - all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns - if not all_pods_per_label_val: - continue - pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set - pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set - # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set - if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ - pods_with_label_val_from_original_pods_list: - fully_covered_label_values |= {v} - pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list - # TODO: is it OK to ignore label-grouping if only one pod is involved? 
- if self.output_config.fwRulesGroupByLabelSinglePod: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - else: - if fully_covered_label_values and len( - pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved - labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) - - chosen_rep = [] - remaining_pods = pods_set.copy() - # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that - # covers more pods - sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) - if self.output_config.fwRulesDebug: - print('sorted rep options:') - for (key, (label_vals, pods)) in sorted_rep_options: - print(key, label_vals, len(pods)) - ns_info = {ns} - for (k, (vals, pods)) in sorted_rep_options: - if (pods & pods_set).issubset(remaining_pods): - chosen_rep.append((k, vals, ns_info)) - remaining_pods -= PeerSet(pods) - if not remaining_pods: - break - return chosen_rep, remaining_pods - - # TODO - after moving to the optimized HC set implementation, - # get rid of ConnectionSet and move the code below to ConnectivityProperties.py - @staticmethod - def get_connection_set_and_peers_from_cube(the_cube, peer_container, - relevant_protocols=ProtocolSet(True)): - all_peers = peer_container.get_all_peers_group(True) - conn_cube = the_cube.copy() - src_peers = conn_cube["src_peers"] or all_peers - conn_cube.unset_dim("src_peers") - dst_peers = conn_cube["dst_peers"] or all_peers - conn_cube.unset_dim("dst_peers") - protocols = conn_cube["protocols"] - conn_cube.unset_dim("protocols") - has_active_dim = conn_cube.has_active_dim() - if not has_active_dim and (protocols == relevant_protocols or protocols.is_whole_range()): - conns = 
ConnectionSet(True) - else: - conns = ConnectionSet() - protocol_names = ProtocolSet.get_protocol_names_from_interval_set(protocols) - if has_active_dim: - props = ConnectivityProperties.make_conn_props(conn_cube) - else: - props = ConnectivityProperties.make_all_props() - for protocol in protocol_names: - if has_active_dim: - conns.add_connections(protocol, props) - else: - if ConnectionSet.protocol_supports_ports(protocol) or ConnectionSet.protocol_is_icmp(protocol): - conns.add_connections(protocol, props) - else: - conns.add_connections(protocol, True) - return conns, src_peers, dst_peers - - @staticmethod - def fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction=None): - """ - Converting FWRules to ConnectivityProperties format. - This function is used for comparing FWRules output between original and optimized solutions, - when optimized_run == 'debug' - :param MinimizeFWRules fw_rules: the given FWRules. - :param PeerContainer peer_container: the peer container - param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return: the resulting ConnectivityProperties. - """ - relevant_protocols = ProtocolSet() - if connectivity_restriction: - if connectivity_restriction == 'TCP': - relevant_protocols.add_protocol('TCP') - else: # connectivity_restriction == 'non-TCP' - relevant_protocols = ProtocolSet.get_non_tcp_protocols() - - res = ConnectivityProperties.make_empty_props() - if fw_rules.fw_rules_map is None: - return res - for fw_rules_list in fw_rules.fw_rules_map.values(): - for fw_rule in fw_rules_list: - conn_props = fw_rule.conn.convert_to_connectivity_properties(peer_container, relevant_protocols) - src_peers = fw_rule.src.get_peer_set() - dst_peers = fw_rule.dst.get_peer_set() - rule_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, - "dst_peers": dst_peers}) & conn_props - res |= rule_props - return res 
diff --git a/nca/FWRules/MinimizeCsFWRulesOpt.py b/nca/FWRules/MinimizeCsFWRules.py similarity index 77% rename from nca/FWRules/MinimizeCsFWRulesOpt.py rename to nca/FWRules/MinimizeCsFWRules.py index 92e968f6e..72d820dd0 100644 --- a/nca/FWRules/MinimizeCsFWRulesOpt.py +++ b/nca/FWRules/MinimizeCsFWRules.py @@ -4,16 +4,14 @@ # from collections import defaultdict -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import IpBlock, ClusterEP, HostEP, DNSEntry, PeerSet, Pod from nca.Resources.OtherResources.K8sNamespace import K8sNamespace from .FWRule import FWRuleElement, FWRule, PodElement, PeerSetElement, LabelExpr, PodLabelsElement, IPBlockElement, \ DNSElement -from .MinimizeBasic import MinimizeBasic -class MinimizeCsFwRulesOpt(MinimizeBasic): +class MinimizeCsFwRules: """ This is a class for minimizing fw-rules within a specific connection-set """ @@ -25,10 +23,11 @@ def __init__(self, cluster_info, output_config): :param output_config: an OutputConfiguration object """ - super().__init__(cluster_info, output_config) + self.cluster_info = cluster_info + self.output_config = output_config self.peer_props = ConnectivityProperties() - self.connections = ConnectionSet() - self.peer_props_in_containing_connections = ConnectivityProperties() + self.props = ConnectivityProperties() + self.peer_props_in_containing_props = ConnectivityProperties() self.ns_set_pairs = set() self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() 
@@ -36,14 +35,13 @@ def __init__(self, cluster_info, output_config): self.results_info_per_option = dict() self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - def compute_minimized_fw_rules_per_connection(self, connections, peer_props, - peer_props_in_containing_connections): + def compute_minimized_fw_rules_per_prop(self, props, peer_props, peer_props_in_containing_props): """ The main function for creating the minimized set of fw-rules for a given connection set - :param ConnectionSet connections: the allowed connections for the given peer pairs, of type ConnectionSet + :param ConnectivityProperties props: the allowed connections for the given peer pairs :param ConnectivityProperties peer_props: peers (src,dst) for which communication is allowed over the given connections - :param ConnectivityProperties peer_props_in_containing_connections: peers in connections that contain the current + :param ConnectivityProperties peer_props_in_containing_props: peers in connections that contain the current connection set class members used in computation of fw-rules: @@ -58,8 +56,8 @@ class members used in computation of fw-rules: (results_info_per_option: for debugging, dict with some info about the computation) """ self.peer_props = peer_props - self.connections = connections - self.peer_props_in_containing_connections = peer_props_in_containing_connections + self.props = props + self.peer_props_in_containing_props = peer_props_in_containing_props self.ns_set_pairs = set() self.base_elem_pairs = set() self.peer_props_without_ns_expr = ConnectivityProperties() 
@@ -124,12 +122,15 @@ def _compute_covered_peer_props(self): not necessarily only limited to current connection set) :return: None """ - covered_peer_props = self.peer_props | self.peer_props_in_containing_connections + covered_peer_props = self.peer_props | self.peer_props_in_containing_props all_peers_set = self.peer_props.get_all_peers() - for pod in all_peers_set: - if isinstance(pod, ClusterEP): - covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), - "dst_peers": PeerSet({pod})}) + if len(all_peers_set) < 500: + # optimization - add auto-connections only if not too many peers, + # otherwise the calculation below is very heavy + for pod in all_peers_set: + if isinstance(pod, ClusterEP): + covered_peer_props |= ConnectivityProperties.make_conn_props_from_dict({"src_peers": PeerSet({pod}), + "dst_peers": PeerSet({pod})}) self.covered_peer_props = covered_peer_props def _compute_full_ns_grouping(self, all_src_ns_set, all_dst_ns_set): 
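Review bot: The new `if len(all_peers_set) < 500:` guard makes the grouping input depend on an undocumented magic threshold — above 500 peers the pod→itself pairs are no longer folded into `covered_peer_props`, so any namespace/label grouping that relied on "borrowing" those self-connections will presumably come out less compact on large clusters (still sound, since fewer covered pairs only means fewer grouping opportunities), with nothing in the output saying why. Name the constant and record the trade-off, e.g. `MAX_PEERS_FOR_SELF_CONN_COVERAGE = 500  # above this, adding a self-connection per pod is too slow; grouping may be less compact` and `if len(all_peers_set) < MAX_PEERS_FOR_SELF_CONN_COVERAGE:`, and consider printing a `fwRulesDebug` line when the branch is skipped so differing results between small and large clusters can be explained. The `# optimization - ...` comment should also say that the skip changes the produced rules, not just the runtime. `_compute_covered_peer_props` begins outside the hunk.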
@@ -275,22 +276,6 @@ def _add_to_map_if_covered(self, dim_name, dim_peers, other_dim_name, other_dim_ if curr_covered & self.peer_props_without_ns_expr: peers_to_peers_map[frozenset(dim_peers)] |= other_dim_peers - def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): - """ - create a fw-rule from a fixed-elem and a set of namespaces - :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) - :param ns_set: a set of namespaces - :param fixed_elem: the fixed element - :return: a list with created FWRule - """ - # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - return [fw_rule] - def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): """ Group a given set of pods by labels, and create FWRuleElements according to the grouping 
@@ -308,50 +293,6 @@ def _create_fw_elements_by_pods_grouping_by_labels(self, pods_set): res.append(PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments')) return res - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set, - make_peer_sets=False): - """ - Implements grouping in the level of pods labels. - :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. - :param pods_set: the set of pods to be grouped - :param fixed_elem: the fixed element of the original fw-rules - :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be - used for grouping (completing for a set of pods to cover some label grouping). - :return: a set of fw-rules result after grouping - """ - res = [] - # (1) try grouping by pods-labels: - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) - for (key, values, ns_info) in chosen_rep: - map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) - all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) - pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - res.append(fw_rule) - - # TODO: should avoid having single pods remaining without labels grouping - # (2) add rules for remaining single pods: - if make_peer_sets and remaining_pods: - peer_set_elem = PeerSetElement(PeerSet(remaining_pods), self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, peer_set_elem, self.connections) - else: - fw_rule = FWRule(peer_set_elem, fixed_elem, self.connections) 
- res.append(fw_rule) - else: - for pod in remaining_pods: - single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) - else: - fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) - res.append(fw_rule) - return res - def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ creating initial fw-rules from base elements @@ -361,7 +302,7 @@ def _create_fw_rules_from_base_elements_list(self, base_elems_pairs): """ res = [] for (src, dst) in base_elems_pairs: - res.extend(self._create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, + res.extend(self._create_fw_rules_from_base_elements(src, dst, self.props, self.cluster_info, self.output_config)) return res @@ -392,14 +333,14 @@ def _create_fw_rules_from_peer_props_aux(self, peer_props): dst_peers = conn_cube["dst_peers"] # whole peers sets were handled in self.ns_set_pairs and self.base_elem_pairs assert src_peers and dst_peers - res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.connections, + res.extend(self._create_fw_rules_from_base_elements(src_peers, dst_peers, self.props, self.cluster_info, self.output_config)) return res - def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_info, output_config): + def _create_fw_rules_from_base_elements(self, src, dst, props, cluster_info, output_config): """ create fw-rules from single pair of base elements (src,dst) and a given connection set - :param ConnectionSet connections: the allowed connections from src to dst + :param ConnectivityProperties props: the allowed connections from src to dst :param src: a base-element of type: ClusterEP/K8sNamespace/ IpBlock :param dst: a base-element of type: ClusterEP/K8sNamespace/IpBlock :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info 
@@ -411,7 +352,7 @@ def _create_fw_rules_from_base_elements(self, src, dst, connections, cluster_inf dst_elem = self._create_fw_elements_from_base_element(dst, cluster_info, output_config) if src_elem is None or dst_elem is None: return [] - return [FWRule(src, dst, connections) for src in src_elem for dst in dst_elem] + return [FWRule(src, dst, props) for src in src_elem for dst in dst_elem] def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_config): """ 
@@ -447,14 +388,91 @@ def _create_fw_elements_from_base_element(self, base_elem, cluster_info, output_ # unknown base-elem type return None - def _get_peers_paired_with_given_peer(self, peer, is_src_peer): - this_dim = "src_peers" if is_src_peer else "dst_peers" - other_dim = "dst_peers" if is_src_peer else "src_peers" - props = self.covered_peer_props & ConnectivityProperties.make_conn_props_from_dict({this_dim: PeerSet({peer})}) - return props.project_on_one_dimension(other_dim) - - # --------------------------------------------------------------------------------------------------------- - # below functions are for debugging : + def _get_pods_grouping_by_labels_main(self, pods_set, extra_pods_set): + """ + The main function to implement pods grouping by labels. + This function splits the pods into namespaces, and per ns calls get_pods_grouping_by_labels(). + :param pods_set: the pods for grouping + :param extra_pods_set: additional pods that can be used for grouping + :return: + res_chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + res_remaining_pods: set of pods from pods_set that are not included in the grouping result (could not be grouped). + """ + ns_context_options = set(pod.namespace for pod in pods_set) + res_chosen_rep = [] + res_remaining_pods = set() + # grouping by pod-labels per each namespace separately + for ns in ns_context_options: + pods_set_per_ns = pods_set & PeerSet(self.cluster_info.ns_dict[ns]) + extra_pods_set_per_ns = extra_pods_set & self.cluster_info.ns_dict[ns] + chosen_rep, remaining_pods = self._get_pods_grouping_by_labels(pods_set_per_ns, ns, extra_pods_set_per_ns) + res_chosen_rep.extend(chosen_rep) + res_remaining_pods |= remaining_pods + return res_chosen_rep, res_remaining_pods + + def _get_pods_grouping_by_labels(self, pods_set, ns, extra_pods_set): + """ + Implements pods grouping by labels in a single namespace. + :param pods_set: the set of pods for grouping. 
+ :param ns: the namespace + :param extra_pods_set: additional pods that can be used for completing the grouping + (originated in containing connections). + :return: + chosen_rep: a list of tuples (key,values,ns) -- as the chosen representation for grouping the pods. + remaining_pods: set of pods from pods_list that are not included in the grouping result + """ + if self.output_config.fwRulesDebug: + print('get_pods_grouping_by_labels:') + print('pods_list: ' + ','.join([str(pod) for pod in pods_set])) + print('extra_pods_list: ' + ','.join([str(pod) for pod in extra_pods_set])) + all_pods_set = pods_set | extra_pods_set + allowed_labels = self.cluster_info.allowed_labels + pods_per_ns = self.cluster_info.ns_dict[ns] + # labels_rep_options is a list of tuples (key, (values, pods-set)), where each tuple in this list is a valid + # grouping of pods-set by "key in values" + labels_rep_options = [] + for key in allowed_labels: + values_for_key = self.cluster_info.get_all_values_set_for_key_per_namespace(key, {ns}) + fully_covered_label_values = set() + pods_with_fully_covered_label_values = set() + for v in values_for_key: + all_pods_per_label_val = self.cluster_info.pods_labels_map[(key, v)] & pods_per_ns + if not all_pods_per_label_val: + continue + pods_with_label_val_from_pods_list = all_pods_per_label_val & all_pods_set + pods_with_label_val_from_original_pods_list = all_pods_per_label_val & pods_set + # allow to "borrow" from extra_pods_set only if at least one pod is also in original pods_set + if all_pods_per_label_val == pods_with_label_val_from_pods_list and \ + pods_with_label_val_from_original_pods_list: + fully_covered_label_values |= {v} + pods_with_fully_covered_label_values |= pods_with_label_val_from_pods_list + # TODO: is it OK to ignore label-grouping if only one pod is involved? 
+ if self.output_config.fwRulesGroupByLabelSinglePod: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) >= 1: # don't ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + else: + if fully_covered_label_values and len( + pods_with_fully_covered_label_values) > 1: # ignore label-grouping if only one pod is involved + labels_rep_options.append((key, (fully_covered_label_values, pods_with_fully_covered_label_values))) + + chosen_rep = [] + remaining_pods = pods_set.copy() + # sort labels_rep_options by length of pods_with_fully_covered_label_values, to prefer label-grouping that + # covers more pods + sorted_rep_options = sorted(labels_rep_options, key=lambda x: len(x[1][1]), reverse=True) + if self.output_config.fwRulesDebug: + print('sorted rep options:') + for (key, (label_vals, pods)) in sorted_rep_options: + print(key, label_vals, len(pods)) + ns_info = {ns} + for (k, (vals, pods)) in sorted_rep_options: + if (pods & pods_set).issubset(remaining_pods): + chosen_rep.append((k, vals, ns_info)) + remaining_pods -= PeerSet(pods) + if not remaining_pods: + break + return chosen_rep, remaining_pods def _print_results_info(self): print('----------------') @@ -466,7 +484,7 @@ def _print_results_info(self): def _print_firewall_rules(self, rules): print('-------------------') - print('rules for connections: ' + str(self.connections)) + print('rules for connections: ' + str(self.props)) for rule in rules: # filter out rule of a pod to itslef # if rule.is_rule_trivial(): diff --git a/nca/FWRules/MinimizeFWRules.py b/nca/FWRules/MinimizeFWRules.py index dab616015..92a253475 100644 --- a/nca/FWRules/MinimizeFWRules.py +++ b/nca/FWRules/MinimizeFWRules.py 
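Review bot: In the added `_get_pods_grouping_by_labels_main` the two per-namespace intersections are written inconsistently — `pods_set & PeerSet(self.cluster_info.ns_dict[ns])` wraps the namespace's pods in a `PeerSet` while the next line `extra_pods_set & self.cluster_info.ns_dict[ns]` does not, so one of them either relies on `ns_dict[ns]` already being a `PeerSet` (the wrap is then redundant) or on `&` between a `PeerSet` and a plain set being well-defined; which one holds is not visible here, and `res_remaining_pods` is then accumulated from the per-ns `PeerSet`-typed remainders into a plain `set()`. Write both lines the same way and accumulate `res_remaining_pods` with the same type `_get_pods_grouping_by_labels` returns, so the caller that does `PeerSet(remaining_pods)` is not the only thing papering over the mix. In `_get_pods_grouping_by_labels` the `fwRulesGroupByLabelSinglePod` branch's `len(pods_with_fully_covered_label_values) >= 1` is always true once `fully_covered_label_values` is non-empty (every accepted value required a non-empty `pods_with_label_val_from_original_pods_list`), so the duplicated branches collapse to `min_pods = 1 if self.output_config.fwRulesGroupByLabelSinglePod else 2` followed by `if fully_covered_label_values and len(pods_with_fully_covered_label_values) >= min_pods:`. The docstring's `remaining_pods: set of pods from pods_list` should refer to `pods_set`, the actual parameter.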
@@ -4,563 +4,11 @@ # from collections import defaultdict -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import IpBlock, ClusterEP, Pod, HostEP, DNSEntry +from nca.CoreDS.Peer import IpBlock from nca.CoreDS.ProtocolSet import ProtocolSet -from .FWRule import FWRuleElement, FWRule, PodElement, LabelExpr, PodLabelsElement, IPBlockElement, DNSElement -from .MinimizeBasic import MinimizeBasic -from .MinimizeCsFWRulesOpt import MinimizeCsFwRulesOpt - - -class MinimizeCsFwRules(MinimizeBasic): - """ - This is a class for minimizing fw-rules within a specific connection-set - """ - - def __init__(self, cluster_info, output_config): - """ - create an object of MinimizeCsFwRules - :param cluster_info: an object of type ClusterInfo, with relevant cluster topology info - :param output_config: an OutputConfiguration object - - """ - super().__init__(cluster_info, output_config) - self.peer_pairs = set() - self.connections = ConnectionSet() - self.peer_pairs_in_containing_connections = set() - self.ns_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() - self.peer_pairs_without_ns_expr = set() - self.covered_peer_pairs_union = set() - self.results_info_per_option = dict() - self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - - def compute_minimized_fw_rules_per_connection(self, connections, peer_pairs, peer_pairs_in_containing_connections): - """ - The main function for creating the minimized set of fw-rules for a given connection set - - :param connections: the allowed connections for the given peer pairs, of type ConnectionSet - :param peer_pairs: (set) pairs of peers (src,dst) for which communication is allowed over the given connections - :param peer_pairs_in_containing_connections: (set) pairs of peers in connections that contain the current - connection set - - class members used in computation of fw-rules: - self.ns_pairs : pairs of 
namespaces, grouped from peer_pairs and peer_pairs_in_containing_connections - self.peers_with_ns_pairs: pairs of (pod,ns) or (ns,pod), with ns-grouping for one dimension - self.peer_pairs_without_ns_expr: pairs of pods, with no possible ns-grouping - self.covered_peer_pairs_union: union (set) of all peer pairs for which communication is allowed in current - connection-set (but not necessarily only limited to current connection set) - - :return: - minimized_fw_rules: a list of fw-rules (of type list[FWRule]) - (results_info_per_option: for debugging, dict with some info about the computation) - """ - self.peer_pairs = peer_pairs - self.connections = connections - self.peer_pairs_in_containing_connections = peer_pairs_in_containing_connections - self.ns_pairs = set() - self.peer_pairs_with_partial_ns_expr = set() - self.peer_pairs_without_ns_expr = set() - self.covered_peer_pairs_union = set() - self.results_info_per_option = dict() - self.minimized_fw_rules = [] # holds the computation result of minimized fw-rules - - self._create_fw_rules() - if self.output_config.fwRulesRunInTestMode: - self._print_firewall_rules(self.minimized_fw_rules) - self._print_results_info() - - return self.minimized_fw_rules, self.results_info_per_option - - def _create_fw_rules(self): - """ - The main function for creating the minimized set of fw-rules for a given connection set - :return: None - """ - # partition peer_pairs to ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - self._compute_basic_namespace_grouping() - - # add all fw-rules: - self._add_all_fw_rules() - - def _compute_basic_namespace_grouping(self): - """ - computation of peer_pairs with possible grouping by namespaces. 
- Results are at: ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - :return: None - """ - self._compute_covered_peer_pairs_union() - # only Pod elements have namespaces (skipping IpBlocks and HostEPs) - src_namespaces_set = set(src.namespace for (src, dest) in self.peer_pairs if isinstance(src, Pod)) - dst_namespaces_set = set(dest.namespace for (src, dest) in self.peer_pairs if isinstance(dest, Pod)) - # per relevant namespaces, compute which pairs of src-ns and dst-ns are covered by given peer-pairs - for src_ns in src_namespaces_set: - for dst_ns in dst_namespaces_set: - ns_product_pairs = set((src, dst) for src in self.cluster_info.ns_dict[src_ns] for dst in - self.cluster_info.ns_dict[dst_ns]) - if ns_product_pairs.issubset(self.covered_peer_pairs_union): - self.ns_pairs |= {(src_ns, dst_ns)} - else: - self.peer_pairs_without_ns_expr |= ns_product_pairs & self.peer_pairs - - # TODO: what about peer pairs with ip blocks from containing connections, not only peer_pairs for this connection? 
- pairs_with_elems_without_ns = \ - set((src, dst) for (src, dst) in self.peer_pairs - if isinstance(src, (IpBlock, HostEP, DNSEntry)) or isinstance(dst, (IpBlock, HostEP, DNSEntry))) - self.peer_pairs_without_ns_expr |= pairs_with_elems_without_ns - # compute pairs with src as pod/ip-block and dest as namespace - self._compute_ns_pairs_with_partial_ns_expr(False) - # compute pairs with src as pod/ip-block namespace dest as pod - self._compute_ns_pairs_with_partial_ns_expr(True) - # remove pairs of (pod,pod) for trivial cases of communication from pod to itself - self._remove_trivial_rules_from_peer_pairs_without_ns_expr() - - def _compute_covered_peer_pairs_union(self): - """ - compute the union (set) of all peer pairs for which communication is allowed in current connection-set (but - not necessarily only limited to current connection set) - :return: None - """ - covered_peer_pairs_union = self.peer_pairs | self.peer_pairs_in_containing_connections - - all_pods_set = set(src for (src, dst) in self.peer_pairs if isinstance(src, ClusterEP)) | \ - set(dst for (src, dst) in self.peer_pairs if isinstance(dst, ClusterEP)) - for pod in all_pods_set: - covered_peer_pairs_union |= {(pod, pod)} - self.covered_peer_pairs_union = covered_peer_pairs_union - - @staticmethod - def _get_pods_set_per_fixed_elem_from_peer_pairs(is_src_fixed, fixed_elem, peer_pairs_set): - """ - - :param is_src_fixed: bool flag indicating if fixed elem is src (True) or dst (False) - :param fixed_elem: the fixed element - :param peer_pairs_set: set of peer pairs - :return:set of pods that are paired with fixed_elem ( as src/dst according to flag is_src_fixed) - in peer_pairs_set - """ - if is_src_fixed: - return set(dest for (src, dest) in peer_pairs_set if src == fixed_elem and isinstance(dest, Pod)) - return set(src for (src, dest) in peer_pairs_set if dest == fixed_elem and isinstance(src, Pod)) - - def _get_peer_pairs_product_for_ns_and_fixed_elem(self, is_pod_in_src, pod, ns): - """ - compute 
all peer pairs represented by a pair of a pod with entire namespace - :param is_pod_in_src: flag indicating if pod is src (True) or dst (False) - :param pod: the fixed element - :param ns: the entire namespace - :return: a set of peer pairs - """ - if is_pod_in_src: - return set((pod, dst_pod) for dst_pod in self.cluster_info.ns_dict[ns]) - return set((src_pod, pod) for src_pod in self.cluster_info.ns_dict[ns]) - - def _get_ns_covered_in_one_dimension(self, is_src_fixed, fixed_elem): - """ - compute if a fixed elem (src or dst) can be paired with entire namespace (dst or src) - :param is_src_fixed: a bool flag indicating if fixed_elem is a src elem (True) of dst (False) - :param fixed_elem: a fixed elem (of type Pod/IpBlock) - :return: - covered_ns_set: set of namespaces for which fixed_elem can be paired with - (connection is allowed between fixed_elem and each ns in this set [direction depends on is_src_fixed], - according to current connection set and the containing connections as well). 
- peer_pairs_product_union: set of peer pairs represented by each pair of fixed_elem with ns in covered_ns_set - """ - pods_set = self._get_pods_set_per_fixed_elem_from_peer_pairs(is_src_fixed, fixed_elem, - self.peer_pairs_without_ns_expr) - # ns_set is a set with the potential namespaces for grouping - ns_set = set(e.namespace for e in pods_set) - covered_ns_set = set() - peer_pairs_product_union = set() - for ns in ns_set: - peer_pairs_product = self._get_peer_pairs_product_for_ns_and_fixed_elem(is_src_fixed, fixed_elem, ns) - # if the connections between entire ns and fixed_elem is allowed - add ns to covered_ns_set - if peer_pairs_product.issubset(self.covered_peer_pairs_union): - covered_ns_set |= {ns} - peer_pairs_product_union |= peer_pairs_product - return covered_ns_set, peer_pairs_product_union - - def _compute_ns_pairs_with_partial_ns_expr(self, is_src_ns): - """ - computes and updates self.peers_with_ns_pairs with pairs where only one elem (src/dst) - can be grouped to an entire namespace - :param is_src_ns: a bool flag to indicate if computing pairs with src elem grouped as ns (True) or dst (False) - :return: None - """ - # pod_set is the set of pods in pairs of peer_pairs_without_ns_expr, within elem type (src/dst) which is not - # in the grouping computation - pod_set = set(src for (src, _) in self.peer_pairs_without_ns_expr) if not is_src_ns else \ - set(dst for (_, dst) in self.peer_pairs_without_ns_expr) - # loop on fixed elements (not in the grouping computation) - for pod in pod_set: - covered_ns_set, peer_pairs_product_union = self._get_ns_covered_in_one_dimension(not is_src_ns, pod) - for ns in covered_ns_set: - partial_ns_expr_pair = (pod, ns) if not is_src_ns else (ns, pod) - self.peer_pairs_with_partial_ns_expr |= {partial_ns_expr_pair} - self.peer_pairs_without_ns_expr -= peer_pairs_product_union - - # remove trivial pairs to avoid creating them a fw-rule directly - def _remove_trivial_rules_from_peer_pairs_without_ns_expr(self): - """ - 
update peer_pairs_without_ns_expr by removing pairs with identical src and dst elements. - a communication from a pod to itself is trivial, thus we should avoid creating fw-rules for such pairs. - Note that these pairs are contained in self.covered_peer_pairs_union, thus can be used for grouping if needed. - :return: None - """ - trivial_pairs = set((src, dst) for (src, dst) in self.peer_pairs_without_ns_expr if src == dst) - self.peer_pairs_without_ns_expr -= trivial_pairs - - def get_ns_fw_rules_grouped_by_common_elem(self, is_src_fixed, ns_set, fixed_elem): - """ - create a fw-rule from a fixed-elem and a set of namespaces - :param is_src_fixed: a flag indicating if the fixed elem is src (True) or dst (False) - :param ns_set: a set of namespaces - :param fixed_elem: the fixed element - :return: a list with created FWRule - """ - # currently no grouping of ns-list by labels of namespaces - grouped_elem = FWRuleElement(ns_set, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - return [fw_rule] - - def _get_pod_level_fw_rules_grouped_by_common_labels(self, is_src_fixed, pods_set, fixed_elem, extra_pods_set): - """ - Implements grouping in the level of pods labels. - :param is_src_fixed: a bool flag to indicate if fixed_elem is at src or dst. - :param pods_set: the set of pods to be grouped - :param fixed_elem: the fixed element of the original fw-rules - :param extra_pods_set: an additional pods set from containing connections (with same fixed_elem) that can be - used for grouping (completing for a set of pods to cover some label grouping). 
- :return: a set of fw-rules result after grouping - """ - res = [] - # (1) try grouping by pods-labels: - chosen_rep, remaining_pods = self._get_pods_grouping_by_labels_main(pods_set, extra_pods_set) - for (key, values, ns_info) in chosen_rep: - map_simple_keys_to_all_values = self.cluster_info.get_map_of_simple_keys_to_all_values(key, ns_info) - all_key_values = self.cluster_info.get_all_values_set_for_key_per_namespace(key, ns_info) - pod_label_expr = LabelExpr(key, set(values), map_simple_keys_to_all_values, all_key_values) - grouped_elem = PodLabelsElement(pod_label_expr, ns_info, self.cluster_info) - if is_src_fixed: - fw_rule = FWRule(fixed_elem, grouped_elem, self.connections) - else: - fw_rule = FWRule(grouped_elem, fixed_elem, self.connections) - res.append(fw_rule) - - # TODO: should avoid having single pods remaining without labels grouping - # (2) add rules for remaining single pods: - for pod in remaining_pods: - single_pod_elem = PodElement(pod, self.output_config.outputEndpoints == 'deployments') - if is_src_fixed: - fw_rule = FWRule(fixed_elem, single_pod_elem, self.connections) - else: - fw_rule = FWRule(single_pod_elem, fixed_elem, self.connections) - res.append(fw_rule) - return res - - def _create_initial_fw_rules_from_base_elements_list(self, base_elems_pairs): - """ - creating initial fw-rules from base elements - :param base_elems_pairs: a set of pairs (src,dst) , each of type: Pod/K8sNamespace/IpBlock - :return: list with created fw-rules - :rtype list[FWRule] - """ - res = [] - for (src, dst) in base_elems_pairs: - res.extend(FWRule.create_fw_rules_from_base_elements(src, dst, self.connections, self.cluster_info, - self.output_config)) - return res - - def _create_all_initial_fw_rules(self): - """ - Creating initial fw-rules from base-elements pairs (pod/ns/ip-block/dns-entry) - :return: a list of initial fw-rules of type FWRule - :rtype list[FWRule] - """ - initial_fw_rules = [] - 
initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.ns_pairs)) - initial_fw_rules.extend(self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_without_ns_expr)) - initial_fw_rules.extend( - self._create_initial_fw_rules_from_base_elements_list(self.peer_pairs_with_partial_ns_expr)) - return initial_fw_rules - - def _add_all_fw_rules(self): - """ - Computation of fw-rules, following the ns-grouping of peer_pairs. - Results are at: self.minimized_rules_set - :return: None - """ - # create initial fw-rules from ns_pairs, peers_with_ns_pairs, peer_pairs_without_ns_expr - initial_fw_rules = self._create_all_initial_fw_rules() - # TODO: consider a higher resolution decision between option1 and option2 (per src,dst pair rather than per - # all ConnectionSet pairs) - - # option1 - start computation when src is fixed at first iteration, and merge applies to dst - option1, convergence_iteration_1 = self._create_merged_rules_set(True, initial_fw_rules) - # option2 - start computation when dst is fixed at first iteration, and merge applies to src - option2, convergence_iteration_2 = self._create_merged_rules_set(False, initial_fw_rules) - - # self.post_processing_fw_rules(option1) - # self.post_processing_fw_rules(option2) - - if self.output_config.fwRulesRunInTestMode: - equiv1 = self.check_peer_pairs_equivalence(option1) - equiv2 = self.check_peer_pairs_equivalence(option2) - assert equiv1 - assert equiv2 - # add info for documentation about computation results - self.results_info_per_option['option1_len'] = len(option1) - self.results_info_per_option['option2_len'] = len(option2) - self.results_info_per_option['convergence_iteration_1'] = convergence_iteration_1 - self.results_info_per_option['convergence_iteration_2'] = convergence_iteration_2 - self.results_info_per_option['equiv1'] = equiv1 - self.results_info_per_option['equiv2'] = equiv2 - - if self.output_config.fwRulesDebug: - print('option 1 rules:') - 
self._print_firewall_rules(option1) - print('option 2 rules: ') - self._print_firewall_rules(option2) - - # choose the option with less fw-rules - if len(option1) < len(option2): - self.minimized_fw_rules = option1 - return - self.minimized_fw_rules = option2 - - def _get_grouping_result(self, fixed_elem, set_for_grouping_elems, src_first): - """ - Apply grouping for a set of elements to create grouped fw-rules - :param fixed_elem: the fixed elements from the original fw-rules - :param set_for_grouping_elems: the set of elements to be grouped - :param src_first: a bool flag to indicate if fixed_elem is src or dst - :return: A list of fw-rules after possible grouping operations - """ - res = [] - # partition set_for_grouping_elems into: (1) ns_elems, (2) pod_and_pod_labels_elems, (3) ip_block_elems - pod_and_pod_labels_elems = set(elem for elem in set_for_grouping_elems if - isinstance(elem, (PodElement, PodLabelsElement))) - ip_block_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, IPBlockElement)) - dns_elems = set(elem for elem in set_for_grouping_elems if isinstance(elem, DNSElement)) - ns_elems = set_for_grouping_elems - (pod_and_pod_labels_elems | ip_block_elems | dns_elems) - - if ns_elems: - # grouping of ns elements is straight-forward - ns_set = set.union(*(f.ns_info for f in ns_elems)) - res.extend(self.get_ns_fw_rules_grouped_by_common_elem(src_first, ns_set, fixed_elem)) - - if pod_and_pod_labels_elems: - # grouping of pod and pod-labels elements - # TODO: currently adding this due to example in test24: a single pod-labels elem is replaced by another grouping - if len(pod_and_pod_labels_elems) == 1 and isinstance(list(pod_and_pod_labels_elems)[0], PodLabelsElement): - elem = list(pod_and_pod_labels_elems)[0] - fw_rule = FWRule(fixed_elem, elem, self.connections) if src_first else FWRule(elem, fixed_elem, - self.connections) - res.append(fw_rule) - else: - # set_for_grouping_pods is the set of all pods originated in pods and 
pod-labels elements, to be grouped - set_for_grouping_pods = set() - for e in pod_and_pod_labels_elems: - set_for_grouping_pods |= e.get_pods_set() - - # allow borrowing pods for labels-grouping from covered_peer_pairs_union - fixed_elem_pods = fixed_elem.get_pods_set() - # extra_pods_list is a list of pods sets that are paired with pods in fixed_elem_pods within - # covered_peer_pairs_union - extra_pods_list = [] - for p in fixed_elem_pods: - if src_first: - pods_to_add = set(dst for (src, dst) in self.covered_peer_pairs_union if src == p) - else: - pods_to_add = set(src for (src, dst) in self.covered_peer_pairs_union if dst == p) - extra_pods_list.append(pods_to_add) - # extra_pods_list_common is a set of pods that are paired with all pods in fixed_elem_pods within - # covered_peer_pairs_union - extra_pods_list_common = set() - if extra_pods_list: - extra_pods_list_common = set.intersection(*extra_pods_list) - - res.extend(self._get_pod_level_fw_rules_grouped_by_common_labels(src_first, set_for_grouping_pods, - fixed_elem, extra_pods_list_common)) - - if ip_block_elems: - # currently no grouping for ip blocks - for elem in ip_block_elems: - if src_first: - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - if dns_elems: - for elem in dns_elems: - if src_first: # do we need both if else? 
, dns_elem may be a dst always - res.append(FWRule(fixed_elem, elem, self.connections)) - else: - res.append(FWRule(elem, fixed_elem, self.connections)) - - return res - - def _create_merged_rules_set(self, is_src_first, fw_rules): - """ - Computing a minimized set of fw-rules by merging src/dst elements iteratively - :param is_src_first: a bool flag to indicate if merge process starts with src or dest - :param fw_rules: a list of initial fw-rules - :return: a list of minimized fw-rules after merge process - """ - initial_fw_rules = fw_rules.copy() - if not initial_fw_rules: - return [], 0 - count_fw_rules = dict() # map number of fw-rules per iteration number - max_iter = self.output_config.fwRulesMaxIter - convergence_iteration = max_iter - for i in range(0, max_iter): - fw_rules_after_merge = [] - count_fw_rules[i] = len(initial_fw_rules) - if i > 1 and count_fw_rules[i] == count_fw_rules[i - 1]: - convergence_iteration = i - break - if i > 1 and self.output_config.fwRulesRunInTestMode: - assert count_fw_rules[i - 1] > count_fw_rules[i], "Expecting fewer fw_rules after each merge iteration." - # change the grouping target (src/dst) on each iteration - src_first = (i % 2 == 0) if is_src_first else (i % 2 == 1) - first_elem_set = set(f.src for f in initial_fw_rules) if src_first else set(f.dst for f in initial_fw_rules) - for elem in first_elem_set: - if src_first: - # TODO: equals or contained in? 
- set_for_grouping_elems = set(f.dst for f in initial_fw_rules if f.src == elem) - else: - set_for_grouping_elems = set(f.src for f in initial_fw_rules if f.dst == elem) - res = self._get_grouping_result(elem, set_for_grouping_elems, src_first) - fw_rules_after_merge.extend(res) - # prepare for next iteration - initial_fw_rules = fw_rules_after_merge - if self.output_config.fwRulesDebug: - print('fw rules after iteration: ' + str(i)) - self._print_firewall_rules(initial_fw_rules) - - return initial_fw_rules, convergence_iteration - - # --------------------------------------------------------------------------------------------------------- - # below functions are for debugging : - - def _print_results_info(self): - print('----------------') - print('results_info_per_option: ') - for key in self.results_info_per_option: - val = self.results_info_per_option[key] - print(str(key) + ':' + str(val)) - print('----------------') - - def _print_firewall_rules(self, rules): - print('-------------------') - print('rules for connections: ' + str(self.connections)) - for rule in rules: - # filter out rule of a pod to itslef - # if rule.is_rule_trivial(): - # continue - print(rule) - - def get_src_dest_pairs_from_fw_rules(self, rules): - src_dest_pairs = [] - for rule in rules: - # compute set of pods derived from rule src and rule dest - if not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ - not isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = rule.src.get_pods_set() - dest_set = rule.dst.get_pods_set() - - for src in src_set: - for dst in dest_set: - src_dest_pairs.append((src, dst)) - - elif isinstance(rule.src, IPBlockElement) and not isinstance(rule.dst, (IPBlockElement, DNSElement)): - dest_set = rule.dst.get_pods_set() - for dst in dest_set: - src_dest_pairs.append((rule.src.element, dst)) - - elif not isinstance(rule.src, (IPBlockElement, DNSElement)) and \ - isinstance(rule.dst, (IPBlockElement, DNSElement)): - src_set = 
rule.src.get_pods_set() - for src in src_set: - src_dest_pairs.append((src, rule.dst.element)) - - for (src, dst) in src_dest_pairs: - if isinstance(src, IpBlock) and isinstance(dst, IpBlock): - src_dest_pairs.remove((src, dst)) - if isinstance(src, DNSEntry): # we should not get here but if somehow the src is dns-entry it will be removed - src_dest_pairs.remove((src, dst)) - - return set(src_dest_pairs) - - @staticmethod - def validate_ip_blocks(ips_list_1, ips_list_2): - ip_block_1 = IpBlock() - ip_block_2 = IpBlock() - for ip in ips_list_1: - ip_block_1 |= ip - for ip in ips_list_2: - ip_block_2 |= ip - return ip_block_1.contained_in(ip_block_2) - - # for testing - make sure set of peer pairs derived from fw-rules is equivalent to the input peer pairs - def check_peer_pairs_equivalence(self, rules): - orig_set = set(self.peer_pairs) - allowed_extra_set = set(self.covered_peer_pairs_union) # set(self.peer_pairs_in_containing_connections) - union_allowed_set = orig_set.union(allowed_extra_set) - results_set_orig = self.get_src_dest_pairs_from_fw_rules(rules) - - # direction 1: find justification for every pair in the result - for (src, dst) in results_set_orig: - if isinstance(src, ClusterEP) and isinstance(dst, ClusterEP) and not (src, dst) in union_allowed_set: - return False - elif isinstance(dst, IpBlock): - allowed_ips_from_res = [dst for (src1, dst) in results_set_orig if - src1 == src and isinstance(dst, IpBlock)] - allowed_ips_from_orig = [dst for (src1, dst) in union_allowed_set if - src1 == src and isinstance(dst, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_res, allowed_ips_from_orig): - return False - elif isinstance(src, IpBlock): - allowed_ips_from_res = [src for (src, dst1) in results_set_orig if - dst1 == dst and isinstance(src, IpBlock)] - allowed_ips_from_orig = [src for (src, dst1) in union_allowed_set if - dst1 == dst and isinstance(src, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_res, allowed_ips_from_orig): - 
return False - - # direction 2: make sure that any pair in the orig_set is covered in the result - for (src, dst) in orig_set: - if isinstance(src, ClusterEP) and isinstance(dst, ClusterEP) and not (src, dst) in results_set_orig: - if src != dst: # ignore trivial pairs - print('pair ' + str((src, dst)) + ' in orig_set but not in results_set_orig ') - return False - elif isinstance(dst, IpBlock): - allowed_ips_from_res = [dst for (src1, dst) in results_set_orig if - src1 == src and isinstance(dst, IpBlock)] - allowed_ips_from_orig = [dst for (src1, dst) in orig_set if src1 == src and isinstance(dst, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_orig, allowed_ips_from_res): - print('src: ' + str(src) + ' ip block from orig not covered in res ') - print(' orig ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_orig)) - print(' res ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_res)) - return False - elif isinstance(src, IpBlock): - allowed_ips_from_res = [src for (src, dst1) in results_set_orig if - dst1 == dst and isinstance(src, IpBlock)] - allowed_ips_from_orig = [src for (src, dst1) in orig_set if - dst1 == dst and isinstance(src, IpBlock)] - if not self.validate_ip_blocks(allowed_ips_from_orig, allowed_ips_from_res): - print('dst: ' + str(dst) + ' ip block from orig not covered in res ') - print(' orig ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_orig)) - print(' res ip block: ' + ','.join(str(ip) for ip in allowed_ips_from_res)) - return False - - return True - -# ================================================================================================================== +from .FWRule import FWRule +from .MinimizeCsFWRules import MinimizeCsFwRules class MinimizeFWRules: 
@@ -571,7 +19,7 @@ class MinimizeFWRules:
def __init__(self, fw_rules_map, cluster_info, output_config, results_map):
"""
create n object of MinimizeFWRules
- :param fw_rules_map: a map from ConnectionSet to list[FWRule] - the list of minimized fw-rules per connection
+ :param fw_rules_map: a map from ConnectivityProperties to list[FWRule] - the list of minimized fw-rules per props
:param cluster_info: an object of type ClusterInfo
:param output_config: an object of type OutputConfiguration
:param results_map: (temp, for debugging) a map from connection to results info
@@ -680,35 +128,6 @@ def _get_all_rules_list_in_req_format(self, req_format): rules_dict[str(rule_obj)] = 1 return rules_list - @staticmethod - def minimize_firewall_rules(cluster_info, output_config, connections_sorted_by_size): - """ - Creates the set of minimized fw rules and prints to output - :param ClusterInfo cluster_info: the cluster info - :param OutputConfiguration output_config: the output configuration - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules - """ - cs_containment_map = MinimizeFWRules._build_connections_containment_map(connections_sorted_by_size) - fw_rules_map = defaultdict(list) - results_map = dict() - minimize_cs = MinimizeCsFwRules(cluster_info, output_config) - # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_pairs in connections_sorted_by_size: - # currently skip "no connections" - if not connections: - continue - # TODO: figure out why we have pairs with (ip,ip) ? - peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) - peer_pairs_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_connection( - connections, peer_pairs_filtered, peer_pairs_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info - - minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) - return minimize_fw_rules - @staticmethod def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, peer_container, connectivity_restriction): 
@@ -719,46 +138,46 @@ def get_minimized_firewall_rules_from_props(props, cluster_info, output_config, else: # connectivity_restriction == 'non-TCP' relevant_protocols = ProtocolSet.get_non_tcp_protocols() - peers_to_connections = defaultdict(ConnectionSet) - # pick up all connection sets relating to the same peer set pairs + peers_to_props = defaultdict(ConnectivityProperties) + # pick up all connectivity propertoes relating to the same peer set pairs for cube in props: conn_cube = props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, peer_container, relevant_protocols) + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, peer_container, relevant_protocols) conn_cube.unset_all_but_peers() - peers_to_connections[ConnectivityProperties.make_conn_props(conn_cube)] |= conns - # now combine all peer set pairs relating to the same connection sets - connections_to_peers = defaultdict(ConnectivityProperties) - for peers, conns in peers_to_connections.items(): - connections_to_peers[conns] |= peers - connections_sorted_by_size = list(connections_to_peers.items()) - connections_sorted_by_size.sort(reverse=True) - return MinimizeFWRules.minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size) + peers_to_props[ConnectivityProperties.make_conn_props(conn_cube)] |= conns + # now combine all peer set pairs relating to the same connectivity properties + props_to_peers = defaultdict(ConnectivityProperties) + for peers, conns in peers_to_props.items(): + props_to_peers[conns] |= peers + props_sorted_by_size = list(props_to_peers.items()) + props_sorted_by_size.sort(reverse=True) + return MinimizeFWRules.minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size) @staticmethod - def minimize_firewall_rules_opt(cluster_info, output_config, connections_sorted_by_size): + def minimize_firewall_rules(cluster_info, output_config, props_sorted_by_size): 
""" Creates the set of minimized fw rules and prints to output :param ClusterInfo cluster_info: the cluster info :param OutputConfiguration output_config: the output configuration - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format + :param list props_sorted_by_size: the original connectivity graph in fw-rules format :return: minimize_fw_rules: an object of type MinimizeFWRules holding the minimized fw-rules """ - cs_containment_map = MinimizeFWRules._build_connections_containment_map_opt(connections_sorted_by_size) + props_containment_map = MinimizeFWRules._build_props_containment_map(props_sorted_by_size) fw_rules_map = defaultdict(list) results_map = dict() - minimize_cs_opt = MinimizeCsFwRulesOpt(cluster_info, output_config) + minimize_cs = MinimizeCsFwRules(cluster_info, output_config) # build fw_rules_map: per connection - a set of its minimized fw rules - for connections, peer_props in connections_sorted_by_size: + for props, peer_props in props_sorted_by_size: # currently skip "no connections" - if not connections: + if not props: continue # TODO: figure out why we have pairs with (ip,ip) ? - peer_props_in_containing_connections = cs_containment_map[connections] - fw_rules, results_per_info = minimize_cs_opt.compute_minimized_fw_rules_per_connection( - connections, peer_props, peer_props_in_containing_connections) - fw_rules_map[connections] = fw_rules - results_map[connections] = results_per_info + peer_props_in_containing_props = props_containment_map[props] + fw_rules, results_per_info = minimize_cs.compute_minimized_fw_rules_per_prop( + props, peer_props, peer_props_in_containing_props) + fw_rules_map[props] = fw_rules + results_map[props] = results_per_info minimize_fw_rules = MinimizeFWRules(fw_rules_map, cluster_info, output_config, results_map) return minimize_fw_rules 
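Review bot: The new `minimize_firewall_rules` keeps the comment `# TODO: figure out why we have pairs with (ip,ip) ?` but, unlike the `minimize_firewall_rules` deleted in the previous hunk, it never calls `_get_peer_pairs_filtered` on its input, so an IpBlock-to-IpBlock pair present in `peer_props` would now reach `compute_minimized_fw_rules_per_prop` unfiltered and could surface as a bogus firewall rule. If that filtering is now guaranteed upstream (the `filter_conns_by_peer_types` docstring in NetworkConfig.py further down suggests so), say it where the TODO sits, e.g. `# (ip,ip) pairs are expected to be removed upstream by NetworkConfig.filter_conns_by_peer_types`; otherwise apply the filter here. The docstring is also stale: it still says the function "prints to output" while the body only builds the maps and returns a `MinimizeFWRules` object, and `props_sorted_by_size` is a list of `(props, peer_props)` pairs sorted in descending order, not "the original connectivity graph in fw-rules format". Minor: `propertoes` in the new comment of `get_minimized_firewall_rules_from_props` should read `properties`.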
@@ -773,29 +192,48 @@ def _get_peer_pairs_filtered(peer_pairs): return set((src, dst) for (src, dst) in peer_pairs if not (isinstance(src, IpBlock) and isinstance(dst, IpBlock))) @staticmethod - def _build_connections_containment_map(connections_sorted_by_size): + def _build_props_containment_map(props_sorted_by_size): """ Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections + :param list props_sorted_by_size: the connectivity map in fw-rules format + :return: a map from connectivity properties to a set of peer pairs from containing properties """ - cs_containment_map = defaultdict(set) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - peer_pairs_filtered = MinimizeFWRules._get_peer_pairs_filtered(peer_pairs) - cs_containment_map[conn] |= peer_pairs_filtered - return cs_containment_map + props_containment_map = defaultdict(ConnectivityProperties) + for (props, _) in props_sorted_by_size: + for (other_props, peer_pairs) in props_sorted_by_size: + if other_props != props and props.contained_in(other_props): + props_containment_map[props] |= peer_pairs + return props_containment_map - def _build_connections_containment_map_opt(connections_sorted_by_size): + @staticmethod + def fw_rules_to_conn_props(fw_rules, connectivity_restriction=None): """ - Build a map from a connection to a set of peer_pairs from connections it is contained in - :param list connections_sorted_by_size: the original connectivity graph in fw-rules format - :return: a map from connection to a set of peer pairs from containing connections + Converting FWRules to ConnectivityProperties format. 
+ This function is used for checking that the generated FWRules are semantically equal to connectivity properties + from which they were generated. This check is activated when running in the debug mode + :param MinimizeFWRules fw_rules: the given FWRules. + :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to + TCP / non-TCP , or not + :return: the resulting ConnectivityProperties. """ - cs_containment_map = defaultdict(ConnectivityProperties) - for (conn, _) in connections_sorted_by_size: - for (other_conn, peer_pairs) in connections_sorted_by_size: - if other_conn != conn and conn.contained_in(other_conn): - cs_containment_map[conn] |= peer_pairs - return cs_containment_map + if connectivity_restriction: + relevant_protocols = ProtocolSet() + if connectivity_restriction == 'TCP': + relevant_protocols.add_protocol('TCP') + else: # connectivity_restriction == 'non-TCP' + relevant_protocols = ProtocolSet.get_non_tcp_protocols() + else: + relevant_protocols = ProtocolSet(True) + + res = ConnectivityProperties.make_empty_props() + if fw_rules.fw_rules_map is None: + return res + for fw_rules_list in fw_rules.fw_rules_map.values(): + for fw_rule in fw_rules_list: + src_peers = fw_rule.src.get_peer_set() + dst_peers = fw_rule.dst.get_peer_set() + rule_props = \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_peers, "dst_peers": dst_peers, + "protocols": relevant_protocols}) & fw_rule.props + res |= rule_props + return res diff --git a/nca/NetworkConfig/NetworkConfig.py b/nca/NetworkConfig/NetworkConfig.py index 534223ca7..dbe2b8f03 100644 --- a/nca/NetworkConfig/NetworkConfig.py +++ b/nca/NetworkConfig/NetworkConfig.py 
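Review bot: In `fw_rules_to_conn_props` any truthy `connectivity_restriction` other than `'TCP'` is silently treated as non-TCP (`else:  # connectivity_restriction == 'non-TCP'`), so a misspelt or unexpected value would make the debug-mode equivalence check compare against the wrong protocol set instead of failing. Make the second branch explicit and reject everything else: `elif connectivity_restriction == 'non-TCP': relevant_protocols = ProtocolSet.get_non_tcp_protocols()` followed by `else: raise ValueError(f"unexpected connectivity_restriction: {connectivity_restriction!r}")`; the same two-branch pattern is visible as context in `get_minimized_firewall_rules_from_props` above and deserves the same treatment. Also, the first line of the `_build_props_containment_map` docstring still promises "a set of peer_pairs" while the function now accumulates `ConnectivityProperties`; `:return: a map from each ConnectivityProperties to the union of the peer ConnectivityProperties of all entries that contain it` would match the code.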
@@ -5,9 +5,8 @@ from dataclasses import dataclass, field, replace from nca.CoreDS import Peer -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy, OptimizedPolicyConnections, PolicyConnectionsFilter +from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy, PolicyConnections, PolicyConnectionsFilter from .NetworkLayer import NetworkLayersContainer, NetworkLayerName from nca.Utils.ExplTracker import ExplTracker @@ -49,7 +48,7 @@ class NetworkConfig: The class also contains the core algorithm of computing allowed connections between two endpoints. """ - def __init__(self, name, peer_container, policies_container, optimized_run='false'): + def __init__(self, name, peer_container, policies_container, debug=False): """ :param str name: A name for this config :param PeerContainer peer_container: The set of endpoints and their namespaces @@ -57,9 +56,8 @@ def __init__(self, name, peer_container, policies_container, optimized_run='fals self.name = name self.peer_container = peer_container self.policies_container = policies_container - self.optimized_run = optimized_run + self.debug = debug self.allowed_labels = None - self.referenced_ip_blocks = None def __eq__(self, other): if not isinstance(other, NetworkConfig): @@ -108,7 +106,7 @@ def clone_without_policies(self, name): """ policies_container = PoliciesContainer() res = NetworkConfig(name, peer_container=self.peer_container, policies_container=policies_container, - optimized_run=self.optimized_run) + debug=self.debug) return res def clone_without_policy(self, policy_to_exclude): 
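Review bot: In the `__init__` hunk the new `debug=False` parameter takes the positional slot previously held by the string-valued `optimized_run='false'`; a caller that still passes that old flag positionally (none is visible in this diff) would silently end up with a truthy string in `self.debug`, whereas a keyword caller fails loudly. Making the flag keyword-only, `def __init__(self, name, peer_container, policies_container, *, debug=False):`, turns the silent case into a TypeError, and `clone_without_policies` already passes it by keyword. The docstring lines visible in the hunk do not mention the new parameter; add `:param bool debug: enable debug-mode self-checks and output` and adjust it to whatever the flag actually gates, which is outside this hunk.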
@@ -193,22 +191,6 @@ def check_for_excluding_ipv6_addresses(self, exclude_ipv6): return False return True # getting here means all policies didn't reference ipv6, it is safe to exclude ipv6 addresses - def get_referenced_ip_blocks(self, exclude_non_ref_ipv6=False): - """ - :param bool exclude_non_ref_ipv6: indicates if to exclude non-referenced ipv_6 addresses from the result - :return: All ip ranges, referenced in any of the policies' rules - :rtype: Peer.PeerSet - """ - if self.referenced_ip_blocks is not None: - return self.referenced_ip_blocks - - exclude_non_ref_ipv6_from_policies = self.check_for_excluding_ipv6_addresses(exclude_non_ref_ipv6) - self.referenced_ip_blocks = Peer.PeerSet() - for policy in self.policies_container.policies.values(): - self.referenced_ip_blocks |= policy.referenced_ip_blocks(exclude_non_ref_ipv6_from_policies) - - return self.referenced_ip_blocks - def get_allowed_labels(self): if self.allowed_labels is not None: return self.allowed_labels 
@@ -217,76 +199,24 @@ def get_allowed_labels(self): self.allowed_labels |= policy.referenced_labels return self.allowed_labels - # return the allowed connections considering all layers in the config - def allowed_connections(self, from_peer, to_peer, layer_name=None): - """ - This is the core of the whole application - computes the set of allowed connections from one peer to another. - In our connectivity model, this function computes the labels for the edges in our directed graph. - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param NetworkLayerName layer_name: The name of the layer to use, if requested to use a specific layer only - :return: a 4-tuple with: - - allowed_conns: all allowed connections (captured/non-captured) - - captured_flag: flag to indicate if any of the policies captured one of the peers (src/dst) - - allowed_captured_conns: allowed captured connections (can be used only if the captured flag is True) - - denied_conns: connections denied by the policies (captured) - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - if layer_name is not None: - if layer_name not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections(layer_name, from_peer, to_peer) - return self.policies_container.layers[layer_name].allowed_connections(from_peer, to_peer) - - # connectivity of hostEndpoints is only determined by calico layer - if isinstance(from_peer, Peer.HostEP) or isinstance(to_peer, Peer.HostEP): - # maintain K8s_Calico layer as active if peer container has hostEndpoint - if NetworkLayerName.K8s_Calico not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections(NetworkLayerName.K8s_Calico, - from_peer, to_peer) - return self.policies_container.layers[NetworkLayerName.K8s_Calico].allowed_connections(from_peer, to_peer) - - allowed_conns_res = ConnectionSet(True) - allowed_captured_conns_res = 
ConnectionSet() - captured_flag_res = False - denied_conns_res = ConnectionSet() - - for layer, layer_obj in self.policies_container.layers.items(): - allowed_conns_per_layer, captured_flag_per_layer, allowed_captured_conns_per_layer, \ - denied_conns_per_layer = layer_obj.allowed_connections(from_peer, to_peer) - - # all allowed connections: intersection of all allowed connections from all layers - allowed_conns_res &= allowed_conns_per_layer - - # all allowed captured connections: should be captured by at least one layer - allowed_captured_conns_res |= allowed_captured_conns_per_layer - captured_flag_res |= captured_flag_per_layer - - # denied conns: should be denied by at least one layer - denied_conns_res |= denied_conns_per_layer - - # an allowed captured conn (by at least one layer) has to be allowed by all layers (either implicitly or explicitly) - allowed_captured_conns_res &= allowed_conns_res - - return allowed_conns_res, captured_flag_res, allowed_captured_conns_res, denied_conns_res - - def allowed_connections_optimized(self, layer_name=None, res_conns_filter=PolicyConnectionsFilter()): + def allowed_connections(self, layer_name=None, res_conns_filter=PolicyConnectionsFilter()): """ Computes the set of allowed connections between any relevant peers. :param NetworkLayerName layer_name: The name of the layer to use, if requested to use a specific layer only :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with False value will not be calculated) :return: allowed_conns: all allowed connections for relevant peers. 
- :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ if ExplTracker().is_active(): ExplTracker().set_peers(self.peer_container.peer_set) if layer_name is not None: if layer_name not in self.policies_container.layers: - return self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container, - layer_name, - res_conns_filter) - return self.policies_container.layers[layer_name].allowed_connections_optimized(self.peer_container, - res_conns_filter) + return self.policies_container.layers.empty_layer_allowed_connections(self.peer_container, + layer_name, + res_conns_filter) + return self.policies_container.layers[layer_name].allowed_connections(self.peer_container, + res_conns_filter) all_peers = self.peer_container.get_all_peers_group() host_eps = Peer.PeerSet(set([peer for peer in all_peers if isinstance(peer, Peer.HostEP)])) 
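Review bot: `allowed_connections` now reuses the name of the removed per-peer-pair method with an entirely different parameter list, so a stale call such as `config.allowed_connections(src_peer, dst_peer)` would bind `src_peer` to `layer_name`, fail the `layer_name not in self.policies_container.layers` check and return `empty_layer_allowed_connections` for a layer that does not exist, i.e. a wrong connectivity answer rather than an error. No such caller is visible in this diff, but the guard is cheap: `if layer_name is not None and not isinstance(layer_name, NetworkLayerName): raise TypeError(f"layer_name must be a NetworkLayerName, got {layer_name!r}")`. Separately, the default `res_conns_filter=PolicyConnectionsFilter()` is a single instance shared by every call; `replace(...)` is applied to it further down, so it is presumably a dataclass, and unless it is frozen this is a mutable-default argument better written as `res_conns_filter=None` with `res_conns_filter = PolicyConnectionsFilter() if res_conns_filter is None else res_conns_filter` as the first statement. The body of `allowed_connections` continues past the end of this hunk.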
@@ -296,16 +226,16 @@ def allowed_connections_optimized(self, layer_name=None, res_conns_filter=Policy if host_eps and NetworkLayerName.K8s_Calico not in self.policies_container.layers: # maintain K8s_Calico layer as active if peer container has hostEndpoint conns_res = \ - self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container, - NetworkLayerName.K8s_Calico, - res_conns_filter) + self.policies_container.layers.empty_layer_allowed_connections(self.peer_container, + NetworkLayerName.K8s_Calico, + res_conns_filter) conns_res.and_by_filter(conn_hep, replace(res_conns_filter, calc_all_allowed=False)) else: - conns_res = OptimizedPolicyConnections() + conns_res = PolicyConnections() if res_conns_filter.calc_all_allowed: conns_res.all_allowed_conns = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container) for layer, layer_obj in self.policies_container.layers.items(): - conns_per_layer = layer_obj.allowed_connections_optimized(self.peer_container, res_conns_filter) + conns_per_layer = layer_obj.allowed_connections(self.peer_container, res_conns_filter) # only K8s_Calico layer handles host_eps if layer != NetworkLayerName.K8s_Calico: # connectivity of hostEndpoints is only determined by calico layer @@ -339,7 +269,6 @@ def filter_conns_by_peer_types(self, conns): Filter the given connections by removing several connection kinds that are never allowed (such as IpBlock to IpBlock connections, connections from DNSEntries, and more). :param ConnectivityProperties conns: the given connections. - :param PeerSet all_peers: all peers in the system. :return The resulting connections. :rtype ConnectivityProperties """ diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 2aae664e1..c4b8507ef 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py 
@@ -2,22 +2,17 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -import itertools import os -import time from abc import abstractmethod -from collections import defaultdict from enum import Enum from dataclasses import dataclass -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet, IpBlock, Pod, Peer, DNSEntry, BasePeerSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.DimensionsManager import DimensionsManager from nca.FWRules.ConnectivityGraph import ConnectivityGraph from nca.FWRules.MinimizeFWRules import MinimizeFWRules -from nca.FWRules.MinimizeBasic import MinimizeBasic from nca.FWRules.ClusterInfo import ClusterInfo from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnectionsFilter from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy @@ -25,7 +20,7 @@ from nca.Utils.OutputConfiguration import OutputConfiguration from .QueryOutputHandler import QueryAnswer, DictOutputHandler, StringOutputHandler, \ PoliciesAndRulesExplanations, PodsListsExplanations, ConnectionsDiffExplanation, IntersectPodsExplanation, \ - PoliciesWithCommonPods, PeersAndConnections, ComputedExplanation + PoliciesWithCommonPods, PeersAndConnectivityProperties, ComputedExplanation from .NetworkLayer import NetworkLayerName from nca.Utils.ExplTracker import ExplTracker from nca.NetworkConfig import PeerContainer 
@@ -89,19 +84,18 @@ def execute_and_compute_output_in_required_format(self, cmd_line_flag=False): BasePeerSet().get_peer_interval_of(peer_set)) DimensionsManager().set_domain("dst_peers", DimensionsManager.DimensionType.IntervalSet, BasePeerSet().get_peer_interval_of(peer_set)) - if self.get_configs()[0].optimized_run != 'false': - # update all optimized connectivity properties by reducing full src_peers/dst_peers dimensions - # according to their updated domains (above) - for config in self.get_configs(): - for policy in config.policies_container.policies.values(): - policy.reorganize_opt_props_by_new_domains() + # update all optimized connectivity properties by reducing full src_peers/dst_peers dimensions + # according to their updated domains (above) + for config in self.get_configs(): + for policy in config.policies_container.policies.values(): + policy.reorganize_props_by_new_domains() # run the query query_answer = self.execute(cmd_line_flag) - # restore peers domains and optimized connectivity properties original values + # restore peers domains and connectivity properties original values DimensionsManager.reset() for config in self.get_configs(): for policy in config.policies_container.policies.values(): - policy.restore_opt_props() + policy.restore_props() return query_answer.numerical_result, self._handle_output(query_answer), query_answer.query_not_executed def _handle_output(self, query_answer): 
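Review bot: The hunk makes the `reorganize_props_by_new_domains()` mutation unconditional, but `DimensionsManager.reset()` and `policy.restore_props()` still only run if `self.execute(cmd_line_flag)` returns normally; an exception raised by the query leaves the `DimensionsManager` domains (apparently a process-wide singleton, given the `DimensionsManager().set_domain(...)` / `DimensionsManager.reset()` usage) and every policy's props in their narrowed state, which any later query executed in the same process would then compute against. Wrapping the call in `try/finally` makes the restore happen on every path; the `src_peers`/`dst_peers` narrowing at the top of this hunk is the state being protected. The enclosing `execute_and_compute_output_in_required_format` starts before this hunk.
```python
        # run the query; always restore the global dimension domains and the policies' props afterwards
        try:
            query_answer = self.execute(cmd_line_flag)
        finally:
            # restore peers domains and connectivity properties original values
            DimensionsManager.reset()
            for config in self.get_configs():
                for policy in config.policies_container.policies.values():
                    policy.restore_props()
        return query_answer.numerical_result, self._handle_output(query_answer), query_answer.query_not_executed
```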
@@ -152,18 +146,6 @@ def determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): return False # connectivity between external peers is not relevant either return True - @staticmethod - def compare_fw_rules(fw_rules1, fw_rules2, peer_container, rules_descr=""): - text_prefix = "Original and optimized fw-rules" - if rules_descr: - text_prefix += " for " + rules_descr - if fw_rules1.fw_rules_map == fw_rules2.fw_rules_map: - print(f"{text_prefix} are semantically equivalent") - return - conn_props1 = MinimizeBasic.fw_rules_to_conn_props(fw_rules1, peer_container) - conn_props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules2, peer_container) - BaseNetworkQuery.compare_conn_props(conn_props1, conn_props2, text_prefix) - @staticmethod def compare_conn_props(props1, props2, text_prefix): if props1 == props2: @@ -177,9 +159,9 @@ def compare_conn_props(props1, props2, text_prefix): assert False @staticmethod - def compare_fw_rules_to_conn_props(fw_rules, props, peer_container, connectivity_restriction=None): + def compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=None): text_prefix = "Connectivity properties and fw-rules generated from them" - props2 = MinimizeBasic.fw_rules_to_conn_props(fw_rules, peer_container, connectivity_restriction) + props2 = MinimizeFWRules.fw_rules_to_conn_props(fw_rules, connectivity_restriction) BaseNetworkQuery.compare_conn_props(props, props2, text_prefix) 
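Review bot: `compare_fw_rules_to_conn_props` changes its signature without gaining a docstring, and the check it delegates to ends in `assert False` (visible as context at the head of the second hunk), which is compiled out under `python -O`, so the debug-mode consistency check silently passes there. Suggest documenting the new parameters, e.g. `"""Compare props with the properties rebuilt from fw_rules via MinimizeFWRules.fw_rules_to_conn_props; connectivity_restriction is the TCP / non-TCP restriction the rules were built under."""`, and replacing the bare assert in `compare_conn_props` with an explicit `raise AssertionError(text_prefix)` so the mismatch is reported regardless of interpreter flags. The body of `compare_conn_props` lies mostly outside these hunks.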
@@ -506,38 +488,15 @@ def other_policy_containing_deny(self, self_policy, config_with_self_policy, lay if not other_policy.has_deny_rules(): continue config_with_other_policy = self.config.clone_with_just_one_policy(other_policy.full_name()) - if self.config.optimized_run == 'false': - res = self.check_deny_containment_original(config_with_self_policy, config_with_other_policy, layer_name) - else: - res = self.check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name) - if res: + if self.check_deny_containment(config_with_self_policy, config_with_other_policy, layer_name): return other_policy return None - def check_deny_containment_original(self, config_with_self_policy, config_with_other_policy, layer_name): - # calling get_all_peers_group does not require getting dnsEntry peers, since they are not relevant when computing - # deny connections - pods_to_compare = self.config.peer_container.get_all_peers_group() - pods_to_compare |= TwoNetworkConfigsQuery(self.config, config_with_other_policy).disjoint_referenced_ip_blocks() - for pod1 in pods_to_compare: - for pod2 in pods_to_compare: - if isinstance(pod1, IpBlock) and isinstance(pod2, IpBlock): - continue - if pod1 == pod2: - continue # no way to prevent a pod from communicating with itself - _, _, _, self_deny_conns = config_with_self_policy.allowed_connections(pod1, pod2, layer_name) - _, _, _, other_deny_conns = config_with_other_policy.allowed_connections(pod1, pod2, layer_name) - if not self_deny_conns: - continue - if not self_deny_conns.contained_in(other_deny_conns): - return False - return True - @staticmethod - def check_deny_containment_optimized(config_with_self_policy, config_with_other_policy, layer_name): + def check_deny_containment(config_with_self_policy, config_with_other_policy, layer_name): res_conns_filter = PolicyConnectionsFilter.only_denied_connections() - self_props = config_with_self_policy.allowed_connections_optimized(layer_name, res_conns_filter) 
- other_props = config_with_other_policy.allowed_connections_optimized(layer_name, res_conns_filter) + self_props = config_with_self_policy.allowed_connections(layer_name, res_conns_filter) + other_props = config_with_other_policy.allowed_connections(layer_name, res_conns_filter) return self_props.denied_conns.contained_in(other_props.denied_conns) def other_rule_containing(self, self_policy, self_rule_index, is_ingress, layer_name): 
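Review bot: `check_deny_containment` is introduced without a docstring, and the explanatory comment of the removed original (that dnsEntry peers are not relevant when computing deny connections) disappears with it. Suggest `"""Return True iff every connection denied by config_with_self_policy in layer_name is also denied by config_with_other_policy (compared on the denied_conns of allowed_connections under an only-denied filter)."""`. The `@staticmethod` decorator is inherited from the optimized variant, so the `self.check_deny_containment(...)` call in `other_policy_containing_deny` works, but the method never touches `self`; keep the decorator and the call consistent on purpose.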
@@ -781,154 +740,58 @@ def are_labels_all_included(target_labels, pool_labels): return False return True - def compute_connectivity_output_original(self): - """ - Compute connectivity output with original implementation (running for every pair of peers). - :return: a tuple of output result (in a required format), FwRules, tcp FWRules and non-tcp FWRules. - :rtype ([Union[str, dict], MinimizeFWRules, MinimizeFWRules], MinimizeFWRules) - """ - fw_rules = None - fw_rules_tcp = None - fw_rules_non_tcp = None - exclude_ipv6 = self.config.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - connections = defaultdict(list) - # if dns entry peers exist but no istio policies are configured, - # then actually istio layer exists implicitly, connections to these peers will be considered with the - # default Istio outbound traffic mode - allow any - peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) - ref_ip_blocks = IpBlock.disjoint_ip_blocks(self.config.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), exclude_ipv6) - peers_to_compare |= ref_ip_blocks - peers = PeerSet() - for peer1 in peers_to_compare: - for peer2 in peers_to_compare: - if self.is_in_subset(peer1): - peers.add(peer1) - elif not self.is_in_subset(peer2): - continue # skipping pairs if none of them are in the given subset - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - if peer1 == peer2: - # cannot restrict pod's connection to itself - connections[ConnectionSet(True)].append((peer1, peer2)) - else: - conns, _, _, _ = self.config.allowed_connections(peer1, peer2) - if conns: - connections[conns].append((peer1, peer2)) - # collect both peers, even if one of them is not in the subset - peers.add(peer1) - peers.add(peer2) - # if Istio is a layer in the network config - produce 2 maps, for TCP and for non-TCP - # because Istio policies can only capture TCP 
connectivity - if self.config.policies_container.layers.does_contain_istio_layers(): - output_res, fw_rules_tcp, fw_rules_non_tcp = \ - self.get_connectivity_output_split_by_tcp(connections, peers, peers_to_compare) - else: - output_res, fw_rules = self.get_connectivity_output_full(connections, peers, peers_to_compare) - return output_res, fw_rules, fw_rules_tcp, fw_rules_non_tcp - - def compute_connectivity_output_optimized(self): + def compute_connectivity_output(self): """ Compute connectivity output with optimized implementation. - :return: a tuple of output result (in a required format), FwRules, tcp FWRules and non-tcp FWRules. - :rtype: ([Union[str, dict], MinimizeFWRules, MinimizeFWRules, MinimizeFWRules) + :return: output result in a required format + :rtype: Union[str, dict] """ - opt_fw_rules = None - opt_fw_rules_tcp = None - opt_fw_rules_non_tcp = None exclude_ipv6 = self.config.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - opt_conns = self.config.allowed_connections_optimized(res_conns_filter=res_conns_filter) - all_conns_opt = opt_conns.all_allowed_conns - opt_peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) + conns = self.config.allowed_connections(res_conns_filter=res_conns_filter) + all_conns = conns.all_allowed_conns + peers_to_compare = self.config.peer_container.get_all_peers_group(include_dns_entries=True) # add all relevant IpBlocks, used in connections - opt_peers_to_compare |= all_conns_opt.get_all_peers() + peers_to_compare |= all_conns.get_all_peers() if exclude_ipv6: # remove connections where any of src_peers or dst_peers contain automatically-added IPv6 blocks, # while keeping connections with IPv6 blocks directly referenced in policies - opt_peers_to_compare.filter_ip_blocks_by_mask(IpBlock.get_all_ips_block(exclude_ipv6=True)) - all_conns_opt &= 
ConnectivityProperties.make_conn_props_from_dict({"src_peers": opt_peers_to_compare, - "dst_peers": opt_peers_to_compare}) - base_peers_num = len(opt_peers_to_compare) - subset_peers = self.compute_subset(opt_peers_to_compare) + peers_to_compare.filter_ip_blocks_by_mask(IpBlock.get_all_ips_block(exclude_ipv6=True)) + all_conns &= ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers_to_compare, + "dst_peers": peers_to_compare}) + base_peers_num = len(peers_to_compare) + subset_peers = self.compute_subset(peers_to_compare) all_peers = subset_peers if len(subset_peers) != base_peers_num: # remove connections where both of src_peers and dst_peers are out of the subset subset_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": subset_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers}) - all_conns_opt &= subset_conns - src_peers, dst_peers = ExplTracker().extract_peers(all_conns_opt) + all_conns &= subset_conns + src_peers, dst_peers = ExplTracker().extract_peers(all_conns) all_peers = src_peers | dst_peers - all_conns_opt = self.config.filter_conns_by_peer_types(all_conns_opt) - expl_conns = all_conns_opt + all_conns = self.config.filter_conns_by_peer_types(all_conns) + expl_conns = all_conns if self.config.policies_container.layers.does_contain_istio_layers(): - output_res, opt_fw_rules_tcp, opt_fw_rules_non_tcp = \ - self.get_props_output_split_by_tcp(all_conns_opt, opt_peers_to_compare) - expl_conns, _ = self.convert_props_to_split_by_tcp(all_conns_opt) + output_res = self.get_props_output_split_by_tcp(all_conns, peers_to_compare) + expl_conns, _ = self.convert_props_to_split_by_tcp(all_conns) else: - output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare) + output_res = self.get_props_output_full(all_conns, peers_to_compare) if ExplTracker().is_active(): ExplTracker().set_connections_and_peers(expl_conns, all_peers) - return output_res, opt_fw_rules, 
opt_fw_rules_tcp, opt_fw_rules_non_tcp + return output_res def exec(self): self.output_config.fullExplanation = True # assign true for this query - it is always ok to compare its results self.output_config.configName = os.path.basename(self.config.name) if self.config.name.startswith('./') else \ self.config.name res = QueryAnswer(True) - fw_rules = None - fw_rules_tcp = None - fw_rules_non_tcp = None - if self.config.optimized_run != 'true': - orig_start = time.time() - output_res, fw_rules, fw_rules_tcp, fw_rules_non_tcp = self.compute_connectivity_output_original() - orig_end = time.time() - print(f'Original loop: time: {(orig_end - orig_start):6.2f} seconds') - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] - - if self.config.optimized_run != 'false': - opt_start = time.time() - output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp = \ - self.compute_connectivity_output_optimized() - opt_end = time.time() - print(f'Opt time: {(opt_end - opt_start):6.2f} seconds') - # the same result for opt == 'true'/'debug' - if self.output_config.outputFormat in ['json', 'yaml']: - res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] - else: - res.output_explanation = [ComputedExplanation(str_explanation=output_res)] - if self.config.optimized_run == 'debug': - if fw_rules and opt_fw_rules: - self.compare_fw_rules(fw_rules, opt_fw_rules, self.config.peer_container, - f"connectivity of {self.config.name}") - if fw_rules_tcp and opt_fw_rules_tcp: - self.compare_fw_rules(fw_rules_tcp, opt_fw_rules_tcp, self.config.peer_container, - f"connectivity - tcp only of {self.config.name}") - if fw_rules_non_tcp and opt_fw_rules_non_tcp: - self.compare_fw_rules(fw_rules_non_tcp, opt_fw_rules_non_tcp, self.config.peer_container, - f"connectivity - non-tcp only of {self.config.name}") - 
return res - def get_connectivity_output_full(self, connections, peers, peers_to_compare): - """ - get the connectivity map output considering all connections in the output - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot and txt_no_fw_rules output - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :rtype (Union[str,dict], MinimizeFWRules) - """ - if self.output_config.outputFormat in ['dot', 'jpg', 'html']: - dot_full = self.dot_format_from_connections_dict(connections, peers) - return dot_full, None - if self.output_config.outputFormat == 'txt_no_fw_rules': - conns_wo_fw_rules = self._txt_no_fw_rules_format_from_connections_dict(connections, peers) - return conns_wo_fw_rules, None - # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_connections_dict(connections, peers_to_compare) - return formatted_rules, fw_rules + output_res = self.compute_connectivity_output() + if self.output_config.outputFormat in ['json', 'yaml']: + res.output_explanation = [ComputedExplanation(dict_explanation=output_res)] + else: + res.output_explanation = [ComputedExplanation(str_explanation=output_res)] + return res def get_props_output_full(self, props, all_peers): """ 
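Review bot: The docstring of `compute_connectivity_output` still reads "Compute connectivity output with optimized implementation." although the original implementation is deleted in this hunk and this is now the only path; suggest `"""Compute the connectivity map of self.config in the required output format (split into TCP / non-TCP maps when Istio layers are present)."""`. In `exec`, the two `ComputedExplanation` assignments differ only by keyword; a one-line comment such as `# json/yaml carry a dict explanation, every other format a string` would make the branch self-explanatory. The comment `# add all relevant IpBlocks, used in connections` now applies to `peers_to_compare |= all_conns.get_all_peers()`, which reads correctly after the rename.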
@@ -936,62 +799,18 @@ def get_props_output_full(self, props, all_peers): :param ConnectivityProperties props: properties describing allowed connections :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output - :rtype ([Union[str, dict], MinimizeFWRules]) + :rtype Union[str, dict] """ peers_to_compare = props.get_all_peers() if self.output_config.outputFormat in ['dot', 'jpg', 'html']: dot_full = self.dot_format_from_props(props, peers_to_compare) - return dot_full, None + return dot_full if self.output_config.outputFormat == 'txt_no_fw_rules': conns_wo_fw_rules = self.txt_no_fw_rules_format_from_props(props, peers_to_compare) - return conns_wo_fw_rules, None + return conns_wo_fw_rules # handle other formats - formatted_rules, fw_rules = self.fw_rules_from_props(props, all_peers) - return formatted_rules, fw_rules - - def get_connectivity_output_split_by_tcp(self, connections, peers, peers_to_compare): - """ - get the connectivity map output as two parts: TCP and non-TCP - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) - """ - connectivity_tcp_str = 'TCP' - connectivity_non_tcp_str = 'non-TCP' - connections_tcp, connections_non_tcp = self.convert_connections_to_split_by_tcp(connections) - if self.output_config.outputFormat in ['dot', 'jpg', 'html']: - dot_tcp = self.dot_format_from_connections_dict(connections_tcp, peers, connectivity_tcp_str) - dot_non_tcp = self.dot_format_from_connections_dict(connections_non_tcp, peers, connectivity_non_tcp_str) - # concatenate the two graphs into one dot file - res_str = dot_tcp + dot_non_tcp - return res_str, None, None - - if self.output_config.outputFormat == 'txt_no_fw_rules': - conns_msg_suffix = ' 
Connections:' - tcp_conns_wo_fw_rules = \ - self._txt_no_fw_rules_format_from_connections_dict(connections_tcp, peers, - connectivity_tcp_str + conns_msg_suffix) - non_tcp_conns_wo_fw_rules = \ - self._txt_no_fw_rules_format_from_connections_dict(connections_non_tcp, peers, - connectivity_non_tcp_str + conns_msg_suffix) - return tcp_conns_wo_fw_rules + '\n\n' + non_tcp_conns_wo_fw_rules, None, None - # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = \ - self.fw_rules_from_connections_dict(connections_tcp, peers_to_compare, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = \ - self.fw_rules_from_connections_dict(connections_non_tcp, peers_to_compare, connectivity_non_tcp_str) - if self.output_config.outputFormat in ['json', 'yaml']: - # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) - rules = formatted_rules_tcp - rules.update(formatted_rules_non_tcp) - return rules, fw_rules_tcp, fw_rules_non_tcp - # remaining formats: txt / csv / md : concatenate the two strings of the conn-maps - if self.output_config.outputFormat == 'txt': - res_str = f'{formatted_rules_tcp}\n{formatted_rules_non_tcp}' - else: - res_str = formatted_rules_tcp + formatted_rules_non_tcp - return res_str, fw_rules_tcp, fw_rules_non_tcp + formatted_rules = self.fw_rules_from_props(props, all_peers) + return formatted_rules def get_props_output_split_by_tcp(self, props, all_peers): """ @@ -999,7 +818,7 @@ def get_props_output_split_by_tcp(self, props, all_peers): :param ConnectivityProperties props: properties describing allowed connections :param PeerSet all_peers: the peers to consider for dot/fw-rules output whereas all other values should be filtered out in the output - :rtype (Union[str, dict], MinimizeFWRules, MinimizeFWRules) + :rtype Union[str, dict] """ peers_to_compare = props.get_all_peers() connectivity_tcp_str = 'TCP' 
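Review bot: The rewritten `:rtype Union[str, dict]` lines in `get_props_output_full` and in `get_props_output_split_by_tcp` (the second hunk here) both lack the colon that the field syntax needs and that the file uses elsewhere (`:rtype: Union[str, dict]` in `fw_rules_from_props`); suggest `:rtype: Union[str, dict]` in both docstrings. Also `formatted_rules = self.fw_rules_from_props(props, all_peers)` followed by `return formatted_rules` collapses to a single `return self.fw_rules_from_props(props, all_peers)`.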
@@ -1010,63 +829,27 @@ def get_props_output_split_by_tcp(self, props, all_peers): dot_non_tcp = self.dot_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) # concatenate the two graphs into one dot file res_str = dot_tcp + dot_non_tcp - return res_str, None, None + return res_str if self.output_config.outputFormat in ['txt_no_fw_rules']: txt_no_fw_rules_tcp = self.txt_no_fw_rules_format_from_props(props_tcp, peers_to_compare, connectivity_tcp_str) txt_no_fw_rules_non_tcp = self.txt_no_fw_rules_format_from_props(props_non_tcp, peers_to_compare, connectivity_non_tcp_str) res_str = txt_no_fw_rules_tcp + '\n\n' + txt_no_fw_rules_non_tcp - return res_str, None, None + return res_str # handle formats other than dot and txt_no_fw_rules - formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) - formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, - connectivity_non_tcp_str) + formatted_rules_tcp = self.fw_rules_from_props(props_tcp, all_peers, connectivity_tcp_str) + formatted_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, all_peers, connectivity_non_tcp_str) if self.output_config.outputFormat in ['json', 'yaml']: # get a dict object containing the two maps on different keys (TCP_rules and non-TCP_rules) rules = formatted_rules_tcp rules.update(formatted_rules_non_tcp) - return rules, fw_rules_tcp, fw_rules_non_tcp + return rules # remaining formats: txt / csv / md : concatenate the two strings of the conn-maps if self.output_config.outputFormat == 'txt': res_str = f'{formatted_rules_tcp}\n{formatted_rules_non_tcp}' else: res_str = formatted_rules_tcp + formatted_rules_non_tcp - return res_str, fw_rules_tcp, fw_rules_non_tcp - - def _get_conn_graph(self, connections, peers): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for building connectivity graph - 
:rtype: ConnectivityGraph - :return the connectivity graph of the given connections and peers - """ - conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config) - conn_graph.add_edges(connections) - return conn_graph - - def _txt_no_fw_rules_format_from_connections_dict(self, connections, peers, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not - :rtype: str - :return the connectivity map in txt_no_fw_rules format: the connections between peers excluding connections - between workload to itself (without grouping as fw-rules). - """ - conn_graph = self._get_conn_graph(connections, peers) - return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction) - - def dot_format_from_connections_dict(self, connections, peers, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers: the peers to consider for dot output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :rtype str - :return the connectivity map in dot-format, considering connectivity_restriction if required - """ - conn_graph = self._get_conn_graph(connections, peers) - return conn_graph.get_connectivity_dot_format_str(connectivity_restriction, self.output_config.simplifyGraph) + return res_str def dot_format_from_props(self, props, peers, connectivity_restriction=None): """ 
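Review bot: In the json/yaml branch of `get_props_output_split_by_tcp`, `rules = formatted_rules_tcp` followed by `rules.update(formatted_rules_non_tcp)` mutates the dict returned for the TCP half in place; now that this is the only implementation, `rules = {**formatted_rules_tcp, **formatted_rules_non_tcp}` avoids the aliasing and makes the merge explicit (these two lines are context here, only the surrounding returns changed). Likewise `if self.output_config.outputFormat in ['txt_no_fw_rules']:` can be `== 'txt_no_fw_rules'`, matching the same test in `get_props_output_full`.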
@@ -1096,20 +879,6 @@ def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restricti return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction + " Connections:" if connectivity_restriction else None) - def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None): - """ - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :param PeerSet peers_to_compare: the peers to consider for fw-rules output - :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to - TCP / non-TCP , or not - :return the connectivity map in fw-rules, considering connectivity_restriction if required - :rtype: (Union[str, dict], MinimizeFWRules) - """ - conn_graph = self._get_conn_graph(connections, peers_to_compare) - fw_rules = conn_graph.get_minimized_firewall_rules() - formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) - return formatted_rules, fw_rules - def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction=None): """ :param ConnectivityProperties props: properties describing allowed connections @@ -1118,7 +887,7 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to TCP / non-TCP , or not :return the connectivity map in fw-rules, considering connectivity_restriction if required - :rtype: (Union[str, dict], MinimizeFWRules) + :rtype: Union[str, dict] """ if self.output_config.fwRulesOverrideAllowedLabels: allowed_labels = set(label for label in self.output_config.fwRulesOverrideAllowedLabels.split(',')) 
@@ -1129,45 +898,10 @@ def fw_rules_from_props(self, props, peers_to_compare, connectivity_restriction= fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props, cluster_info, self.output_config, self.config.peer_container, connectivity_restriction) - if self.config.optimized_run == 'debug': - self.compare_fw_rules_to_conn_props(fw_rules, props, self.config.peer_container, - connectivity_restriction=connectivity_restriction) + if self.config.debug: + self.compare_fw_rules_to_conn_props(fw_rules, props, connectivity_restriction=connectivity_restriction) formatted_rules = fw_rules.get_fw_rules_in_required_format(connectivity_restriction=connectivity_restriction) - return formatted_rules, fw_rules - - def convert_connections_to_split_by_tcp(self, connections): - """ - given the connections' dict , convert it to two connection maps, one for TCP only, and the other - for non-TCP only. - :param dict connections: the connections' dict (map from connection-set to peer pairs) - :return: a tuple of the two connection maps : first for TCP, second for non-TCP - :rtype: tuple(dict, dict) - """ - connections_tcp = defaultdict(list) - connections_non_tcp = defaultdict(list) - for conn, peers_list in connections.items(): - tcp_conns, non_tcp_conns = self.split_to_tcp_and_non_tcp_conns(conn) - connections_tcp[tcp_conns] += peers_list - connections_non_tcp[non_tcp_conns] += peers_list - - return connections_tcp, connections_non_tcp - - @staticmethod - def split_to_tcp_and_non_tcp_conns(conns): - """ - split a ConnectionSet object to two objects: one within TCP only, the other within non-TCP protocols - :param ConnectionSet conns: a ConnectionSet object - :return: a tuple of the two ConnectionSet objects: first for TCP, second for non-TCP - :rtype: tuple(ConnectionSet, ConnectionSet) - """ - tcp_conns = conns - ConnectionSet.get_non_tcp_connections() - non_tcp_conns = conns - tcp_conns - if non_tcp_conns == ConnectionSet.get_non_tcp_connections(): - non_tcp_conns = 
ConnectionSet(True) # all connections in terms of non-TCP - if tcp_conns == ConnectionSet.get_all_tcp_connections(): - tcp_conns = ConnectionSet(True) # all connections in terms of TCP - - return tcp_conns, non_tcp_conns + return formatted_rules @staticmethod def convert_props_to_split_by_tcp(props): @@ -1227,19 +961,6 @@ def is_identical_topologies(self, check_same_policies=False): 'topology and the same set of policies.') return QueryAnswer(True) - def disjoint_referenced_ip_blocks(self): - """ - Returns disjoint ip-blocks in the policies of both configs - :return: A set of disjoint ip-blocks - :rtype: PeerSet - """ - exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ - self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - # TODO - consider including also non referenced IPBlocks, as in ConnectivityMapQuery - # (see issue https://github.com/IBM/network-config-analyzer/issues/522) - return IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - self.config2.get_referenced_ip_blocks(exclude_ipv6), exclude_ipv6) - def filter_conns_by_input_or_internal_constraints(self, conns1, conns2): """ Given two allowed connections (in config1 and in config2 respectively), filter those connections 
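Review bot: `if self.config.debug:` replaces the `optimized_run == 'debug'` check, but nothing in this patch shows `NetworkConfig` (or its schema/CLI options) gaining a `debug` attribute; if it is added elsewhere in the PR this is fine, otherwise the line raises `AttributeError` for every output format that reaches `fw_rules_from_props`. The same check appears as `self.config1.debug` in `compute_explanation_for_key` (the hunk at -1528,8 +1138,8). A short comment would help readers understand what the flag buys: `# debug mode: cross-check the minimized fw-rules against the properties they were built from`. The enclosing method `fw_rules_from_props` starts before this hunk.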
@@ -1271,20 +992,20 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, :param bool props_based_on_config1: whether conn_diff_props represent connections present in config1 but not in config2 (the value True) or connections present in config2 but not in config1 (the value False) """ - no_conns = ConnectionSet() + no_props = ConnectivityProperties() for cube in conn_diff_props: conn_cube = conn_diff_props.get_connectivity_cube(cube) conns, src_peers, dst_peers = \ - MinimizeBasic.get_connection_set_and_peers_from_cube(conn_cube, self.config1.peer_container) - conns1 = conns if props_based_on_config1 else no_conns - conns2 = no_conns if props_based_on_config1 else conns - if self.output_config.fullExplanation: # the same result for opt == 'true'/'debug' + ConnectivityProperties.extract_src_dst_peers_from_cube(conn_cube, self.config1.peer_container) + conns1 = conns if props_based_on_config1 else no_props + conns2 = no_props if props_based_on_config1 else conns + if self.output_config.fullExplanation: src_peers_str_sorted = str(sorted([str(peer) for peer in src_peers])) dst_peers_str_sorted = str(sorted([str(peer) for peer in dst_peers])) - different_conns_list.append(PeersAndConnections(src_peers_str_sorted, dst_peers_str_sorted, - conns1, conns2)) + different_conns_list.append(PeersAndConnectivityProperties(src_peers_str_sorted, dst_peers_str_sorted, + conns1, conns2)) else: - different_conns_list.append(PeersAndConnections(src_peers.rep(), dst_peers.rep(), conns1, conns2)) + different_conns_list.append(PeersAndConnectivityProperties(src_peers.rep(), dst_peers.rep(), conns1, conns2)) return @staticmethod 
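Review bot: The locals `conns`, `conns1` and `conns2` now hold `ConnectivityProperties` (the sentinel is `no_props = ConnectivityProperties()`), so the names are misleading next to `no_props` and the new `PeersAndConnectivityProperties` element; renaming them to `props`, `props1`, `props2` keeps the body consistent. The code also presumes that a default-constructed `ConnectivityProperties()` means "no connections" on the side that lacks them; a one-line comment would make that explicit, `# empty properties stand for "no connections" on the config side lacking them`. The method's signature and docstring are above this hunk.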
@@ -1329,40 +1050,12 @@ def exec(self, cmd_line_flag=False, layer_name=None): if query_answer.output_result: query_answer.numerical_result = not query_answer.bool_result return query_answer - if self.config1.optimized_run == 'false': - return self.check_equivalence_original(layer_name) - else: - return self.check_equivalence_optimized(layer_name) - - def check_equivalence_original(self, layer_name=None): - peers_to_compare = \ - self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods(layer_name) | self.config2.get_captured_pods(layer_name) - different_conns_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1, _, _, _ = self.config1.allowed_connections(peer1, peer2, layer_name) - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2, layer_name) - if conns1 != conns2: - different_conns_list.append(PeersAndConnections(str(peer1), str(peer2), conns1, conns2)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(different_conns_list) - - if different_conns_list: - return self._query_answer_with_relevant_explanation(sorted(different_conns_list)) - - return QueryAnswer(True, self.name1 + ' and ' + self.name2 + ' are semantically equivalent.', - numerical_result=0) + return self.check_equivalence(layer_name) - def check_equivalence_optimized(self, layer_name=None): + def check_equivalence(self, layer_name=None): res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(layer_name, res_conns_filter) - conn_props2 = self.config2.allowed_connections_optimized(layer_name, res_conns_filter) + conn_props1 = 
self.config1.allowed_connections(layer_name, res_conns_filter) + conn_props2 = self.config2.allowed_connections(layer_name, res_conns_filter) all_conns1, all_conns2 = self.filter_conns_by_input_or_internal_constraints(conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) if all_conns1 == all_conns2: 
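Review bot: `check_equivalence` passes `res_conns_filter` positionally to `allowed_connections`, whereas `compute_connectivity_output` calls it as `allowed_connections(res_conns_filter=res_conns_filter)`; using the keyword form here, `self.config1.allowed_connections(layer_name, res_conns_filter=res_conns_filter)` (and the same for `config2`), guards against an argument-order change and reads consistently. The new method also has no docstring; suggest `"""Compare the all-allowed connections of config1 and config2 (restricted to layer_name when given) and report the differences, if any."""`. The method's body continues past the end of this hunk.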
@@ -1416,90 +1109,7 @@ def _get_updated_key(key, is_added): """ return key.replace("Changed", "Added") if is_added else key.replace("Changed", "Removed") - @staticmethod - def get_explanation_from_conn_graph(conn_graph, is_first_connectivity_result): - """ - :param conn_graph: a ConnectivityGraph with added/removed connections - :param is_first_connectivity_result: bool flag indicating if this is the first connectivity fw-rules computation - for the current semantic-diff query - :return: fw-rules summarizing added/removed connections (in required format and as MinimizeFWRules) - :rtype: Union[str, dict], MinimizeFWRules (dict if required format is yaml/json , str otherwise) - """ - fw_rules = conn_graph.get_minimized_firewall_rules() - # for csv format, adding the csv header only for the first connectivity fw-rules computation - fw_rules_output = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) - return fw_rules_output, fw_rules - - def compute_explanation_for_key(self, key, is_added, conn_graph, is_first_connectivity_result): - """ - computes the explanation for given key and conn_graph with description and fw-rules results - prepares the description and explanation - description text is written for txt, yaml and json formats - other formats description already included in the conn_graph data - :param str key: the key describing the changes - :param bool is_added: a bool flag indicating if connections are added or removed - :param ConnectivityGraph conn_graph: a ConnectivityGraph with added/removed connections - :param bool is_first_connectivity_result: flag indicating if this is the first connectivity fw-rules computation - for the current semantic-diff query - :return the computedExplanation of the current key and conn_graph considering the outputFormat, - and fw_rules from which the explanation was computed - :rtype: ComputedExplanation, Union[None, MinimizeFWRules] - """ - updated_key = self._get_updated_key(key, is_added) - 
topology_config_name = self.name2 if is_added else self.name1 - connectivity_changes_header = f'{updated_key} (based on topology from config: {topology_config_name}) :' - fw_rules = None - if self.output_config.outputFormat == 'txt_no_fw_rules': - conn_graph_explanation = conn_graph.get_connections_without_fw_rules_txt_format( - connectivity_changes_header, exclude_self_loop_conns=False) + '\n' - else: - conn_graph_explanation, fw_rules = self.get_explanation_from_conn_graph(conn_graph, is_first_connectivity_result) - - if self.output_config.outputFormat in ['json', 'yaml']: - explanation_dict = {'description': updated_key} - explanation_dict.update(conn_graph_explanation) - key_explanation = ComputedExplanation(dict_explanation=explanation_dict) - else: - str_explanation = f'\n{connectivity_changes_header}\n' if self.output_config.outputFormat == 'txt' else '' - str_explanation += conn_graph_explanation - key_explanation = ComputedExplanation(str_explanation=str_explanation) - - return key_explanation, fw_rules - - def get_results_for_computed_fw_rules(self, keys_list, conn_graph_removed_per_key, conn_graph_added_per_key): - """ - Compute accumulated explanation and res for all keys of changed connections categories - :param keys_list: the list of keys - :param conn_graph_removed_per_key: map from key to ConnectivityGraph of removed connections - :param conn_graph_added_per_key: map from key to ConnectivityGraph of added connections - :return: - res (int): number of categories with diffs - explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category - :rtype: int, list[ComputedExplanation] - """ - explanation = [] - add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() - res = 0 - for key in keys_list: - conn_graph_added_conns = conn_graph_added_per_key[key] - conn_graph_removed_conns = conn_graph_removed_per_key[key] - is_added = conn_graph_added_conns is not None and 
conn_graph_added_conns.conn_graph_has_fw_rules() - is_removed = conn_graph_removed_conns is not None and conn_graph_removed_conns.conn_graph_has_fw_rules() - if is_added: - if add_explanation: - key_explanation, _ = self.compute_explanation_for_key(key, True, conn_graph_added_conns, res == 0) - explanation.append(key_explanation) - res += 1 - - if is_removed: - if add_explanation: - key_explanation, _ = self.compute_explanation_for_key(key, False, conn_graph_removed_conns, res == 0) - explanation.append(key_explanation) - res += 1 - - return res, explanation - - def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_connectivity_result): + def compute_explanation_for_key(self, key, is_added, props_data, is_first_connectivity_result): """ computes the explanation for given key and conn_graph with description and fw-rules results prepares the description and explanation @@ -1528,8 +1138,8 @@ def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_co fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props(props_data.props, props_data.cluster_info, props_data.output_config, props_data.peer_container, None) - if self.config1.optimized_run == 'debug': - self.compare_fw_rules_to_conn_props(fw_rules, props_data.props, props_data.peer_container) + if self.config1.debug: + self.compare_fw_rules_to_conn_props(fw_rules, props_data.props) conn_graph_explanation = fw_rules.get_fw_rules_in_required_format(False, is_first_connectivity_result) if self.output_config.outputFormat in ['json', 'yaml']: 
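Review bot: The renamed `compute_explanation_for_key` keeps the summary line of the removed original ("computes the explanation for given key and conn_graph ..."), but its parameter is now `props_data`, not a `ConnectivityGraph`; the summary should be reworded, e.g. `computes the explanation for the given key and props_data (properties with their cluster/output context) with description and fw-rules results`, and the `:param` lines, which lie outside this hunk, checked for the same staleness. The `self.config1.debug` check in the second hunk here mirrors the one in `fw_rules_from_props` and depends on the same attribute being defined.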
@@ -1543,7 +1153,7 @@ def compute_explanation_for_key_opt(self, key, is_added, props_data, is_first_co return key_explanation, fw_rules - def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key, added_props_per_key): + def get_results_for_computed_fw_rules(self, keys_list, removed_props_per_key, added_props_per_key): """ Compute accumulated explanation and res for all keys of changed connections categories :param keys_list: the list of keys 
@@ -1564,281 +1174,21 @@ def get_results_for_computed_fw_rules_opt(self, keys_list, removed_props_per_key is_removed = removed_props is not None and removed_props.props if is_added: if add_explanation: - key_explanation, _ = self.compute_explanation_for_key_opt(key, True, added_props, res == 0) + key_explanation, _ = self.compute_explanation_for_key(key, True, added_props, res == 0) explanation.append(key_explanation) res += 1 if is_removed: if add_explanation: - key_explanation, _ = self.compute_explanation_for_key_opt(key, False, removed_props, res == 0) + key_explanation, _ = self.compute_explanation_for_key(key, False, removed_props, res == 0) explanation.append(key_explanation) res += 1 return res, explanation - def get_results_for_computed_fw_rules_and_compare_orig_to_opt(self, keys_list, orig_conn_graph_removed_per_key, - orig_conn_graph_added_per_key, - removed_props_per_key, added_props_per_key): - """ - Compute accumulated explanation and res for all keys of changed connections categories. - Also, compare original and optimized results. 
- :param keys_list: the list of keys - :param orig_conn_graph_removed_per_key: map from key to ConnectivityGraph of original removed connections - :param orig_conn_graph_added_per_key: map from key to ConnectivityGraph of original added connections - :param removed_props_per_key: map from key to PropsAndExplanationData of optimized removed connections - :param added_props_per_key: map from key to PropsAndExplanationData of optimized added connections - :return: - res (int): number of categories with diffs - explanation (list): list of ComputedExplanation, the diffs' explanations, one for each category - :rtype: int, list[ComputedExplanation] - """ - explanation = [] - add_explanation = self.output_config.outputFormat in SemanticDiffQuery.get_supported_output_formats() - res = 0 - for key in keys_list: - orig_conn_graph_added_conns = orig_conn_graph_added_per_key[key] - orig_conn_graph_removed_conns = orig_conn_graph_removed_per_key[key] - is_added = orig_conn_graph_added_conns is not None and orig_conn_graph_added_conns.conn_graph_has_fw_rules() - is_removed = orig_conn_graph_removed_conns is not None and orig_conn_graph_removed_conns.conn_graph_has_fw_rules() - if is_added: - if add_explanation: - key_explanation, orig_fw_rules = self.compute_explanation_for_key( - key, True, orig_conn_graph_added_conns, res == 0) - if not orig_fw_rules: - orig_fw_rules = orig_conn_graph_added_conns.get_minimized_firewall_rules() - added_props = added_props_per_key[key] - assert added_props - opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( - key, True, added_props, res == 0) - if not opt_fw_rules: - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - added_props.props, added_props.cluster_info, added_props.output_config, - added_props.peer_container, None) - if self.config1.optimized_run == 'debug': - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config2.peer_container, - self._get_updated_key(key, True) + - f'between 
{self.config1.name} and {self.config2.name}') - explanation.append(opt_key_explanation) - res += 1 - - if is_removed: - if add_explanation: - key_explanation, orig_fw_rules = self.compute_explanation_for_key( - key, False, orig_conn_graph_removed_conns, res == 0) - if not orig_fw_rules: - orig_fw_rules = orig_conn_graph_removed_conns.get_minimized_firewall_rules() - removed_props = removed_props_per_key[key] - assert removed_props - opt_key_explanation, opt_fw_rules = self.compute_explanation_for_key_opt( - key, False, removed_props, res == 0) - if not opt_fw_rules: - opt_fw_rules = MinimizeFWRules.get_minimized_firewall_rules_from_props( - removed_props.props, removed_props.cluster_info, removed_props.output_config, - removed_props.peer_container, None) - if self.config1.optimized_run == 'debug': - self.compare_fw_rules(orig_fw_rules, opt_fw_rules, self.config1.peer_container, - self._get_updated_key(key, False) + - f'between {self.config1.name} and {self.config2.name}') - explanation.append(opt_key_explanation) - res += 1 - - return res, explanation - - def get_conn_graph_changed_conns(self, key, ip_blocks, is_added): - """ - create a ConnectivityGraph for changed (added/removed) connections per given key - :param key: the key (category) of changed connections - :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers - :param is_added: a bool flag indicating if connections are added or removed - :return: a ConnectivityGraph object - """ - old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - allowed_labels = (self.config1.get_allowed_labels()).union(self.config2.get_allowed_labels()) - topology_peers = new_peers | ip_blocks if is_added else old_peers | ip_blocks - # following query_name update is for adding query line descriptions for csv and md formats - updated_key = self._get_updated_key(key, is_added) - if 
self.output_config.queryName: - query_name = f'semantic_diff, config1: {self.config1.name}, config2: {self.config2.name}, key: {updated_key}' - else: - # omit the query name prefix if self.output_config.queryName is empty (single query from command line) - query_name = updated_key - output_config = OutputConfiguration(self.output_config, query_name) - return ConnectivityGraph(topology_peers, allowed_labels, output_config) - - def compute_diff_original(self): # noqa: C901 - """ - Compute changed connections as following: - - 1.1. lost connections between removed peers - 1.2. lost connections between removed peers and ipBlocks - - 2.1. lost connections between removed peers and intersected peers - - 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces - 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels - - 4.1. new connections between intersected peers and added peers - - 5.1. new connections between added peers - 5.2. new connections between added peers and ipBlocks - - Some sections might be empty and can be dropped. 
- - :return: - keys_list (list[str]): list of names of connection categories, - being the keys in conn_graph_removed_per_key/conn_graph_added_per_key - conn_graph_removed_per_key (dict): a dictionary of removed connections connectivity graphs per category - conn_graph_added_per_key (dict): a dictionary of added connections connectivity graphs per category - :rtype: list[str], dict, dict - """ - old_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - new_peers = self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - intersected_peers = old_peers & new_peers - removed_peers = old_peers - intersected_peers - added_peers = new_peers - intersected_peers - captured_pods = (self.config1.get_captured_pods() | self.config2.get_captured_pods()) & intersected_peers - exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ - self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - old_ip_blocks = IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - new_ip_blocks = IpBlock.disjoint_ip_blocks(self.config2.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - - conn_graph_removed_per_key = dict() - conn_graph_added_per_key = dict() - keys_list = [] - - # 1.1. 
lost connections between removed peers - key = 'Lost connections between removed peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None - for pair in itertools.permutations(removed_peers, 2): - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - continue - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - # 1.2. lost connections between removed peers and ipBlocks - key = 'Lost connections between removed peers and ipBlocks' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, old_ip_blocks, False) - conn_graph_added_per_key[key] = None - for pair in itertools.product(removed_peers, old_ip_blocks): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[1], pair[0]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[1], pair[0], lost_conns) - - # 2.1. 
lost connections between removed peers and intersected peers - key = 'Lost connections between removed peers and persistent peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = None - for pair in itertools.product(removed_peers, intersected_peers): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[0], pair[1]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[0], pair[1], lost_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - lost_conns, _, _, _ = self.config1.allowed_connections(pair[1], pair[0]) - if lost_conns: - conn_graph_removed_per_key[key].add_edge(pair[1], pair[0], lost_conns) - - # 3.1. lost/new connections between intersected peers due to changes in policies and labels of pods/namespaces - key = 'Changed connections between persistent peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for peer1 in intersected_peers: - for peer2 in intersected_peers if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - old_conns, _, _, _ = self.config1.allowed_connections(peer1, peer2) - new_conns, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if new_conns != old_conns: - conn_graph_removed_per_key[key].add_edge(peer1, peer2, old_conns - new_conns) - conn_graph_added_per_key[key].add_edge(peer1, peer2, new_conns - old_conns) - - # 3.2. 
lost/new connections between intersected peers and ipBlocks due to changes in policies and labels - key = 'Changed connections between persistent peers and ipBlocks' - disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) - peers = captured_pods | disjoint_ip_blocks - keys_list.append(key) - conn_graph_removed_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, False) - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, disjoint_ip_blocks, True) - for peer1 in peers: - for peer2 in disjoint_ip_blocks if peer1 in captured_pods else captured_pods: - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - old_conns, _, _, _ = self.config1.allowed_connections(peer1, peer2) - new_conns, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if new_conns != old_conns: - conn_graph_removed_per_key[key].add_edge(peer1, peer2, old_conns - new_conns) - conn_graph_added_per_key[key].add_edge(peer1, peer2, new_conns - old_conns) - - # 4.1. new connections between intersected peers and added peers - key = 'New connections between persistent peers and added peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for pair in itertools.product(intersected_peers, added_peers): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[1], pair[0]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[1], pair[0], new_conns) - - # 5.1. 
new connections between added peers - key = 'New connections between added peers' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, PeerSet(), True) - for pair in itertools.permutations(added_peers, 2): - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - continue - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - # 5.2. new connections between added peers and ipBlocks - key = 'New connections between added peers and ipBlocks' - keys_list.append(key) - conn_graph_removed_per_key[key] = None - conn_graph_added_per_key[key] = self.get_conn_graph_changed_conns(key, new_ip_blocks, True) - - for pair in itertools.product(added_peers, new_ip_blocks): - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[0], pair[1]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[0], pair[1]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[0], pair[1], new_conns) - - if self.determine_whether_to_compute_allowed_conns_for_peer_types(pair[1], pair[0]): - new_conns, _, _, _ = self.config2.allowed_connections(pair[1], pair[0]) - if new_conns: - conn_graph_added_per_key[key].add_edge(pair[1], pair[0], new_conns) - - return keys_list, conn_graph_removed_per_key, conn_graph_added_per_key - def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_container): """ - create a ConnectivityGraph for changed (added/removed) connections per given key + create an explanation for changed (added/removed) connections per given key :param key: the key (category) of changed connections :param ip_blocks: a PeerSet of ip-blocks to be added for the topology peers :param is_added: a bool flag indicating if connections are added or removed 
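Review bot: The rewritten docstring of `get_changed_props_expl_data` says it "create[s] an explanation", but the function returns a `SemanticDiffQuery.PropsAndExplanationData(props, ClusterInfo(...), output_config, peer_container)` bundle, i.e. the inputs from which the explanation is later computed in `compute_explanation_for_key`. Suggested wording: `create the PropsAndExplanationData (props, cluster topology, output config, peer container) from which the explanation of changed (added/removed) connections per given key is later built`. Since `is_added`/`is_removed` in `get_results_for_computed_fw_rules` now rely on the truthiness of `added_props.props` / `removed_props.props`, a short comment that an empty ConnectivityProperties is falsy would help the next reader; I could not confirm that from this hunk. Both functions extend past the hunk boundary.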
@@ -1861,7 +1211,7 @@ def get_changed_props_expl_data(self, key, ip_blocks, is_added, props, peer_cont return SemanticDiffQuery.PropsAndExplanationData(props, ClusterInfo(topology_peers, allowed_labels), output_config, peer_container) - def compute_diff_optimized(self): # noqa: C901 + def compute_diff(self): # noqa: C901 """ Compute changed connections (by optimized implementation) as following: @@ -1896,21 +1246,18 @@ def compute_diff_optimized(self): # noqa: C901 captured_pods = (self.config1.get_captured_pods() | self.config2.get_captured_pods()) & intersected_peers exclude_ipv6 = self.config1.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) and \ self.config2.check_for_excluding_ipv6_addresses(self.output_config.excludeIPv6Range) - old_ip_blocks = IpBlock.disjoint_ip_blocks(self.config1.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) - new_ip_blocks = IpBlock.disjoint_ip_blocks(self.config2.get_referenced_ip_blocks(exclude_ipv6), - IpBlock.get_all_ips_block_peer_set(exclude_ipv6), - exclude_ipv6) + all_ip_blocks = IpBlock.get_all_ips_block_peer_set(exclude_ipv6) removed_props_per_key = dict() added_props_per_key = dict() keys_list = [] res_conns_filter = PolicyConnectionsFilter.only_all_allowed_connections() - old_conns = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) - new_conns = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter) + old_conns = self.config1.allowed_connections(res_conns_filter=res_conns_filter) + new_conns = self.config2.allowed_connections(res_conns_filter=res_conns_filter) old_props, new_props = self.filter_conns_by_input_or_internal_constraints(old_conns.all_allowed_conns, new_conns.all_allowed_conns) + old_minus_new_props = old_props - new_props + new_minus_old_props = new_props - old_props # 1.1. lost connections between removed peers key = 'Lost connections between removed peers' 
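Review bot: With `all_ip_blocks = IpBlock.get_all_ips_block_peer_set(exclude_ipv6)` now the single IP-block set for both configurations, the derivation of `exclude_ipv6` deserves a comment: it is the `and` of both configs' `check_for_excluding_ipv6_addresses(...)`, so IPv6 ranges presumably remain on both sides of the diff as soon as either config keeps them. Suggested comment above the new line: `# IPv6 is dropped only when BOTH configs exclude it; otherwise it is kept on both sides so the diff stays symmetric`. The hoisted `old_minus_new_props` / `new_minus_old_props` are a good change; a one-line comment that these are the whole-config set differences which each category below narrows with its own `props` would make the intent clear. `compute_diff` starts outside this hunk, and its docstring still says "(by optimized implementation)", a qualifier that no longer distinguishes anything now that `compute_diff_original` is gone.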
@@ -1927,11 +1274,11 @@ def compute_diff_optimized(self): # noqa: C901 key = 'Lost connections between removed peers and ipBlocks' keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": removed_peers, - "dst_peers": old_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": old_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": removed_peers}) props &= old_props - removed_props_per_key[key] = self.get_changed_props_expl_data(key, old_ip_blocks, False, props, + removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, props, self.config1.peer_container) added_props_per_key[key] = None 
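Review bot: The two-way `ConnectivityProperties.make_conn_props_from_dict({"src_peers": X, "dst_peers": all_ip_blocks}) | ...({"src_peers": all_ip_blocks, "dst_peers": X})` construction is now written out three times in this function (categories 1.2, 3.2 and 5.2, differing only in the pod-side peer set), which is easy to make asymmetric on a later edit. A small helper that builds the symmetric properties once would leave `props &= old_props` (or `new_props`) as the only per-category line. `compute_diff` starts and ends outside this hunk.
```python
@staticmethod
def _symmetric_props(peers_a, peers_b):
    """Connectivity properties covering peers_a -> peers_b and peers_b -> peers_a."""
    return ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers_a, "dst_peers": peers_b}) | \
        ConnectivityProperties.make_conn_props_from_dict({"src_peers": peers_b, "dst_peers": peers_a})

# … in compute_diff, category 1.2 (likewise 3.2 and 5.2):
props = self._symmetric_props(removed_peers, all_ip_blocks) & old_props
```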
@@ -1955,28 +1302,25 @@ def compute_diff_optimized(self): # noqa: C901 "dst_peers": intersected_peers}) | \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": intersected_peers, "dst_peers": captured_pods}) - props1 = old_props & props - props1 = props1.props_without_auto_conns() - props2 = new_props & props - props2 = props2.props_without_auto_conns() - removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, props1 - props2, + removed_props = (old_minus_new_props & props).props_without_auto_conns() + added_props = (new_minus_old_props & props).props_without_auto_conns() + removed_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), False, removed_props, self.config1.peer_container) - added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, props2 - props1, + added_props_per_key[key] = self.get_changed_props_expl_data(key, PeerSet(), True, added_props, self.config2.peer_container) # 3.2. lost/new connections between intersected peers and ipBlocks due to changes in policies and labels key = 'Changed connections between persistent peers and ipBlocks' - disjoint_ip_blocks = IpBlock.disjoint_ip_blocks(old_ip_blocks, new_ip_blocks, exclude_ipv6) keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": captured_pods, - "dst_peers": disjoint_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": disjoint_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": captured_pods}) - props1 = old_props & props - props2 = new_props & props - removed_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, False, props1 - props2, + removed_props = old_minus_new_props & props + added_props = new_minus_old_props & props + removed_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, False, removed_props, 
self.config1.peer_container) - added_props_per_key[key] = self.get_changed_props_expl_data(key, disjoint_ip_blocks, True, props2 - props1, + added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, added_props, self.config2.peer_container) # 4.1. new connections between intersected peers and added peers @@ -2007,12 +1351,12 @@ def compute_diff_optimized(self): # noqa: C901 key = 'New connections between added peers and ipBlocks' keys_list.append(key) props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": added_peers, - "dst_peers": new_ip_blocks}) | \ - ConnectivityProperties.make_conn_props_from_dict({"src_peers": new_ip_blocks, + "dst_peers": all_ip_blocks}) | \ + ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_ip_blocks, "dst_peers": added_peers}) props &= new_props removed_props_per_key[key] = None - added_props_per_key[key] = self.get_changed_props_expl_data(key, new_ip_blocks, True, props, + added_props_per_key[key] = self.get_changed_props_expl_data(key, all_ip_blocks, True, props, self.config2.peer_container) return keys_list, removed_props_per_key, added_props_per_key 
@@ -2022,25 +1366,9 @@ def exec(self, cmd_line_flag): query_answer = self.is_identical_topologies(True) if query_answer.bool_result and query_answer.output_result: return query_answer - orig_conn_graph_removed_per_key = dict() - orig_conn_graph_added_per_key = dict() - res = 0 - explanation = "" - if self.config1.optimized_run != 'true': - keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key = self.compute_diff_original() - if self.config1.optimized_run == 'false': - res, explanation = self.get_results_for_computed_fw_rules(keys_list, orig_conn_graph_removed_per_key, - orig_conn_graph_added_per_key) - if self.config1.optimized_run != 'false': - keys_list, removed_props_per_key, added_props_per_key = self.compute_diff_optimized() - if self.config1.optimized_run == 'true': - res, explanation = self.get_results_for_computed_fw_rules_opt(keys_list, removed_props_per_key, - added_props_per_key) - else: - res, explanation = self.get_results_for_computed_fw_rules_and_compare_orig_to_opt( - keys_list, orig_conn_graph_removed_per_key, orig_conn_graph_added_per_key, - removed_props_per_key, added_props_per_key) - + keys_list, removed_props_per_key, added_props_per_key = self.compute_diff() + res, explanation = self.get_results_for_computed_fw_rules(keys_list, removed_props_per_key, + added_props_per_key) if res > 0: return QueryAnswer(bool_result=False, output_result=f'{self.name1} and {self.name2} are not semantically equivalent.', 
@@ -2113,44 +1441,16 @@ def exec(self, cmd_line_flag=False, only_captured=False): return QueryAnswer(False, f'{self.name1} is not contained in {self.name2} ', output_explanation=[final_explanation], numerical_result=0 if not cmd_line_flag else 1) - if self.config1.optimized_run == 'false': - return self.check_containment_original(cmd_line_flag, only_captured) - else: - return self.check_containment_optimized(cmd_line_flag, only_captured) - - def check_containment_original(self, cmd_line_flag=False, only_captured=False): - config1_peers = self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare = config1_peers | self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods() | self.config2.get_captured_pods() - not_contained_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1_all, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if only_captured and not captured1_flag: - continue - conns1 = conns1_captured if only_captured else conns1_all - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2) - if not conns1.contained_in(conns2): - not_contained_list.append(PeersAndConnections(str(peer1), str(peer2), conns1)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(not_contained_list, cmd_line_flag) - if not_contained_list: - return self._query_answer_with_relevant_explanation(sorted(not_contained_list), cmd_line_flag) - return QueryAnswer(True, self.name1 + ' is contained in ' + self.name2, - numerical_result=1 if not cmd_line_flag else 0) + return self.check_containment(cmd_line_flag, only_captured) - def check_containment_optimized(self, cmd_line_flag=False, only_captured=False): + def check_containment(self, 
cmd_line_flag=False, only_captured=False): if only_captured: res_conns_filter1 = PolicyConnectionsFilter.only_allowed_connections() else: res_conns_filter1 = PolicyConnectionsFilter.only_all_allowed_connections() res_conns_filter2 = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter1) - conn_props2 = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter2) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter1) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter2) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints( conn_props1.allowed_conns if only_captured else conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) 
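Review bot: `check_containment` becomes the only implementation but has no docstring, and the `only_captured` semantics are non-obvious: the hunk shows that it selects `PolicyConnectionsFilter.only_allowed_connections()` and `conn_props1.allowed_conns` for config1 while config2 always contributes `all_allowed_conns`, so the question asked is "are the connections config1's policies capture contained in everything config2 allows". Suggested docstring: `Check whether every connection allowed by config1 (or, with only_captured, only those captured by its policies) is also allowed by config2; cmd_line_flag flips the numerical result for command-line use.` The removed pairwise version skipped pairs with `captured1_flag` false, so a comment confirming that `allowed_conns` is empty for uncaptured pairs would document that the two are equivalent. The method continues past this hunk.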
@@ -2264,42 +1564,13 @@ def exec(self, cmd_line_flag): else not query_answer.bool_result return query_answer - if self.config1.optimized_run == 'false': - return self.check_interferes_original(cmd_line_flag) - else: - return self.check_interferes_optimized(cmd_line_flag) + return self.check_interferes(cmd_line_flag) - def check_interferes_original(self, cmd_line_flag): - peers_to_compare = \ - self.config2.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config2.get_captured_pods() | self.config1.get_captured_pods() - extended_conns_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - _, captured2_flag, conns2_captured, _ = self.config2.allowed_connections(peer1, peer2) - if not captured2_flag: - continue - _, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if captured1_flag and not conns1_captured.contained_in(conns2_captured): - extended_conns_list.append(PeersAndConnections(str(peer1), str(peer2), conns1_captured, - conns2_captured)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(extended_conns_list, cmd_line_flag) - if extended_conns_list: - return self._query_answer_with_relevant_explanation(sorted(extended_conns_list), cmd_line_flag) - return QueryAnswer(False, self.name1 + ' does not interfere with ' + self.name2, - numerical_result=0 if not cmd_line_flag else 1) - - def check_interferes_optimized(self, cmd_line_flag=False): + def check_interferes(self, cmd_line_flag=False): res_conns_filter = PolicyConnectionsFilter.only_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter) - conn_props2 = 
self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints(conn_props1.allowed_conns, conn_props2.allowed_conns) if conns1.contained_in(conns2): 
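Review bot: The deleted `check_interferes_original` only compared a pair when config2 captured it (`if not captured2_flag: continue`) and config1 captured it too, whereas the new `check_interferes` simply tests `conns1.contained_in(conns2)` on both sides' `allowed_conns` under `only_allowed_connections()`; this is equivalent only if `allowed_conns` is empty for pairs a layer does not capture, which I cannot confirm from this hunk. A comment stating that assumption above the `contained_in` call, e.g. `# allowed_conns holds captured connections only, so uncaptured pairs contribute nothing to either side`, would make the intent checkable. The method also lacks a docstring now that it is the sole implementation; one sentence on "interferes" (config1 captures connections that config2's captured set does not allow) would do. The method continues past this hunk.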
@@ -2347,48 +1618,16 @@ def exec(self, cmd_line_flag=False, only_captured=True): if query_answer.output_result: return query_answer - if self.config1.optimized_run == 'false': - return self.check_intersects_original() - else: - return self.check_intersects_optimized() - - def check_intersects_original(self, only_captured=True): - peers_to_compare = \ - self.config1.peer_container.get_all_peers_group(include_dns_entries=True) - peers_to_compare |= self.disjoint_referenced_ip_blocks() - captured_pods = self.config1.get_captured_pods() | self.config2.get_captured_pods() - intersect_connections_list = [] - for peer1 in peers_to_compare: - for peer2 in peers_to_compare if peer1 in captured_pods else captured_pods: - if peer1 == peer2: - continue - if not self.determine_whether_to_compute_allowed_conns_for_peer_types(peer1, peer2): - continue - conns1_all, captured1_flag, conns1_captured, _ = self.config1.allowed_connections(peer1, peer2) - if only_captured and not captured1_flag: - continue - conns1 = conns1_captured if only_captured else conns1_all - conns2, _, _, _ = self.config2.allowed_connections(peer1, peer2) - conns_in_both = conns2 & conns1 - if bool(conns_in_both): - intersect_connections_list.append(PeersAndConnections(str(peer1), str(peer2), conns_in_both)) - if not self.output_config.fullExplanation: - return self._query_answer_with_relevant_explanation(intersect_connections_list) - - if intersect_connections_list: - return self._query_answer_with_relevant_explanation(sorted(intersect_connections_list)) - - return QueryAnswer(False, f'The connections allowed by {self.name1}' - f' do not intersect the connections allowed by {self.name2}', numerical_result=1) + return self.check_intersects() - def check_intersects_optimized(self, only_captured=True): + def check_intersects(self, only_captured=True): if only_captured: res_conns_filter1 = PolicyConnectionsFilter.only_allowed_connections() else: res_conns_filter1 = 
PolicyConnectionsFilter.only_all_allowed_connections() res_conns_filter2 = PolicyConnectionsFilter.only_all_allowed_connections() - conn_props1 = self.config1.allowed_connections_optimized(res_conns_filter=res_conns_filter1) - conn_props2 = self.config2.allowed_connections_optimized(res_conns_filter=res_conns_filter2) + conn_props1 = self.config1.allowed_connections(res_conns_filter=res_conns_filter1) + conn_props2 = self.config2.allowed_connections(res_conns_filter=res_conns_filter2) conns1, conns2 = self.filter_conns_by_input_or_internal_constraints( conn_props1.allowed_conns if only_captured else conn_props1.all_allowed_conns, conn_props2.all_allowed_conns) diff --git a/nca/NetworkConfig/NetworkLayer.py b/nca/NetworkConfig/NetworkLayer.py index affb7d817..52a1fd6c5 100644 --- a/nca/NetworkConfig/NetworkLayer.py +++ b/nca/NetworkConfig/NetworkLayer.py @@ -5,14 +5,13 @@ from bisect import insort from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.CoreDS.Peer import IpBlock, HostEP, PeerSet, DNSEntry +from nca.CoreDS.Peer import IpBlock, HostEP, PeerSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.PolicyResources.IstioNetworkPolicy import IstioNetworkPolicy from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicy -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy, \ +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy, \ PolicyConnectionsFilter from nca.Utils.ExplTracker import ExplTracker 
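Review bot: `exec(self, cmd_line_flag=False, only_captured=True)` now ends with `return self.check_intersects()`, so the caller's `only_captured` argument is dropped and `check_intersects` always runs with its own default of `True`; the removed `_original`/`_optimized` calls had the same omission, but this is the moment to fix it with `return self.check_intersects(only_captured)`. If ignoring the argument is intentional, the parameter should be removed from `exec` or documented as unused. Both `exec` and `check_intersects` extend outside this hunk.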
@@ -99,30 +98,17 @@ def does_contain_istio_layers(self): return bool({NetworkLayerName.Istio, NetworkLayerName.IstioGateway} & set(self.keys())) @staticmethod - def empty_layer_allowed_connections(layer_name, from_peer, to_peer): - """ - Get allowed connections between two peers for an empty layer (no policies). - :param NetworkLayerName layer_name: The empty layer name - :param Peer.Peer from_peer: the source peer - :param Peer.Peer to_peer: the target peer - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - empty_layer_obj = layer_name.create_network_layer([]) - return empty_layer_obj.allowed_connections(from_peer, to_peer) - - @staticmethod - def empty_layer_allowed_connections_optimized(peer_container, layer_name, - res_conns_filter=PolicyConnectionsFilter()): + def empty_layer_allowed_connections(peer_container, layer_name, res_conns_filter=PolicyConnectionsFilter()): """ Get allowed connections between for all relevant peers for an empty layer (no policies). :param PeerContainer peer_container: holds all the peers :param NetworkLayerName layer_name: The empty layer name :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with None value will not be calculated) - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ empty_layer_obj = layer_name.create_network_layer([]) - return empty_layer_obj.allowed_connections_optimized(peer_container, res_conns_filter) + return empty_layer_obj.allowed_connections(peer_container, res_conns_filter) class NetworkLayer: 
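Review bot: The docstring kept for the renamed `empty_layer_allowed_connections` still reads "Get allowed connections between for all relevant peers", a leftover from the two-peer wording; suggest `Get the allowed connections among all relevant peers of peer_container for an empty layer (no policies).` The rename also changes the parameter order from `(layer_name, from_peer, to_peer)` to `(peer_container, layer_name, res_conns_filter)`, so any remaining caller of the old name would fail with a TypeError rather than a NameError, which is worth a note in the commit message. The default `res_conns_filter=PolicyConnectionsFilter()` is evaluated once at definition time and shared by all calls; if that object is ever mutated downstream, prefer a `None` default resolved inside the body.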
@@ -144,39 +130,7 @@ def add_policy(self, policy): """ insort(self.policies_list, policy) - def allowed_connections(self, from_peer, to_peer): - """ - Compute per network layer the allowed connections between from_peer and to_peer, considering - all layer's policies (and defaults) - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :return: a 4-tuple with: - - allowed_conns: all allowed connections (captured/non-captured) - - captured_flag: flag to indicate if any of the policies captured one of the peers (src/dst) - - allowed_captured_conns: allowed captured connections (can be used only if the captured flag is True) - - denied_conns: connections denied by the policies (captured) - :rtype: ConnectionSet, bool, ConnectionSet, ConnectionSet - """ - if isinstance(to_peer, IpBlock): - ingress_conns = PolicyConnections(captured=False, all_allowed_conns=ConnectionSet(True)) - else: - ingress_conns = self._allowed_xgress_conns(from_peer, to_peer, True) - - if isinstance(from_peer, IpBlock): - egress_conns = PolicyConnections(captured=False, all_allowed_conns=ConnectionSet(True)) - else: - egress_conns = self._allowed_xgress_conns(from_peer, to_peer, False) - - captured_flag = ingress_conns.captured or egress_conns.captured - denied_conns = ingress_conns.denied_conns | egress_conns.denied_conns - allowed_conns = ingress_conns.all_allowed_conns & egress_conns.all_allowed_conns - # captured connections are where at least one of ingress / egress is captured - allowed_captured_conns = (ingress_conns.allowed_conns & egress_conns.all_allowed_conns) | \ - (egress_conns.allowed_conns & ingress_conns.all_allowed_conns) - - return allowed_conns, captured_flag, allowed_captured_conns, denied_conns - - def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def allowed_connections(self, peer_container, res_conns_filter=PolicyConnectionsFilter()): """ Compute per network layer the allowed 
connections between any relevant peers, considering all layer's policies (and defaults) @@ -184,11 +138,11 @@ def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyC :param PolicyConnectionsFilter res_conns_filter: filter of the required resulting connections (connections with None value will not be calculated) :return: all allowed, denied and captured connections - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() - ingress_conns = self._allowed_xgress_conns_optimized(True, peer_container, res_conns_filter) - egress_conns = self._allowed_xgress_conns_optimized(False, peer_container, res_conns_filter) + res_conns = PolicyConnections() + ingress_conns = self._allowed_xgress_conns(True, peer_container, res_conns_filter) + egress_conns = self._allowed_xgress_conns(False, peer_container, res_conns_filter) all_pods_peer_set = peer_container.get_all_peers_group() all_ips_peer_set = IpBlock.get_all_ips_block_peer_set() if res_conns_filter.calc_all_allowed: 
@@ -209,51 +163,13 @@ def allowed_connections_optimized(self, peer_container, res_conns_filter=PolicyC (egress_conns.allowed_conns & ingress_conns.all_allowed_conns) return res_conns - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - """ - Implemented by derived classes to get allowed and denied ingress/egress connections between from_peer and to_pee - """ - return NotImplemented - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): """ Implemented by derived classes to get ingress/egress connections between any relevant peers - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ return NotImplemented - def collect_policies_conns(self, from_peer, to_peer, is_ingress, - captured_func=lambda policy: True): - """ - Collect allowed/denied/pass connections between two peers, considering all layer's policies that capture the - relevant peers. - :param Peer.Peer from_peer: the source peer - :param Peer.Peer to_peer: the dest peer - :param bool is_ingress: indicates whether to return ingress connections or egress connections - :param captured_func: callable that returns True if the policy satisfies additional conditions required for - considering the target pod as captured and not applying the default connections to it. 
- :return: (allowed_conns, denied_conns, pass_conns, captured_res) - :rtype: (ConnectionSet, ConnectionSet, ConnectionSet, bool) - """ - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - pass_conns = ConnectionSet() - captured_res = False - for policy in self.policies_list: - policy_conns = policy.allowed_connections(from_peer, to_peer, is_ingress) - if policy_conns.captured: - captured_res |= captured_func(policy) - policy_conns.denied_conns -= allowed_conns - policy_conns.denied_conns -= pass_conns - policy_conns.allowed_conns -= denied_conns - policy_conns.allowed_conns -= pass_conns - policy_conns.pass_conns -= denied_conns - policy_conns.pass_conns -= allowed_conns - denied_conns |= policy_conns.denied_conns - allowed_conns |= policy_conns.allowed_conns - pass_conns |= policy_conns.pass_conns - return allowed_conns, denied_conns, pass_conns, captured_res - def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda policy: True): """ Collect all connections (between all relevant peers), considering all layer's policies that capture the @@ -262,11 +178,11 @@ def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda poli :param captured_func: callable that returns True if the policy satisfies additional conditions required for considering captured pods instead of applying the default connections. :return: allowed_conns, denied_conns and set of peers to be added to captured peers - :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() for policy in self.policies_list: - policy_conns = policy.allowed_connections_optimized(is_ingress) + policy_conns = policy.allowed_connections(is_ingress) if policy_conns.captured: # not empty if captured_func(policy): res_conns.captured |= policy_conns.captured 
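Review bot: `collect_policies_conns_optimized` keeps its `_optimized` suffix while the sibling methods in this hunk and the previous ones (`allowed_connections`, `_allowed_xgress_conns`) drop it now that their un-optimized twins are deleted; the name no longer distinguishes anything and suggests a non-optimized variant still exists. Renaming it to `collect_policies_conns` would finish the cleanup; its callers visible in this file are the two `_allowed_xgress_conns` overrides at `@@ -285` and `@@ -356`. Separately, the abstract `_allowed_xgress_conns` still ends with `return NotImplemented`, which is the binary-operator sentinel rather than an error, so a layer that forgets the override would hand a non-PolicyConnections object to `allowed_connections` silently; `raise NotImplementedError` is the safer form.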
@@ -285,25 +201,7 @@ def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda poli class K8sCalicoNetworkLayer(NetworkLayer): - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - allowed_conns, denied_conns, pass_conns, captured_res = self.collect_policies_conns(from_peer, to_peer, - is_ingress) - - allowed_non_captured_conns = ConnectionSet() - captured_peer_is_host_endpoint = (is_ingress and isinstance(to_peer, HostEP)) or \ - (not is_ingress and isinstance(from_peer, HostEP)) - if not captured_res and not captured_peer_is_host_endpoint: - # default Allow-all in k8s / calico - # (assuming only calico's default profiles for pods with connectivity rules exist) - # assuming host endpoints have no profiles - allowed_non_captured_conns = ConnectionSet(True) - elif pass_conns and not captured_peer_is_host_endpoint: - # assuming only default profiles generated by calico exist, which allow all for pods - allowed_conns |= pass_conns - return PolicyConnections(captured_res, allowed_conns, denied_conns, - all_allowed_conns=allowed_conns | allowed_non_captured_conns) - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): res_conns = self.collect_policies_conns_optimized(is_ingress) # Note: The below computation of non-captured conns cannot be done during the parse stage, # since before computing non-captured conns we should collect all policies conns 
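Review bot: The deleted per-peer `_allowed_xgress_conns` special-cased host endpoints (`captured_peer_is_host_endpoint`) so that a HostEP never received Calico's default allow-all nor the pass-to-profile fallback; the surviving peer-set variant's body runs past the end of this hunk, so I cannot see whether it applies the same exclusion when it computes non-captured connections. If it does, a short comment next to the retained `# Note:` block, `# host endpoints get no default-allow and no profile pass-through`, would keep that invariant findable; if it does not, host endpoints silently gain default connectivity in what is now the default run. `HostEP` is still imported in this file, which suggests the handling exists somewhere below.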
@@ -356,23 +254,7 @@ def captured_cond_func(policy): return policy.action == GatewayPolicy.ActionType.Allow return True # only for Istio AuthorizationPolicy the captured condition is more refined with 'Allow' policies - def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - # in istio applying default-allow if there is no capturing policy with action allow - - allowed_conns, denied_conns, _, captured_res = self.collect_policies_conns(from_peer, to_peer, is_ingress, - IstioNetworkLayer.captured_cond_func) - # for istio initialize non-captured conns with non-TCP connections - allowed_non_captured_conns = ConnectionSet.get_non_tcp_connections() - if not captured_res: # no allow policies for target - # add connections allowed by default that are not captured - allowed_non_captured_conns |= (ConnectionSet(True) - denied_conns) - # exception: update allowed non-captured conns to DNSEntry dst with TCP only - if isinstance(to_peer, DNSEntry): - allowed_non_captured_conns = ConnectionSet.get_all_tcp_connections() - denied_conns - return PolicyConnections(captured_res, allowed_conns, denied_conns, - all_allowed_conns=allowed_conns | allowed_non_captured_conns) - - def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): + def _allowed_xgress_conns(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): res_conns = self.collect_policies_conns_optimized(is_ingress, IstioNetworkLayer.captured_cond_func) if not res_conns_filter.calc_all_allowed: return res_conns diff --git a/nca/NetworkConfig/PoliciesFinder.py b/nca/NetworkConfig/PoliciesFinder.py index e9c3dfadb..9fa6e3a14 100644 --- a/nca/NetworkConfig/PoliciesFinder.py +++ b/nca/NetworkConfig/PoliciesFinder.py 
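Review bot: The removed Istio `_allowed_xgress_conns` restricted non-captured connections to a DNSEntry destination to TCP only (`ConnectionSet.get_all_tcp_connections() - denied_conns`), and this commit also drops the `DNSEntry` import from this file; the retained method's body is cut off at the end of the hunk, so whether the peer-set path preserves that rule is not visible here. If the optimized computation already covers it (the commit message mentions handling the TCP/non-TCP restriction), a one-line comment at the top of the method, `# DNSEntry destinations: non-captured conns are TCP-only (handled in <WHERE>)`, would document it; otherwise non-TCP traffic to DNS entries would now be reported as allowed by default.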
@@ -24,11 +24,10 @@ class PoliciesFinder: This class is responsible for finding the network policies in the relevant input resources The class contains several ways to build the set of policies (from cluster, from file-system, from GitHub). """ - def __init__(self, optimized_run='false'): + def __init__(self): self.policies_container = PoliciesContainer() self._parse_queue = deque() self.peer_container = None - self.optimized_run = optimized_run # following missing resources fields are relevant for "livesim" mode, # where certain resources are added to enable the analysis self.missing_istio_gw_pods_with_labels = set() @@ -73,11 +72,11 @@ def parse_policies_in_parse_queue(self): # noqa: C901 for policy, file_name, policy_type in self._parse_queue: parsed_policy = None if policy_type == NetworkPolicy.PolicyType.CalicoProfile: - parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name) # only during parsing adding extra labels from profiles (not supporting profiles with rules) parsed_policy = parsed_element.parse_policy() elif policy_type == NetworkPolicy.PolicyType.K8sNetworkPolicy: - parsed_element = K8sPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = K8sPolicyYamlParser(policy, self.peer_container, file_name) parsed_policy = parsed_element.parse_policy() self._add_policy(parsed_policy) # add info about missing resources 
@@ -109,7 +108,7 @@ def parse_policies_in_parse_queue(self): # noqa: C901 istio_vs_parser = IstioVirtualServiceYamlParser(self.peer_container) istio_vs_parser.parse_virtual_service(policy, file_name) else: - parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name, self.optimized_run) + parsed_element = CalicoPolicyYamlParser(policy, self.peer_container, file_name) parsed_policy = parsed_element.parse_policy() self._add_policy(parsed_policy) # the name is sometimes modified when parsed, like in the ingress case, when "allowed" is added diff --git a/nca/NetworkConfig/QueryOutputHandler.py b/nca/NetworkConfig/QueryOutputHandler.py index a57fd6925..11d79ca44 100644 --- a/nca/NetworkConfig/QueryOutputHandler.py +++ b/nca/NetworkConfig/QueryOutputHandler.py @@ -5,7 +5,7 @@ from abc import abstractmethod from dataclasses import dataclass, field -from nca.CoreDS.ConnectionSet import ConnectionSet +from nca.CoreDS.ConnectivityProperties import ConnectivityProperties @dataclass @@ -43,7 +43,8 @@ def get_explanation_in_dict(self): # following classes describe possible OutputExplanation patterns (derived from it), each class consists of the # explanation fields that may appear together in one output_explanation and additional info for writing # the explanation if required -# PoliciesWithCommonPods and PeersAndConnections classes are helping classes for storing info on some OutputExplanation +# PoliciesWithCommonPods and PeersAndConnectivityProperties classes are helper classes +# for storing info on some OutputExplanation @dataclass class PoliciesWithCommonPods: """ 
@@ -230,14 +231,14 @@ def get_explanation_in_str(self): @dataclass -class PeersAndConnections: +class PeersAndConnectivityProperties: """ A class for holding info on connections between same peers pairs in two different configs """ src_peer: str = '' dst_peer: str = '' - conns1: ConnectionSet = field(default_factory=ConnectionSet) # connections from src to dst in first config - conns2: ConnectionSet = field(default_factory=ConnectionSet) # connections from src to dst in second config + conns1: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections in first config + conns2: ConnectivityProperties = field(default_factory=ConnectivityProperties) # connections in second config def __lt__(self, other): if self.src_peer == other.src_peer: 
@@ -250,17 +251,17 @@ class ConnectionsDiffExplanation(OutputExplanation): # used in following TwoNetworkConfigs queries that compare connections of pairs of peers in both configs: # EquivalenceQuery, StrongEquivalenceQuery, ContainmentQuery, TwoWayContainmentQuery, PermitsQuery, InterferesQuery, # PairwiseInterferesQuery, and ForbidsQuery - peers_diff_connections_list: list = field(default_factory=list) # list of PeersAndConnections objects, + peers_diff_connections_list: list = field(default_factory=list) # list of PeersAndConnectivityProperties objects, # storing info of pairs of peers and their connection in the config/s configs: list = field(default_factory=list) # list[str]: configs names, relevant only when we have the - # conns1 and conns2 in PeersAndConnections items , so we need them when calling ConnectionSet.print_diff - # in get_explanation_in_str + # conns1 and conns2 in PeersAndConnectivityProperties items, + # so we need them when calling ConnectivityProperties.print_diff in get_explanation_in_str conns_diff: bool = False def get_explanation_in_dict(self): """ returns the explanation results of ConnectionsDiffExplanation and its description arranged in dict. - if self.conns_diff is True, i.e. PeersAndConnections items contain two connections, then for each + if self.conns_diff is True, i.e. PeersAndConnectivityProperties items contain two connections, then for each (src, dst) pair , connections from both configs will be presented to emphasize the differences :rtype list[dict] """ 
@@ -278,8 +279,8 @@ def get_explanation_in_dict(self): def get_explanation_in_str(self): """ returns the explanation result of ConnectionsDiffExplanation and its description in str. - When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnections items, the diff between - connection of each pair is printed + When self.conns_diff is True, i.e. having conns1 and conns2 in PeersAndConnectivityProperties items, + the diff between connection of each pair is printed otherwise (having only conns1, connections from first config is printed) :rtype str """ diff --git a/nca/NetworkConfig/ResourcesHandler.py b/nca/NetworkConfig/ResourcesHandler.py index 6f9f1d76f..741bfa165 100644 --- a/nca/NetworkConfig/ResourcesHandler.py +++ b/nca/NetworkConfig/ResourcesHandler.py @@ -44,7 +44,7 @@ def __init__(self): self.global_pods_finder = None self.global_ns_finder = None - def set_global_peer_container(self, global_ns_list, global_pod_list, global_resource_list, optimized_run='false'): + def set_global_peer_container(self, global_ns_list, global_pod_list, global_resource_list): """ builds the global peer container based on global input resources, it also saves the global pods and namespaces finder, to use in case specific configs missing one of them. @@ -54,7 +54,7 @@ def set_global_peer_container(self, global_ns_list, global_pod_list, global_reso :param Union[list[str], None] global_resource_list: list of global entries of namespaces/pods to handle in case specific list is None """ - global_resources_parser = ResourcesParser(optimized_run) + global_resources_parser = ResourcesParser() self._set_config_peer_container(global_ns_list, global_pod_list, global_resource_list, 'global', True, global_resources_parser) 
@@ -122,7 +122,7 @@ def analyze_livesim(policy_finder): return livesim_configuration_addons - def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_flag, np_list, optimized_run): + def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_flag, np_list): """ Parse the elements and build peer container. :param Union[list[str], None] ns_list: namespaces entries @@ -135,7 +135,7 @@ def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_fla :param Union[list[str], None] np_list: networkPolicies entries :return: PeerContainer, ResourcesParser, str """ - resources_parser = ResourcesParser(optimized_run) + resources_parser = ResourcesParser() # build peer container peer_container = \ self._set_config_peer_container(ns_list, pod_list, resource_list, config_name, save_flag, resources_parser) @@ -146,7 +146,7 @@ def parse_elements(self, ns_list, pod_list, resource_list, config_name, save_fla return peer_container, resources_parser, cfg def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_name='global', save_flag=False, - optimized_run='false'): + debug=False): """ First tries to build a peer_container using the input resources (NetworkConfigs's resources) If fails, it uses the global peer container. @@ -158,6 +158,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n if the specific list is None :param str config_name: name of the config :param bool save_flag: used in cmdline queries with two configs, if save flag is True + :param bool debug: for performing some correctness checks will save the peer container as global to use it for base config's peer resources in case are missing :rtype NetworkConfig """ 
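Review bot: The new `:param bool debug: for performing some correctness checks` line in `get_network_config`'s docstring is inserted in the middle of the `save_flag` description, so the continuation `will save the peer container as global ...` on the next line now reads as part of `debug`. Move the `debug` line to just before `:rtype NetworkConfig`, after the `save_flag` sentence ends. Also, `debug` takes the positional slot that `optimized_run` used to hold; an out-of-tree caller still passing `'false'` positionally would get a truthy debug flag instead of an error, so if all in-tree callers pass it by keyword, `*, debug=False` would surface such callers.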
@@ -167,8 +168,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n resource_list, config_name, save_flag, - np_list, - optimized_run) + np_list) NcaLogger().unmute() # check if LiveSim can add anything. livesim_addons = self.analyze_livesim(resources_parser.policies_finder) @@ -189,8 +189,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n resource_list, config_name, save_flag, - np_list, - optimized_run) + np_list) else: # no relevant livesim resources to add NcaLogger().flush_messages() @@ -201,7 +200,7 @@ def get_network_config(self, np_list, ns_list, pod_list, resource_list, config_n # build and return the networkConfig return NetworkConfig(name=config_name, peer_container=peer_container, policies_container=resources_parser.policies_finder.policies_container, - optimized_run=optimized_run) + debug=debug) def _set_config_peer_container(self, ns_list, pod_list, resource_list, config_name, save_flag, resources_parser): success, res_type = resources_parser.parse_lists_for_topology(ns_list, pod_list, resource_list) @@ -253,8 +252,8 @@ class ResourcesParser: """ This class parses the input resources for topology (pods, namespaces, services) and policies. """ - def __init__(self, optimized_run='false'): - self.policies_finder = PoliciesFinder(optimized_run) + def __init__(self): + self.policies_finder = PoliciesFinder() self.pods_finder = PodsFinder() self.ns_finder = NamespacesFinder() self.services_finder = ServicesFinder() diff --git a/nca/Parsers/CalicoPolicyYamlParser.py b/nca/Parsers/CalicoPolicyYamlParser.py index 672db2e47..fef0949b8 100644 --- a/nca/Parsers/CalicoPolicyYamlParser.py +++ b/nca/Parsers/CalicoPolicyYamlParser.py 
@@ -11,7 +11,6 @@ from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.DimensionsManager import DimensionsManager -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy from nca.Resources.PolicyResources.CalicoNetworkPolicy import CalicoNetworkPolicy, CalicoPolicyRule from .GenericYamlParser import GenericYamlParser @@ -22,7 +21,7 @@ class CalicoPolicyYamlParser(GenericYamlParser): A parser for Calico NetworkPolicy/GlobalNetworkPolicy/Profile objects """ - def __init__(self, policy, peer_container, policy_file_name='', optimized_run='false'): + def __init__(self, policy, peer_container, policy_file_name=''): """ :param dict policy: The policy object as provided by the yaml parser :param PeerContainer peer_container: The policy will be evaluated against this set of peers @@ -34,7 +33,6 @@ def __init__(self, policy, peer_container, policy_file_name='', optimized_run='f self.namespace = None # collecting labels used in calico network policy for fw-rules computation self.referenced_labels = set() - self.optimized_run = optimized_run def _parse_selector_expr(self, expr, origin_map, namespace, is_namespace_selector): """ @@ -380,9 +378,7 @@ def _parse_icmp(self, icmp_data, not_icmp_data, protocol, src_pods, dst_pods): :param: str protocol: the ICMP-like protocol :param PeerSet src_pods: the source pods :param PeerSet dst_pods: the destination pods - :return: a tuple (ConnectivityProperties, ConnectivityProperties), - where the first ConnectivityProperties is an original-format ICMP connections, - and the second ConnectivityProperties is an optimized-format ICMP connections, including src and dst pods. + :return: a ConnectivityProperties, representing ICMP properties, including src and dst pods. :rtype: tuple (ConnectivityProperties, ConnectivityProperties) """ icmp_type = icmp_data.get('type') if icmp_data is not None else None 
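Review bot: The rewritten `:return:` of `_parse_icmp` now describes a single ConnectivityProperties, but the `:rtype: tuple (ConnectivityProperties, ConnectivityProperties)` line directly below it is left unchanged and still promises a pair; the body in the next hunk ends with `return res_props`. Change it to `:rtype: ConnectivityProperties`.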
@@ -413,41 +409,25 @@ def _parse_icmp(self, icmp_data, not_icmp_data, protocol, src_pods, dst_pods): not_conn_cube["icmp_type"] = not_icmp_type if not_icmp_code: not_conn_cube["icmp_code"] = not_icmp_code - opt_conn_cube = conn_cube.copy() - opt_not_conn_cube = not_conn_cube.copy() - if self.optimized_run != 'false': - opt_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) - opt_not_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) + conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) + not_conn_cube.update({"src_peers": src_pods, "dst_peers": dst_pods, "protocols": protocols}) - opt_props = ConnectivityProperties.make_empty_props() if icmp_data is not None: - res = ConnectivityProperties.make_conn_props(conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) + res_props = ConnectivityProperties.make_conn_props(conn_cube) if not_icmp_data is not None: if icmp_type == not_icmp_type and icmp_code == not_icmp_code: - res = ConnectivityProperties.make_empty_props() self.warning('icmp and notICMP are conflicting - no traffic will be matched', not_icmp_data) elif icmp_type == not_icmp_type and icmp_code is None: # this is the only case where it makes sense to combine icmp and notICMP - tmp = ConnectivityProperties.make_conn_props(not_conn_cube) - res -= tmp - if self.optimized_run != 'false': - tmp_opt_props = ConnectivityProperties.make_conn_props(opt_not_conn_cube) - opt_props -= tmp_opt_props + res_props -= ConnectivityProperties.make_conn_props(not_conn_cube) else: self.warning('notICMP has no effect', not_icmp_data) elif not_icmp_data is not None: - res = ConnectivityProperties.make_conn_props(conn_cube) - \ - ConnectivityProperties.make_conn_props(not_conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) - \ - 
ConnectivityProperties.make_conn_props(opt_not_conn_cube) + res_props = ConnectivityProperties.make_conn_props(conn_cube) - \ + ConnectivityProperties.make_conn_props(not_conn_cube) else: # no icmp_data or no_icmp_data; only protocol - res = ConnectivityProperties.make_conn_props(conn_cube) - if self.optimized_run != 'false': - opt_props = ConnectivityProperties.make_conn_props(opt_conn_cube) - return res, opt_props + res_props = ConnectivityProperties.make_conn_props(conn_cube) + return res_props def _parse_protocol(self, protocol, rule): """ @@ -475,8 +455,8 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): :param bool is_ingress: Whether this is an ingress rule :param PeerSet policy_selected_eps: The endpoints the policy captured :param bool is_profile: Whether the parsed policy is a Profile object - :return: A tuple (CalicoPolicyRule, ConnectivityProperties) with the proper PeerSets, ConnectionSets and Action, - where ConnectivityProperties is an optimized rule format with protocols, src_peers and dst_peers in a HyperCubeSet + :return: A tuple (CalicoPolicyRule, ConnectivityProperties) with the proper PeerSets, connectivity properties + and Action :rtype: tuple(CalicoPolicyRule, ConnectivityProperties) """ allowed_keys = {'action': 1, 'protocol': 0, 'notProtocol': 0, 'icmp': 0, 'notICMP': 0, 'ipVersion': 0, @@ -490,7 +470,7 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): self.warning('Pass actions in Profile rules will be ignored', rule) protocol = self._parse_protocol(rule.get('protocol'), rule) - protocol_supports_ports = ConnectionSet.protocol_supports_ports(protocol) + protocol_supports_ports = ProtocolSet.protocol_supports_ports(protocol) not_protocol = self._parse_protocol(rule.get('notProtocol'), rule) src_entity_rule = rule.get('source') if src_entity_rule: 
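Review bot: In the `icmp_type == not_icmp_type and icmp_code == not_icmp_code` branch the old code reset the result with `res = ConnectivityProperties.make_empty_props()`, and that line is deleted without a replacement, so `res_props` keeps the value assigned a few lines earlier from `conn_cube` and the function returns the full ICMP properties while warning that no traffic will be matched. The pre-existing `opt_props` path had the same gap, so this is not a regression, but the warning and the return value now disagree in the only code path left. Add `res_props = ConnectivityProperties.make_empty_props()` next to the `self.warning('icmp and notICMP are conflicting - no traffic will be matched', not_icmp_data)` call.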
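Review bot: `_parse_xgress_rule` returns a single `CalicoPolicyRule(src_res_pods, dst_res_pods, action, conn_props)` (the return at the end of the `@@ -522` hunk), yet the rewritten `:return:` still says `A tuple (CalicoPolicyRule, ConnectivityProperties)` and `:rtype: tuple(CalicoPolicyRule, ConnectivityProperties)`; the properties now travel inside the rule. The same stale wording is kept in `IstioPolicyYamlParser.parse_ingress_rule` (`@@ -465`), whose body returns `IstioPolicyRule(res_peers, conn_props)`. Suggest `:return: A CalicoPolicyRule with the proper PeerSets, connectivity properties and Action` and `:rtype: CalicoPolicyRule` here, and the IstioPolicyRule equivalent there.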
@@ -511,7 +491,6 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): else: src_res_pods &= policy_selected_eps - connections = ConnectionSet() conn_props = ConnectivityProperties.make_empty_props() if protocol is not None: protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) 
@@ -522,68 +501,33 @@ def _parse_xgress_rule(self, rule, is_ingress, policy_selected_eps, is_profile): self.warning('notProtocol field has no effect', rule) else: if protocol_supports_ports: - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - connections.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - if self.optimized_run != 'false': - conn_cube.update({"protocols": protocols, "src_peers": src_res_pods, "dst_peers": dst_res_pods}) - conn_props = ConnectivityProperties.make_conn_props(conn_cube) - elif ConnectionSet.protocol_is_icmp(protocol): - icmp_props, conn_props = self._parse_icmp(rule.get('icmp'), rule.get('notICMP'), - protocol, src_res_pods, dst_res_pods) - connections.add_connections(protocol, icmp_props) + conn_props = ConnectivityProperties.make_conn_props_from_dict( + {"src_ports": src_res_ports, "dst_ports": dst_res_ports, "protocols": protocols, + "src_peers": src_res_pods, "dst_peers": dst_res_pods}) + elif ProtocolSet.protocol_is_icmp(protocol): + conn_props = self._parse_icmp(rule.get('icmp'), rule.get('notICMP'), protocol, + src_res_pods, dst_res_pods) else: - connections.add_connections(protocol, True) - if self.optimized_run != 'false': - conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, - "src_peers": src_res_pods, - "dst_peers": dst_res_pods}) + conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, + "src_peers": src_res_pods, + "dst_peers": dst_res_pods}) elif not_protocol is not None: - connections.add_all_connections() - connections.remove_protocol(not_protocol) - if self.optimized_run != 'false' and src_res_pods and dst_res_pods: + if src_res_pods and dst_res_pods: protocols = ProtocolSet(True) protocols.remove_protocol(not_protocol) conn_props = ConnectivityProperties.make_conn_props_from_dict({"protocols": protocols, "src_peers": src_res_pods, "dst_peers": dst_res_pods}) else: - 
connections.allow_all = True - if self.optimized_run != 'false': - conn_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_res_pods, - "dst_peers": dst_res_pods}) - self._verify_named_ports(rule, dst_res_pods, connections) + conn_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_res_pods, + "dst_peers": dst_res_pods}) if not src_res_pods and policy_selected_eps and (is_ingress or not is_profile): self.warning('Rule selects no source endpoints', rule) if not dst_res_pods and policy_selected_eps and (not is_ingress or not is_profile): self.warning('Rule selects no destination endpoints', rule) - return CalicoPolicyRule(src_res_pods, dst_res_pods, connections, action, conn_props) - - def _verify_named_ports(self, rule, rule_eps, rule_conns): - """ - Check the validity of named ports in a given rule: whether a relevant ep refers to the named port and whether - the protocol defined in the policy matches the protocol defined by the ep. Issue warnings as required. - :param dict rule: The unparsed rule (for reference in warnings) - :param Peer.PeerSet rule_eps: The set of eps in which the named ports should be defined - :param ConnectionSet rule_conns: The rule-specified connections, possibly containing named ports - :return: None - """ - if not rule_conns.has_named_ports(): - return - named_ports = rule_conns.get_named_ports() - for protocol, rule_ports in named_ports: - for port in rule_ports: - port_used = False - for pod in rule_eps: - pod_named_port = pod.get_named_ports().get(port) - if pod_named_port: - port_used = True - if ProtocolNameResolver.get_protocol_number(pod_named_port[1]) != protocol: - self.warning(f'Protocol mismatch for named port {port} (vs. 
Pod {pod.full_name()})', rule) - - if not port_used: - self.warning(f'Named port {port} is not defined in any selected pod', rule) + return CalicoPolicyRule(src_res_pods, dst_res_pods, action, conn_props) def _apply_extra_labels(self, policy_spec, is_profile, profile_name): """ @@ -667,7 +611,7 @@ def _get_selected_peers(self, policy_spec, is_profile, policy_name): def parse_policy(self): """ Parses the input object to create a CalicoNetworkPolicy object - :return: a CalicoNetworkPolicy object with proper PeerSets, ConnectionSets and Actions + :return: a CalicoNetworkPolicy object with proper PeerSets, connectivity properties and Actions :rtype: CalicoNetworkPolicy """ policy_name, policy_ns = \ diff --git a/nca/Parsers/GenericGatewayYamlParser.py b/nca/Parsers/GenericGatewayYamlParser.py index 33b354071..85c1c2dd9 100644 --- a/nca/Parsers/GenericGatewayYamlParser.py +++ b/nca/Parsers/GenericGatewayYamlParser.py @@ -10,7 +10,6 @@ from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicyRule from .GenericYamlParser import GenericYamlParser @@ -78,8 +77,6 @@ def _make_allow_rules(conn_props, src_peers): :param PeerSet src_peers: the source peers to add to optimized props :return: the list of IngressPolicyRules """ - assert not conn_props.named_ports - assert not conn_props.excluded_named_ports res = [] assert not conn_props.is_active_dimension("src_peers") # extract dst_peers dimension from cubes 
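Review bot: This hunk deletes `_verify_named_ports` together with its only call, so the two user-facing warnings it produced, `Protocol mismatch for named port ...` and `Named port ... is not defined in any selected pod`, are gone and nothing in the new `_parse_xgress_rule` body replaces them; the `assert not conn_props.named_ports` checks removed from `GenericGatewayYamlParser._make_allow_rules` in the `@@ -78` hunk point the same way. If named-port resolution and its validation now happen elsewhere (for instance when `make_conn_props_from_dict` is given `dst_peers`), a comment at the `conn_props = ConnectivityProperties.make_conn_props_from_dict(` call naming that location would help the next reader; if not, a Calico rule that references an undefined named port is now parsed without any warning.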
@@ -91,10 +88,7 @@ def _make_allow_rules(conn_props, src_peers): rule_opt_props = ConnectivityProperties.make_conn_props(conn_cube) dst_peer_set = new_conn_cube["dst_peers"] new_conn_cube.unset_dim("dst_peers") - new_props = ConnectivityProperties.make_conn_props(new_conn_cube) - new_conns = ConnectionSet() - new_conns.add_connections('TCP', new_props) - res.append(GatewayPolicyRule(dst_peer_set, new_conns, rule_opt_props)) + res.append(GatewayPolicyRule(dst_peer_set, rule_opt_props)) return res @staticmethod diff --git a/nca/Parsers/IstioGatewayPolicyGenerator.py b/nca/Parsers/IstioGatewayPolicyGenerator.py index 5579b67db..c9cdd9619 100644 --- a/nca/Parsers/IstioGatewayPolicyGenerator.py +++ b/nca/Parsers/IstioGatewayPolicyGenerator.py @@ -7,7 +7,6 @@ from nca.CoreDS.MinDFA import MinDFA from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.Resources.PolicyResources.GatewayPolicy import GatewayPolicy, GatewayPolicyRule from nca.Resources.PolicyResources.NetworkPolicy import NetworkPolicy @@ -212,14 +211,12 @@ def create_allow_rule(self, source_peers, dest, this_route_conn_cube, is_ingress """ conn_cube = this_route_conn_cube.copy() conn_cube["dst_ports"] = dest.ports - conns = ConnectionSet() - conns.add_connections(self.protocol_name, ConnectivityProperties.make_conn_props(conn_cube)) conn_cube.update({"src_peers": source_peers, "dst_peers": dest.pods, "protocols": self.protocols}) opt_props = ConnectivityProperties.make_conn_props(conn_cube) if is_ingress: - return GatewayPolicyRule(source_peers, conns, opt_props) + return GatewayPolicyRule(source_peers, opt_props) else: - return GatewayPolicyRule(dest.pods, conns, opt_props) + return GatewayPolicyRule(dest.pods, opt_props) @staticmethod def create_deny_rule(source_peers, dst_peers): 
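Review bot: With the ConnectionSet representation removed, the `opt_` prefix in `rule_opt_props` no longer contrasts with anything and sends readers looking for a non-optimized counterpart; the same applies to `opt_props` in `IstioGatewayPolicyGenerator.create_allow_rule` and `create_deny_rule` (`@@ -212`, `@@ -229`) and to the docstring phrase `the source peers to add to optimized props` just above this hunk. Rename to `rule_props` / `props` and drop "optimized" from that docstring line.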
@@ -229,7 +226,7 @@ def create_deny_rule(source_peers, dst_peers): """ opt_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": source_peers, "dst_peers": dst_peers}) - return GatewayPolicyRule(dst_peers, ConnectionSet(True), opt_props) + return GatewayPolicyRule(dst_peers, opt_props) def create_gtw_to_mesh_and_deny_policies(self, vs, route, route_cnt, gtw_to_hosts, used_gateways): """ diff --git a/nca/Parsers/IstioPolicyYamlParser.py b/nca/Parsers/IstioPolicyYamlParser.py index 9beeb507f..e70302767 100644 --- a/nca/Parsers/IstioPolicyYamlParser.py +++ b/nca/Parsers/IstioPolicyYamlParser.py @@ -7,7 +7,6 @@ from nca.CoreDS.MinDFA import MinDFA from nca.CoreDS.DimensionsManager import DimensionsManager from nca.CoreDS.Peer import IpBlock, PeerSet -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.MethodSet import MethodSet @@ -465,8 +464,7 @@ def parse_ingress_rule(self, rule, selected_peers): Parse a single ingress rule, producing a IstioPolicyRule. :param dict rule: The dict with the rule fields :param PeerSet selected_peers: The selected peers of the policy - :return: A tuple (IstioPolicyRule, ConnectivityProperties) with the proper PeerSet and ConnectionSet, - where ConnectivityProperties is an optimized rule format in a HyperCubeSet format + :return: A tuple (IstioPolicyRule, ConnectivityProperties) with the proper PeerSet and connectivity properties :rtype: tuple(IstioPolicyRule, ConnectivityProperties) """ if rule is None: 
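Review bot: The `:return:` line rewritten in the `parse_ingress_rule` hunk still describes a tuple, and the untouched `:rtype: tuple(IstioPolicyRule, ConnectivityProperties)` below it does too, while the return visible in the next hunk is a single `IstioPolicyRule(res_peers, conn_props)`. Since the docstring is being edited anyway, make it `:return: An IstioPolicyRule with the proper PeerSet and connectivity properties` and `:rtype: IstioPolicyRule`. The same stale `tuple(K8sPolicyRule, ConnectivityProperties)` rtype appears as context in the K8sPolicyYamlParser `parse_ingress_rule` and `parse_egress_rule` hunks further down, both of which return `res_rule` alone. `parse_ingress_rule`'s body continues outside this hunk, so there may be other return statements I cannot see.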
@@ -495,11 +493,8 @@ def parse_ingress_rule(self, rule, selected_peers): if to_array is not None: for operation_dict in to_array: conn_props |= self.parse_operation(operation_dict) - connections = ConnectionSet() - connections.add_connections('TCP', conn_props) conn_props &= tcp_props else: # no 'to' in the rule => all connections allowed - connections = ConnectionSet(True) conn_props = ConnectivityProperties.get_all_conns_props_per_config_peers(self.peer_container) # condition possible result value: @@ -507,7 +502,6 @@ def parse_ingress_rule(self, rule, selected_peers): # should update either res_pods or condition_props according to the condition condition_array = rule.get('when') # this array can be empty (unlike 'to' and 'from') # the combined condition ("AND" of all conditions) should be applied - condition_conns = ConnectionSet(True) condition_props = ConnectivityProperties.make_all_props() if condition_array is not None: for condition in condition_array: @@ -516,8 +510,6 @@ def parse_ingress_rule(self, rule, selected_peers): res_peers &= condition_res elif isinstance(condition_res, ConnectivityProperties): condition_props &= condition_res - condition_conns = ConnectionSet() - condition_conns.add_connections('TCP', condition_props) condition_props &= tcp_props if not res_peers: self.warning('Rule selects no pods', rule) @@ -526,9 +518,8 @@ def parse_ingress_rule(self, rule, selected_peers): else: condition_props &= ConnectivityProperties.make_conn_props_from_dict({"src_peers": res_peers, "dst_peers": selected_peers}) - connections &= condition_conns conn_props &= condition_props - return IstioPolicyRule(res_peers, connections, conn_props) + return IstioPolicyRule(res_peers, conn_props) @staticmethod def parse_policy_action(action): 
@@ -545,7 +536,7 @@ def parse_policy_action(action): def parse_policy(self): """ Parses the input object to create a IstioNetworkPolicy object - :return: a IstioNetworkPolicy object with proper PeerSets and ConnectionSets + :return: a IstioNetworkPolicy object with proper PeerSets and connectivity properties :rtype: IstioNetworkPolicy """ policy_name, policy_ns = self.parse_generic_yaml_objects_fields(self.policy, ['AuthorizationPolicy'], diff --git a/nca/Parsers/K8sPolicyYamlParser.py b/nca/Parsers/K8sPolicyYamlParser.py index 8b4e5737f..9921280d8 100644 --- a/nca/Parsers/K8sPolicyYamlParser.py +++ b/nca/Parsers/K8sPolicyYamlParser.py @@ -5,9 +5,7 @@ import re from nca.CoreDS import Peer -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.PortSet import PortSet -from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ProtocolNameResolver import ProtocolNameResolver from nca.CoreDS.ProtocolSet import ProtocolSet @@ -21,7 +19,7 @@ class K8sPolicyYamlParser(GenericYamlParser): A parser for k8s NetworkPolicy objects """ - def __init__(self, policy, peer_container, policy_file_name='', optimized_run='false'): + def __init__(self, policy, peer_container, policy_file_name=''): """ :param dict policy: The policy object as provided by the yaml parser :param PeerContainer peer_container: The policy will be evaluated against this set of peers @@ -32,7 +30,6 @@ def __init__(self, policy, peer_container, policy_file_name='', optimized_run='f self.peer_container = peer_container self.namespace = None self.referenced_labels = set() - self.optimized_run = optimized_run # a set of (key, value) pairs (note, the set may contain pods with labels having same keys but different values self.missing_pods_with_labels = set() 
@@ -330,57 +327,26 @@ def parse_ingress_egress_rule(self, rule, peer_array_key, policy_selected_pods): src_pods = policy_selected_pods dst_pods = res_pods - res_opt_props = ConnectivityProperties.make_empty_props() + res_props = ConnectivityProperties.make_empty_props() ports_array = rule.get('ports', []) if ports_array: - res_conns = ConnectionSet() for port in ports_array: protocol, dest_port_set = self.parse_port(port) if isinstance(protocol, str): protocol = ProtocolNameResolver.get_protocol_number(protocol) - conn_cube = ConnectivityCube.make_from_dict({"dst_ports": dest_port_set}) # K8s doesn't reason about src ports - res_conns.add_connections(protocol, ConnectivityProperties.make_conn_props(conn_cube)) - if self.optimized_run != 'false' and src_pods and dst_pods: + if src_pods and dst_pods: protocols = ProtocolSet.get_protocol_set_with_single_protocol(protocol) - conn_cube.update({"protocols": protocols, "src_peers": src_pods, "dst_peers": dst_pods}) - conn_props = ConnectivityProperties.make_conn_props(conn_cube) - res_opt_props |= conn_props + conn_props = ConnectivityProperties.make_conn_props_from_dict( + {"dst_ports": dest_port_set, "protocols": protocols, "src_peers": src_pods, + "dst_peers": dst_pods}) + res_props |= conn_props else: - res_conns = ConnectionSet(True) - if self.optimized_run != 'false': - res_opt_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, - "dst_peers": dst_pods}) + res_props = ConnectivityProperties.make_conn_props_from_dict({"src_peers": src_pods, "dst_peers": dst_pods}) if not res_pods: self.warning('Rule selects no pods', rule) - return K8sPolicyRule(res_pods, res_conns, res_opt_props) - - def verify_named_ports(self, rule, rule_pods, rule_conns): - """ - Check the validity of named ports in a given rule: whether a relevant pod refers to the named port and whether - the protocol defined in the policy matches the protocol defined by the Pod. Issue warnings as required. 
- :param dict rule: The unparsed rule (for reference in warnings) - :param Peer.PeerSet rule_pods: The set of Pods in which the named ports should be defined - :param ConnectionSet rule_conns: The rule-specified connections, possibly containing named ports - :return: None - """ - if not rule_conns.has_named_ports(): - return - named_ports = rule_conns.get_named_ports() - for protocol, rule_ports in named_ports: - for port in rule_ports: - port_used = False - for pod in rule_pods: - pod_named_port = pod.named_ports.get(port) - if pod_named_port: - port_used = True - if ProtocolNameResolver.get_protocol_number(pod_named_port[1]) != protocol: - self.warning(f'Protocol mismatch for named port {port} (vs. Pod {pod.full_name()})', - rule['ports']) - - if not port_used: - self.warning(f'Named port {port} is not defined in any selected pod', rule['ports']) + return K8sPolicyRule(res_pods, res_props) def parse_ingress_rule(self, rule, policy_selected_pods): """ @@ -393,7 +359,6 @@ def parse_ingress_rule(self, rule, policy_selected_pods): :rtype: tuple(K8sPolicyRule, ConnectivityProperties) """ res_rule = self.parse_ingress_egress_rule(rule, 'from', policy_selected_pods) - self.verify_named_ports(rule, policy_selected_pods, res_rule.port_set) return res_rule def parse_egress_rule(self, rule, policy_selected_pods): @@ -407,13 +372,12 @@ def parse_egress_rule(self, rule, policy_selected_pods): :rtype: tuple(K8sPolicyRule, ConnectivityProperties) """ res_rule = self.parse_ingress_egress_rule(rule, 'to', policy_selected_pods) - self.verify_named_ports(rule, res_rule.peer_set, res_rule.port_set) return res_rule def parse_policy(self): """ Parses the input object to create a K8sNetworkPolicy object - :return: a K8sNetworkPolicy object with proper PeerSets and ConnectionSets + :return: a K8sNetworkPolicy object with proper PeerSets and connectivity properties :rtype: K8sNetworkPolicy """ policy_name, policy_ns = self.parse_generic_yaml_objects_fields(self.policy, ['NetworkPolicy'], 
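Review bot: Deleting `verify_named_ports` and its two call sites removes the only place the parser warned about a named port that no selected pod defines, or whose pod-declared protocol differs from the rule's protocol, and nothing in the new `parse_ingress_egress_rule` replaces those diagnostics. If named-port resolution now happens inside `ConnectivityProperties.make_conn_props_from_dict`, the same warnings should be surfaced from there; otherwise a policy that references a misspelled or protocol-mismatched named port now parses silently, which is the kind of misconfiguration a policy verifier is expected to report. Independently, the `if src_pods and dst_pods:` test inside `for port in ports_array:` does not depend on the loop variable and could guard the loop as a whole, and `conn_props` is used only on the following line, so `res_props |= ConnectivityProperties.make_conn_props_from_dict({...})` reads more directly. `parse_port` is called here but defined outside the hunk, so I cannot tell whether it still yields named ports.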
diff --git a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py index 38570d534..b9a178513 100644 --- a/nca/Resources/PolicyResources/CalicoNetworkPolicy.py +++ b/nca/Resources/PolicyResources/CalicoNetworkPolicy.py @@ -4,10 +4,9 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS import Peer -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from .NetworkPolicy import PolicyConnections, NetworkPolicy class CalicoPolicyRule: @@ -23,24 +22,22 @@ class ActionType(Enum): Log = 2 Pass = 3 - def __init__(self, src_peers, dst_peers, connections, action, opt_props): + def __init__(self, src_peers, dst_peers, action, props): """ :param Peer.PeerSet src_peers: The source peers this rule refers to :param Peer.PeerSet dst_peers: The destination peers this rule refers to - :param ConnectionSet connections: The connections allowed/denied/passed by this rule :param ActionType action: The rule action + :param ConnectivityProperties props: the connectivity properties represented by this rule """ self.src_peers = src_peers self.dst_peers = dst_peers - self.connections = connections self.action = action - self.optimized_props = opt_props + self.props = props # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.src_peers == other.src_peers and self.dst_peers == other.dst_peers and \ - self.connections == other.connections and self.action == other.action + return self.props == other.props and self.action == other.action def contained_in(self, other): """ 
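Review bot: `CalicoPolicyRule.__eq__` now compares only `props` and `action`, so two rules with different `src_peers`/`dst_peers` compare equal unless `props` always carries the src_peers/dst_peers dimensions; the K8s and Istio parsers in this patch build props with those dimensions, but the Calico parser's construction of `conn_props` is not visible here, so please confirm it does too. `__eq__` also dereferences `other.props` without a type check, so comparing a rule against `None` or another rule type raises AttributeError instead of returning `NotImplemented`; a leading `if not isinstance(other, CalicoPolicyRule): return NotImplemented` would fix that. Both points apply equally to the GatewayPolicyRule and IstioPolicyRule `__eq__` rewrites further down. The comment `# copy of optimized props` above `self.props_copy` was left unrenamed here while the Gateway and Istio rules got `# copy of props`.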
@@ -48,8 +45,7 @@ def contained_in(self, other): :return: Whether all connections specified by 'self' are also specified by 'other' (regardless of action) :rtype: bool """ - return self.src_peers.issubset(other.src_peers) and self.dst_peers.issubset(other.dst_peers) and \ - self.connections.contained_in(other.connections) + return self.props.contained_in(other.props) @staticmethod def action_str_to_action_type(action_str): 
@@ -85,82 +81,42 @@ def __eq__(self, other): def _update_opt_props_by_order(self, is_ingress): # handle the order of rules for rule in self.ingress_rules if is_ingress else self.egress_rules: - props = rule.optimized_props.copy() + props = rule.props.copy() if rule.action == CalicoPolicyRule.ActionType.Allow: - props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props - props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props + props -= self._deny_ingress_props if is_ingress else self._deny_egress_props + props -= self._pass_ingress_props if is_ingress else self._pass_egress_props if is_ingress: - self._optimized_allow_ingress_props |= props + self._allow_ingress_props |= props else: - self._optimized_allow_egress_props |= props + self._allow_egress_props |= props elif rule.action == CalicoPolicyRule.ActionType.Deny: - props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props - props -= self._optimized_pass_ingress_props if is_ingress else self._optimized_pass_egress_props + props -= self._allow_ingress_props if is_ingress else self._allow_egress_props + props -= self._pass_ingress_props if is_ingress else self._pass_egress_props if is_ingress: - self._optimized_deny_ingress_props |= props + self._deny_ingress_props |= props else: - self._optimized_deny_egress_props |= props + self._deny_egress_props |= props elif rule.action == CalicoPolicyRule.ActionType.Pass: - props -= self._optimized_allow_ingress_props if is_ingress else self._optimized_allow_egress_props - props -= self._optimized_deny_ingress_props if is_ingress else self._optimized_deny_egress_props + props -= self._allow_ingress_props if is_ingress else self._allow_egress_props + props -= self._deny_ingress_props if is_ingress else self._deny_egress_props if is_ingress: - self._optimized_pass_ingress_props |= props + self._pass_ingress_props |= props else: - 
self._optimized_pass_egress_props |= props + self._pass_egress_props |= props - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), + If optimized props of the policy are not synchronized (self.props_in_sync is False), compute optimized props of the policy according to the optimized props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() self._update_opt_props_by_order(True) self._update_opt_props_by_order(False) - self.optimized_props_in_sync = True + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - pass_conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - for rule in rules: - if from_peer in rule.src_peers and to_peer in rule.dst_peers: - rule_conns = rule.connections.copy() # we need a copy because convert_named_ports is destructive - rule_conns.convert_named_ports(to_peer.get_named_ports()) - - if rule.action == CalicoPolicyRule.ActionType.Allow: - rule_conns -= denied_conns - rule_conns -= pass_conns - allowed_conns |= rule_conns - elif rule.action == CalicoPolicyRule.ActionType.Deny: - rule_conns -= allowed_conns - rule_conns -= 
pass_conns - denied_conns |= rule_conns - elif rule.action == CalicoPolicyRule.ActionType.Pass: - rule_conns -= allowed_conns - rule_conns -= denied_conns - pass_conns |= rule_conns - else: - pass # Nothing to do for Log action - does not affect connectivity - - return PolicyConnections(True, allowed_conns, denied_conns, pass_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this policy allows/denies/passes between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only @@ -169,16 +125,16 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() - res_conns.pass_conns = self.optimized_pass_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() + res_conns.pass_conns = self.pass_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() - res_conns.pass_conns = self.optimized_pass_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() + res_conns.pass_conns = self.pass_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet() return res_conns 
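Review bot: The rename to `props`/`sync_props` is incomplete in this hunk: `_update_opt_props_by_order` keeps its `opt` name, and the `sync_props` docstring still says "If optimized props of the policy are not synchronized ... according to the optimized props of its rules" although the attributes it now fills are `_allow_ingress_props` and friends. Renaming the helper to `_update_props_by_order` and rewording the docstring to `If props of the policy are not synchronized (self.props_in_sync is False), compute them from the props of its rules` would match the wording GatewayPolicy.sync_props uses in this patch. `allowed_connections` also reuses the name of the removed per-peer method with a different signature, so a caller not updated in this patch would fail with a TypeError at call time rather than at import; the callers are not visible here.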
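Review bot: The docstring of the renamed `allowed_connections` still says `:rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet)` while the body builds and returns a `PolicyConnections`; it should read `:return: A PolicyConnections object with the allowed/denied/pass connections and the captured peers` and `:rtype: PolicyConnections`. The same stale rtype is left as context in the IstioNetworkPolicy.allowed_connections hunk, and GatewayPolicy.allowed_connections fixes its `:rtype:` but keeps `:return: A OptimizedPolicyConnections object`, a class this patch removes from the imports.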
@@ -204,25 +160,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): res.add_ingress_rule(rule) return res - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = Peer.PeerSet() - for rule in self.egress_rules: - for peer in rule.dst_peers: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - for rule in self.ingress_rules: - for peer in rule.src_peers: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/GatewayPolicy.py b/nca/Resources/PolicyResources/GatewayPolicy.py index f48815e29..5450bc287 100644 --- a/nca/Resources/PolicyResources/GatewayPolicy.py +++ b/nca/Resources/PolicyResources/GatewayPolicy.py 
@@ -4,30 +4,27 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.Peer import PeerSet -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy class GatewayPolicyRule: """ A class representing a single rule in a GatewayPolicy object """ - def __init__(self, peer_set, connections, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection to - :param ConnectionSet connections: The set of connections allowed by this rule - :param ConnectivityProperties opt_props: the optimized connections + :param ConnectivityProperties props: the connections """ self.peer_set = peer_set - self.connections = connections - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.connections == other.connections + return self.props == other.props def contained_in(self, other): """ @@ -35,7 +32,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.connections.contained_in(other.connections) + return self.props.contained_in(other.props) class GatewayPolicy(NetworkPolicy): 
@@ -94,70 +91,42 @@ def add_egress_rules(self, rules): """ self.egress_rules.extend(rules) - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: if self.action == GatewayPolicy.ActionType.Allow: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props elif self.action == GatewayPolicy.ActionType.Deny: - self._optimized_deny_ingress_props |= rule.optimized_props + self._deny_ingress_props |= rule.props for rule in self.egress_rules: if self.action == GatewayPolicy.ActionType.Allow: - self._optimized_allow_egress_props |= rule.optimized_props + self._allow_egress_props |= rule.props elif self.action == GatewayPolicy.ActionType.Deny: - self._optimized_deny_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._deny_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this gateway policy allows between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only. 
- :return: A PolicyConnections object containing sets of allowed/denied connections - :rtype: PolicyConnections - """ - - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - other_peer = from_peer if is_ingress else to_peer - for rule in rules: - if other_peer in rule.peer_set: - assert not rule.connections.has_named_ports() - conns |= rule.connections - - if self.action == self.ActionType.Allow: - return PolicyConnections(True, allowed_conns=conns) - else: # Deny - return PolicyConnections(True, denied_conns=conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this ingress resource allows between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only. :return: A OptimizedPolicyConnections object containing all allowed/denied connections for any peers and the peer set of captured peers by this policy. 
- :rtype: OptimizedPolicyConnections + :rtype: PolicyConnections """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else PeerSet() return res_conns diff --git a/nca/Resources/PolicyResources/IstioNetworkPolicy.py b/nca/Resources/PolicyResources/IstioNetworkPolicy.py index 54b29a487..cf0ac2cd5 100644 --- a/nca/Resources/PolicyResources/IstioNetworkPolicy.py +++ b/nca/Resources/PolicyResources/IstioNetworkPolicy.py @@ -4,10 +4,9 @@ # from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.CoreDS.Peer import PeerSet, IpBlock -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.CoreDS.Peer import PeerSet +from .NetworkPolicy import PolicyConnections, NetworkPolicy class IstioPolicyRule: 
@@ -15,20 +14,18 @@ class IstioPolicyRule: A class representing a single ingress rule in a Istio AuthorizationPolicy object """ - def __init__(self, peer_set, connections, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection from - :param ConnectionSet connections: The set of connections allowed/denied by this rule (the action resides in the policy) + :param ConnectivityProperties props: the connections """ - # TODO: extend connections (ConnectionSet) to represent HTTP/grpc requests attributes self.peer_set = peer_set - self.connections = connections - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.connections == other.connections + return self.props == other.props def contained_in(self, other): """ @@ -36,7 +33,7 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.connections.contained_in(other.connections) + return self.props.contained_in(other.props) class IstioNetworkPolicy(NetworkPolicy): 
@@ -68,52 +65,24 @@ def __lt__(self, other): # required so we can evaluate the policies according t return self.action == IstioNetworkPolicy.ActionType.Deny return False - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the optimized props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: if self.action == IstioNetworkPolicy.ActionType.Allow: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props elif self.action == IstioNetworkPolicy.ActionType.Deny: - self._optimized_deny_ingress_props |= rule.optimized_props + self._deny_ingress_props |= rule.props self._optimized_allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() - self.optimized_props_in_sync = True + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - - # TODO: currently not handling egress, istio authorization policies have no egress rules - if not is_ingress: - return PolicyConnections(False, ConnectionSet(True)) - - captured = to_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - denied_conns = ConnectionSet() - - 
collected_conns = allowed_conns if self.action == IstioNetworkPolicy.ActionType.Allow else denied_conns - for rule in self.ingress_rules: - if from_peer in rule.peer_set: - collected_conns |= rule.connections - - return PolicyConnections(True, allowed_conns, denied_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Evaluate the set of connections this policy allows/denied/passed between any two peers :param bool is_ingress: whether we evaluate ingress rules only or egress rules only 
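Review bot: `self._optimized_allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()` in `sync_props` is an unchanged context line the rename missed: every other `_optimized_*` attribute in this hunk became `_*`, and the parallel line in IstioSidecar.sync_props was changed to `self._allow_ingress_props = ...`. As written the assignment creates an orphan attribute, and `allowed_connections(is_ingress=False)` returns whatever `_init_props()` left in `_allow_egress_props` instead of the all-connections value; `_init_props` is not visible here, so whether that is an empty set or an AttributeError depends on it. The line should be `self._allow_egress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers()`. Because the egress branch also sets `captured = PeerSet()`, the practical impact depends on how callers treat an uncaptured result, but the stale attribute is wrong either way.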
@@ -122,31 +91,17 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = self.selected_peers else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = PeerSet() return res_conns - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = PeerSet() - for rule in self.ingress_rules: - for peer in rule.peer_set: - if isinstance(peer, IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/IstioSidecar.py b/nca/Resources/PolicyResources/IstioSidecar.py index 9555c49c6..37f1d6068 100644 --- a/nca/Resources/PolicyResources/IstioSidecar.py +++ b/nca/Resources/PolicyResources/IstioSidecar.py 
@@ -5,11 +5,10 @@ from dataclasses import dataclass from enum import Enum -from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.CoreDS.Peer import IpBlock, PeerSet, DNSEntry +from nca.CoreDS.Peer import IpBlock, PeerSet from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from nca.Resources.PolicyResources.NetworkPolicy import PolicyConnections, NetworkPolicy @dataclass @@ -29,9 +28,9 @@ def __init__(self, peer_set, peers_for_ns_compare): self.special_egress_peer_set = peers_for_ns_compare # set of peers captured by a global sidecar with hosts of # './' form - then peers in this set will be in allowed connections only if are in the same namespace of the # source peer captured by the sidecar - self.optimized_props = ConnectivityProperties() - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = ConnectivityProperties() + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() class IstioSidecar(NetworkPolicy): 
@@ -51,63 +50,28 @@ def __init__(self, name, namespace): def __eq__(self, other): return super().__eq__(other) and self.default_sidecar == other.default_sidecar - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() - self._optimized_allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() + self._init_props() + self._allow_ingress_props = ConnectivityProperties.get_all_conns_props_per_domain_peers() for rule in self.egress_rules: - self._optimized_allow_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._allow_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows/denies/passes between two peers - :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed/denied/pass connections - :rtype: PolicyConnections - """ - # currently not handling ingress - if is_ingress: - return PolicyConnections(False, ConnectionSet(True)) - - captured = from_peer in self.selected_peers - # if not captured, or captured but the sidecar is not in from_peer top priority, don't consider connections - if not captured: - return PolicyConnections(False) - - # connections to IP-block is enabled only if the outbound mode is allow-any (disabled for registry only) - if isinstance(to_peer, IpBlock) and self.outbound_mode == 
IstioSidecar.OutboundMode.ALLOW_ANY: - return PolicyConnections(True, allowed_conns=ConnectionSet(True)) - - # since sidecar rules include only peer sets for now, if a to_peer appears in any rule then connections allowed - for rule in self.egress_rules: - if isinstance(to_peer, DNSEntry) and \ - (to_peer in rule.egress_peer_set or to_peer in rule.special_egress_peer_set): - return PolicyConnections(True, allowed_conns=ConnectionSet.get_all_tcp_connections()) - if to_peer in rule.egress_peer_set or \ - (to_peer in rule.special_egress_peer_set and from_peer.namespace == to_peer.namespace): - return PolicyConnections(True, allowed_conns=ConnectionSet(True)) - - # egress from from_peer to to_peer is not allowed : if to_peer not been captured in the rules' egress_peer_set, - # or if the sidecar is global and to_peer is not in same namespace of from_peer while rule host's ns is '.' - return PolicyConnections(True, allowed_conns=ConnectionSet()) - - def allowed_connections_optimized(self, is_ingress): - res_conns = OptimizedPolicyConnections() + def allowed_connections(self, is_ingress): + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() - res_conns.denied_conns = self.optimized_deny_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() + res_conns.denied_conns = self.deny_ingress_props().copy() res_conns.captured = PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() - res_conns.denied_conns = self.optimized_deny_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() + res_conns.denied_conns = self.deny_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else PeerSet() return res_conns 
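Review bot: The new `allowed_connections(self, is_ingress)` has no docstring, although the method it replaces and the K8s counterpart both document their contract. The sidecar-specific behaviour is only implicit in the code: the ingress branch always returns `captured = PeerSet()` and `sync_props` sets `_allow_ingress_props` to `get_all_conns_props_per_domain_peers()`, while the egress branch captures `selected_peers` only when `affects_egress`. A docstring such as `"""Return the PolicyConnections of this sidecar for ingress or egress; ingress is never captured (a sidecar restricts egress only)."""` would preserve the intent of the deleted `# currently not handling ingress` comment.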
@@ -169,7 +133,7 @@ def create_opt_egress_props(self, peer_container): # connections to IP-block is enabled only if the outbound mode is allow-any (disabled for registry only) if self.outbound_mode == IstioSidecar.OutboundMode.ALLOW_ANY: ip_blocks = IpBlock.get_all_ips_block_peer_set() - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": ip_blocks}) @@ -177,19 +141,19 @@ def create_opt_egress_props(self, peer_container): dst_dns_entries = dns_entries & (rule.egress_peer_set | rule.special_egress_peer_set) if self.selected_peers and dst_dns_entries: protocols = ProtocolSet.get_protocol_set_with_single_protocol('TCP') - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": dst_dns_entries, "protocols": protocols}) if self.selected_peers and rule.egress_peer_set: - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": self.selected_peers, "dst_peers": rule.egress_peer_set}) peers_sets_by_ns = self.combine_peer_sets_by_ns(self.selected_peers, rule.special_egress_peer_set, peer_container) for (from_peers, to_peers) in peers_sets_by_ns: if from_peers and to_peers: - rule.optimized_props |= \ + rule.props |= \ ConnectivityProperties.make_conn_props_from_dict({"src_peers": from_peers, "dst_peers": to_peers}) diff --git a/nca/Resources/PolicyResources/K8sNetworkPolicy.py b/nca/Resources/PolicyResources/K8sNetworkPolicy.py index bee0f242b..8a7223587 100644 --- a/nca/Resources/PolicyResources/K8sNetworkPolicy.py +++ b/nca/Resources/PolicyResources/K8sNetworkPolicy.py 
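Review bot: `create_opt_egress_props` keeps the `opt` infix while both hunks here, and the rest of the commit, drop it everywhere else (`sync_opt_props` → `sync_props`, `_init_opt_props` → `_init_props`, `rule.optimized_props` → `rule.props`); renaming it to `create_egress_props` would finish the cleanup. The method's signature and its call sites are outside these hunks, so the rename has to be applied there too.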
@@ -2,29 +2,27 @@ # Copyright 2020- IBM Inc. All rights reserved # SPDX-License-Identifier: Apache2.0 # -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS import Peer -from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy +from .NetworkPolicy import PolicyConnections, NetworkPolicy class K8sPolicyRule: """ A class representing a single ingress/egress rule in a K8s NetworkPolicy object """ - def __init__(self, peer_set, port_set, opt_props): + def __init__(self, peer_set, props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection to/from - :param ConnectionSet port_set: The set of connections allowed by this rule + :param ConnectivityProperties props: the connections """ self.peer_set = peer_set - self.port_set = port_set - self.optimized_props = opt_props - # copy of optimized props (used by src_peers/dst_peers domain-updating mechanism) - self.optimized_props_copy = ConnectivityProperties() + self.props = props + # copy of props (used by src_peers/dst_peers domain-updating mechanism) + self.props_copy = ConnectivityProperties() def __eq__(self, other): - return self.peer_set == other.peer_set and self.port_set == other.port_set + return self.props == other.props def contained_in(self, other): """ 
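Review bot: `K8sPolicyRule.__eq__` now compares only `self.props`, while `self.peer_set` is still stored and documented in `__init__` as the peers the rule allows; two rules with equal props but different `peer_set` values would now compare equal, and `contained_in` makes the same assumption. If `props` already carries the peers (the IstioSidecar hunks build rule props via `make_conn_props_from_dict({"src_peers": ..., "dst_peers": ...})`, so this may be intended), a comment on `__eq__` should say so, e.g. `# props already encodes src/dst peers; peer_set is kept for inspection only, so equality is on props alone`. The new `:param ConnectivityProperties props: the connections` line could also say what the properties include (peers, ports, protocols) rather than just "the connections".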
@@ -32,54 +30,28 @@ def contained_in(self, other): :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ - return self.peer_set.issubset(other.peer_set) and self.port_set.contained_in(other.port_set) + return self.props.contained_in(other.props) class K8sNetworkPolicy(NetworkPolicy): """ This class implements K8s-specific logic for NetworkPolicies """ - def sync_opt_props(self): + def sync_props(self): """ - If optimized props of the policy are not synchronized (self.optimized_props_in_sync is False), - compute optimized props of the policy according to the optimized props of its rules + If props of the policy are not synchronized (self.props_in_sync is False), + compute props of the policy according to the props of its rules """ - if self.optimized_props_in_sync: + if self.props_in_sync: return - self._init_opt_props() + self._init_props() for rule in self.ingress_rules: - self._optimized_allow_ingress_props |= rule.optimized_props + self._allow_ingress_props |= rule.props for rule in self.egress_rules: - self._optimized_allow_egress_props |= rule.optimized_props - self.optimized_props_in_sync = True + self._allow_egress_props |= rule.props + self.props_in_sync = True - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Evaluate the set of connections this policy allows between two peers - (either the allowed ingress into to_peer or the allowed egress from from_peer). 
- :param Peer.Peer from_peer: The source peer - :param Peer.Peer to_peer: The target peer - :param bool is_ingress: whether we evaluate ingress rules only or egress rules only - :return: A PolicyConnections object containing sets of allowed connections - :rtype: PolicyConnections - """ - captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ - not is_ingress and self.affects_egress and from_peer in self.selected_peers - if not captured: - return PolicyConnections(False) - - allowed_conns = ConnectionSet() - rules = self.ingress_rules if is_ingress else self.egress_rules - other_peer = from_peer if is_ingress else to_peer - for rule in rules: - if other_peer in rule.peer_set: - rule_conns = rule.port_set.copy() # we need a copy because convert_named_ports is destructive - rule_conns.convert_named_ports(to_peer.get_named_ports()) - allowed_conns |= rule_conns - - return PolicyConnections(True, allowed_conns) - - def allowed_connections_optimized(self, is_ingress): + def allowed_connections(self, is_ingress): """ Return the set of connections this policy allows between any two peers (either ingress or egress). @@ -89,12 +61,12 @@ def allowed_connections_optimized(self, is_ingress): and the peer set of captured peers by this policy. :rtype: tuple (ConnectivityProperties, ConnectivityProperties, PeerSet) """ - res_conns = OptimizedPolicyConnections() + res_conns = PolicyConnections() if is_ingress: - res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() + res_conns.allowed_conns = self.allow_ingress_props().copy() res_conns.captured = self.selected_peers if self.affects_ingress else Peer.PeerSet() else: - res_conns.allowed_conns = self.optimized_allow_egress_props().copy() + res_conns.allowed_conns = self.allow_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else Peer.PeerSet() return res_conns 
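Review bot: The removed per-destination step `rule.port_set.copy()` followed by `convert_named_ports(to_peer.get_named_ports())` has no visible counterpart in the new `allowed_connections`, which returns the union of `rule.props` as computed by `sync_props`; where named ports are now resolved is not shown in this hunk, and the scheme files in this commit lower `expectedWarnings` for the named-ports config from 12 to 0. A short comment on `sync_props`, e.g. `# named ports are expected to be resolved into rule.props before this point (at parse time)`, would make that contract explicit — assuming that is indeed where the conversion moved; please confirm.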
@@ -119,25 +91,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): res.add_ingress_rule(rule) return res - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: A set of all ipblocks referenced in one of the policy rules (one Peer object per one ip range) - :rtype: Peer.PeerSet - """ - res = Peer.PeerSet() - for rule in self.egress_rules: - for peer in rule.peer_set: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - for rule in self.ingress_rules: - for peer in rule.peer_set: - if isinstance(peer, Peer.IpBlock) and self._include_ip_block(peer, exclude_ipv6): - res |= peer.split() - - return res - def has_empty_rules(self, config_name=''): """ Checks whether the policy contains empty rules (rules that do not select any peers) diff --git a/nca/Resources/PolicyResources/NetworkPolicy.py b/nca/Resources/PolicyResources/NetworkPolicy.py index 1d3a45959..1e64abbb9 100644 --- a/nca/Resources/PolicyResources/NetworkPolicy.py +++ b/nca/Resources/PolicyResources/NetworkPolicy.py @@ -5,7 +5,6 @@ from enum import Enum from dataclasses import dataclass -from nca.CoreDS.ConnectionSet import ConnectionSet from nca.CoreDS.Peer import PeerSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties 
@@ -55,12 +54,12 @@ def __init__(self, name, namespace): self.ingress_rules = [] self.egress_rules = [] - # The flag below is used for lazy calculation of optimized policy connections (as a union of rules connections) + # The flag below is used for lazy calculation of policy connections (as a union of rules connections) # The flag is set to False for new policies (including in redundancy query, when removing a rule from policy by # creating a new policy with a subset of rules), or after changing peers domains (per query). - # When this flag is False, the sync_opt_props function will (re)calculate optimized policy connections. - self.optimized_props_in_sync = False - self._init_opt_props() + # When this flag is False, the sync_props function will (re)calculate policy connections. + self.props_in_sync = False + self._init_props() self.affects_ingress = False # whether the policy affects the ingress of the selected peers self.affects_egress = False # whether the policy affects the egress of the selected peers 
@@ -70,46 +69,46 @@ def __init__(self, name, namespace): self.has_ipv6_addresses = False # whether the policy referenced ip addresses (by user) # if this flag is False, excluding ipv6 addresses from the query results will be enabled - def _init_opt_props(self): + def _init_props(self): """ The members below are used for lazy evaluation of policy connectivity properties. NOTE: THEY CANNOT BE ACCESSED DIRECTLY, ONLY BY 'GETTER' METHODS BELOW! """ - self._optimized_allow_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_deny_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_pass_ingress_props = ConnectivityProperties.make_empty_props() - self._optimized_allow_egress_props = ConnectivityProperties.make_empty_props() - self._optimized_deny_egress_props = ConnectivityProperties.make_empty_props() - self._optimized_pass_egress_props = ConnectivityProperties.make_empty_props() + self._allow_ingress_props = ConnectivityProperties.make_empty_props() + self._deny_ingress_props = ConnectivityProperties.make_empty_props() + self._pass_ingress_props = ConnectivityProperties.make_empty_props() + self._allow_egress_props = ConnectivityProperties.make_empty_props() + self._deny_egress_props = ConnectivityProperties.make_empty_props() + self._pass_egress_props = ConnectivityProperties.make_empty_props() - def optimized_allow_ingress_props(self): - self.sync_opt_props() - return self._optimized_allow_ingress_props + def allow_ingress_props(self): + self.sync_props() + return self._allow_ingress_props - def optimized_deny_ingress_props(self): - self.sync_opt_props() - return self._optimized_deny_ingress_props + def deny_ingress_props(self): + self.sync_props() + return self._deny_ingress_props - def optimized_pass_ingress_props(self): - self.sync_opt_props() - return self._optimized_pass_ingress_props + def pass_ingress_props(self): + self.sync_props() + return self._pass_ingress_props - def optimized_allow_egress_props(self): - 
self.sync_opt_props() - return self._optimized_allow_egress_props + def allow_egress_props(self): + self.sync_props() + return self._allow_egress_props - def optimized_deny_egress_props(self): - self.sync_opt_props() - return self._optimized_deny_egress_props + def deny_egress_props(self): + self.sync_props() + return self._deny_egress_props - def optimized_pass_egress_props(self): - self.sync_opt_props() - return self._optimized_pass_egress_props + def pass_egress_props(self): + self.sync_props() + return self._pass_egress_props - def sync_opt_props(self): + def sync_props(self): """ - Implemented by derived policies to compute optimized props of the policy according to the optimized props - of its rules, in case optimized props are not currently synchronized. + Implemented by derived policies to compute props of the policy according to the props + of its rules, in case props are not currently synchronized. """ return NotImplemented @@ -118,8 +117,8 @@ def __str__(self): def __eq__(self, other): if isinstance(self, type(other)): - self.sync_opt_props() - other.sync_opt_props() + self.sync_props() + other.sync_props() return \ self.name == other.name and \ self.namespace == other.namespace and \ 
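Review bot: With the abstract `allowed_connections(self, from_peer, to_peer, is_ingress)` removed from this class later in the commit, the base `NetworkPolicy` no longer declares the `allowed_connections(self, is_ingress)` entry point that IstioSidecar and K8sNetworkPolicy now implement; a stub next to `sync_props`, `def allowed_connections(self, is_ingress): return NotImplemented`, keeps the interface visible in one place. The six renamed getters (`allow_ingress_props` … `pass_egress_props`) also have no docstring; a one-liner such as `"""Allowed ingress properties, synchronised lazily via sync_props()."""` on each would explain why callers must use them instead of the `_`-prefixed members that `_init_props` warns about. Note that `return NotImplemented` in `sync_props` does not raise, so a derived policy that forgets to override it silently keeps empty props when the getters or `__eq__` call it; `raise NotImplementedError` would surface that.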
@@ -128,12 +127,12 @@ def __eq__(self, other): self.selected_peers == other.selected_peers and \ self.ingress_rules == other.ingress_rules and \ self.egress_rules == other.egress_rules and \ - self._optimized_allow_ingress_props == other._optimized_allow_ingress_props and \ - self._optimized_deny_ingress_props == other._optimized_deny_ingress_props and \ - self._optimized_pass_ingress_props == other._optimized_pass_ingress_props and \ - self._optimized_allow_egress_props == other._optimized_allow_egress_props and \ - self._optimized_deny_egress_props == other._optimized_deny_egress_props and \ - self._optimized_pass_egress_props == other._optimized_pass_egress_props + self._allow_ingress_props == other._allow_ingress_props and \ + self._deny_ingress_props == other._deny_ingress_props and \ + self._pass_ingress_props == other._pass_ingress_props and \ + self._allow_egress_props == other._allow_egress_props and \ + self._deny_egress_props == other._deny_egress_props and \ + self._pass_egress_props == other._pass_egress_props return False def __lt__(self, other): # required so we can evaluate the policies according to their order 
@@ -187,37 +186,37 @@ def add_egress_rule(self, rule): """ self.egress_rules.append(rule) - def reorganize_opt_props_by_new_domains(self): + def reorganize_props_by_new_domains(self): """ This method is called to allow reduction of src_peers/dst_peers to inactive dimensions - in optimized properties of every rule. It is called when running in a context of a certain query + in properties of every rule. It is called when running in a context of a certain query and after updating the domain accordingly in DimensionsManager. - It also saves a copy of the optimized connectivity properties before reduction, to allow restoring to + It also saves a copy of the connectivity properties before reduction, to allow restoring to these values after the query's run. Note: there is an assumption that rules of all derived policies have - optimized_props and optimized_props_copy members + props and props_copy members """ for rule in self.ingress_rules + self.egress_rules: - if not rule.optimized_props_copy: + if not rule.props_copy: # to avoid calling with the same rule multiple times - rule.optimized_props_copy = rule.optimized_props.copy() - rule.optimized_props.reduce_active_dimensions() - self.optimized_props_in_sync = False + rule.props_copy = rule.props.copy() + rule.props.reduce_active_dimensions() + self.props_in_sync = False - def restore_opt_props(self): + def restore_props(self): """ - This method is called to restore optimized connectivity properties of every rule to their original values, + This method is called to restore connectivity properties of every rule to their original values, before the reduction of src_peers/dst_peers dimensions, s.t. the values of those dimensions will be with respect to the "full" default domain of these dimensions. 
Note: there is an assumption that rules of all derived policies have - optimized_props and optimized_props_copy members + props and props_copy members """ for rule in self.ingress_rules + self.egress_rules: - if rule.optimized_props_copy: + if rule.props_copy: # to avoid calling with the same rule multiple times - rule.optimized_props = rule.optimized_props_copy - rule.optimized_props_copy = ConnectivityProperties() - self.optimized_props_in_sync = False + rule.props = rule.props_copy + rule.props_copy = ConnectivityProperties() + self.props_in_sync = False @staticmethod def get_policy_type_from_dict(policy): # noqa: C901 
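Review bot: `reorganize_props_by_new_domains` and `restore_props` use the truthiness of `rule.props_copy` as the "already saved" marker, so a rule whose `props` are empty produces an empty (falsy) copy, is re-copied on every `reorganize_props_by_new_domains` call and is skipped by `restore_props`. For empty props the reduced and original values are presumably the same, so this is harmless today, but a `None` sentinel (`if rule.props_copy is None:` before saving, `rule.props_copy = None` after restoring, and the same initial value in the rule classes) would not rely on that. The docstring's note that every rule must have `props` and `props_copy` members is the place to state which value means "nothing saved".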
@@ -316,28 +315,6 @@ def egress_rule_containing(self, other_policy, other_egress_rule_index): return self.rule_containing(other_policy, other_policy.egress_rules[other_egress_rule_index - 1], other_egress_rule_index, self.egress_rules) - def referenced_ip_blocks(self, exclude_ipv6=False): - """ - Returns ip blocks referenced by this policy, or empty PeerSet - :param bool exclude_ipv6: indicates if to exclude the automatically added IPv6 addresses in the referenced ip_blocks. - IPv6 addresses that are referenced in the policy by the user will always be included - :return: PeerSet of the referenced ip blocks - """ - return PeerSet() # default value, can be overridden in derived classes - - @staticmethod - def _include_ip_block(ip_block, exclude_ipv6): - """ - returns whether to include or not the ipblock in the policy's referenced_ip_blocks - :param IpBlock ip_block: the ip_block to check - :param bool exclude_ipv6 : indicates if to exclude ipv6 addresses - excluding the ip_block will be enabled only if the policy didn't reference any ipv6 addresses. - if policy referenced only ipv4 addresses ,then the parser didn't add auto ip_blocks, all will be included. - otherwise, if the policy didn't reference any ips, this mean automatic ip_block with all ips was added, - this is the ip_block to be excluded - so query results will not consider the ipv6 full range - """ - return ip_block.is_ipv4_block() or not exclude_ipv6 - def get_order(self): """ :return: the order of the policy @@ -351,12 +328,6 @@ def clone_without_rule(self, rule_to_exclude, ingress_rule): """ return NotImplemented - def allowed_connections(self, from_peer, to_peer, is_ingress): - """ - Implemented by derived classes to evaluate the set of connections this policy allows between two peers - """ - return NotImplemented - def policy_type_str(self): if self.policy_kind == NetworkPolicy.PolicyType.Ingress: return "Ingress resource" 
@@ -366,21 +337,9 @@ def policy_type_str(self): return "NetworkPolicy" -@dataclass -class PolicyConnections: - """ - A class to contain the effect of applying policies to a pair of peers - """ - captured: bool # Whether policy(ies) selectors captured relevant peers (can have empty allowed-conns with captured==True) - allowed_conns: ConnectionSet = ConnectionSet() # Connections allowed (and captured) by the policy(ies) - denied_conns: ConnectionSet = ConnectionSet() # Connections denied by the policy(ies) - pass_conns: ConnectionSet = ConnectionSet() # Connections specified as PASS by the policy(ies) - all_allowed_conns: ConnectionSet = ConnectionSet() # all (captured+ non-captured) Connections allowed by the policy(ies) - - -# TODO - making OptimizedPolicyConnections a dataclass does not work +# TODO - making PolicyConnections a dataclass does not work # (probably because PeerSet and ConnectivityProperties are mutable) -class OptimizedPolicyConnections: +class PolicyConnections: """ A class to contain the effect of applying policies to all src and dst peers It also serves as a filter for lazy evaluations of connections: diff --git a/nca/SchemeRunner.py b/nca/SchemeRunner.py index f936345d1..c42fa7b6b 100644 --- a/nca/SchemeRunner.py +++ b/nca/SchemeRunner.py 
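Review bot: The kept TODO `making PolicyConnections a dataclass does not work (probably because PeerSet and ConnectivityProperties are mutable)` records the symptom but not the fix: dataclasses reject mutable class-level defaults (the removed dataclass shared one `ConnectionSet()` default across every instance, which is what that check guards against), and `field(default_factory=ConnectivityProperties)` / `field(default_factory=PeerSet)` is the supported way to declare such members. Either convert the class with `from dataclasses import dataclass, field` and a per-field `default_factory`, or reword the TODO to `# NOTE: members are initialised in __init__; as a dataclass they would need field(default_factory=...) because the types are mutable`. The class body continues outside the hunk, so I cannot see its members.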
@@ -18,11 +18,7 @@ class SchemeRunner(GenericYamlParser): This class takes a scheme file, build all its network configurations and runs all its queries """ - implemented_opt_queries = {'connectivityMap', 'equivalence', 'vacuity', 'redundancy', 'strongEquivalence', - 'containment', 'twoWayContainment', 'permits', 'interferes', 'pairwiseInterferes', - 'forbids', 'emptiness', 'disjointness', 'allCaptured', 'sanity', 'semanticDiff'} - - def __init__(self, scheme_file_name, output_format=None, output_path=None, optimized_run='true'): + def __init__(self, scheme_file_name, output_format=None, output_path=None, debug=False): GenericYamlParser.__init__(self, scheme_file_name) self.network_configs = {} self.global_res = 0 @@ -31,7 +27,7 @@ def __init__(self, scheme_file_name, output_format=None, output_path=None, optim self.output_config_from_cli_args['outputFormat'] = output_format if output_path is not None: self.output_config_from_cli_args['outputPath'] = output_path - self.optimized_run = optimized_run + self.debug = debug scanner = TreeScannerFactory.get_scanner(scheme_file_name) for yaml_file in scanner.get_yamls(): @@ -40,10 +36,6 @@ def __init__(self, scheme_file_name, output_format=None, output_path=None, optim if not isinstance(self.scheme, dict): self.syntax_error("The scheme's top-level object must be a map") - @staticmethod - def has_implemented_opt_queries(queries): - return SchemeRunner.implemented_opt_queries.intersection(queries) - def _get_input_file(self, given_path, out_flag=False): """ Attempts to locate a file specified in the scheme file (possibly relatively to the scheme file) 
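Review bot: `SchemeRunner.__init__` replaces the fourth positional parameter `optimized_run='true'` with `debug=False` but leaves it undocumented; `__init__` has no docstring, and a caller still passing the old string `'true'` in that slot would silently run with `debug` truthy rather than fail. A docstring line such as `:param bool debug: run correctness checks and print debug information (forwarded to ResourcesHandler.get_network_config)` would at least document the new meaning; the class docstring above the hunk could mention it as well.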
@@ -83,7 +75,7 @@ def _handle_resources_list(self, resources_list): input_file_list.append(resource_path) return input_file_list - def _add_config(self, config_entry, resources_handler, optimized_run): + def _add_config(self, config_entry, resources_handler): """ Produces a NetworkConfig object for a given entry in the scheme file. Increases self.global_res if the number of warnings/error in the config does not match the expected number. @@ -111,7 +103,7 @@ def _add_config(self, config_entry, resources_handler, optimized_run): expected_error = config_entry.get('expectedError') try: network_config = resources_handler.get_network_config(np_list, ns_list, pod_list, resource_list, - config_name, optimized_run=optimized_run) + config_name, debug=self.debug) if not network_config: self.warning(f'networkPolicyList {network_config.name} contains no networkPolicies', np_list) @@ -153,13 +145,12 @@ def run_scheme(self): query_array = self.scheme.get('queries', []) if not self.activate_exp_tracker(query_array): return - resources_handler.set_global_peer_container(global_ns_list, global_pod_list, global_resource_list, - self.optimized_run) + resources_handler.set_global_peer_container(global_ns_list, global_pod_list, global_resource_list) # specified configs (non-global) start = time.time() for config_entry in self.scheme.get('networkConfigList', []): - self._add_config(config_entry, resources_handler, self.optimized_run) + self._add_config(config_entry, resources_handler) end_parse = time.time() print(f'Finished parsing in {(end_parse - start):6.2f} seconds') self.run_queries(query_array) @@ -199,7 +190,7 @@ def activate_exp_tracker(self, query_array): n_need_exp = len([needs_exp for needs_exp in need_exp if needs_exp]) if n_need_exp == 0: return True - elif n_need_exp == 1 and need_exp[0] and self.optimized_run == 'true': + elif n_need_exp == 1 and need_exp[0]: ExplTracker().activate(out_configs[0]['outputFormat']) return True elif n_need_exp == 1 and need_exp[0]: 
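Review bot: In hunk `@@ -199,7 +190,7 @@`, dropping `and self.optimized_run == 'true'` makes the new `elif n_need_exp == 1 and need_exp[0]:` identical to the `elif n_need_exp == 1 and need_exp[0]:` that immediately follows it in the context lines, so that second branch is now unreachable and should be removed together with its body, which lies outside the hunk. The other hunks in this file are parameter plumbing for `debug` and look consistent with the `SchemeRunner.__init__` change.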
@@ -236,11 +227,6 @@ def run_queries(self, query_array): not_executed = 0 self.check_fields_validity(query, 'query', allowed_elements) query_name = query['name'] - if self.optimized_run == 'debug' or self.optimized_run == 'true': - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not self.has_implemented_opt_queries(set(query.keys())): - print(f'Skipping query {query_name} since it does not have optimized implementation yet') - continue print('Running query', query_name) output_config_obj = self.get_query_output_config_obj(query) expected_output = self._get_input_file(query.get('expectedOutput', None), True) diff --git a/nca/Utils/ExplTracker.py b/nca/Utils/ExplTracker.py index 24e9762bb..32cdeada9 100644 --- a/nca/Utils/ExplTracker.py +++ b/nca/Utils/ExplTracker.py @@ -239,8 +239,8 @@ def are_peers_connected(self, src, dst): def add_policy_to_peers(self, policy): for peer in policy.selected_peers: - src_peers, _ = self.extract_peers(policy.optimized_allow_ingress_props()) - _, dst_peers = self.extract_peers(policy.optimized_allow_egress_props()) + src_peers, _ = self.extract_peers(policy.allow_ingress_props()) + _, dst_peers = self.extract_peers(policy.allow_egress_props()) peer_name = peer.full_name() self.add_peer_policy(peer_name, policy.name, dst_peers, src_peers) diff --git a/nca/nca_cli.py b/nca/nca_cli.py index 53cc558f4..a605518d0 100644 --- a/nca/nca_cli.py +++ b/nca/nca_cli.py @@ -146,7 +146,7 @@ def run_args(args): # noqa: C901 # so that configs from certain run do not affect a potential following run. BasePeerSet.reset() if args.scheme: - return SchemeRunner(args.scheme, args.output_format, args.file_out, args.optimized_run).run_scheme() + return SchemeRunner(args.scheme, args.output_format, args.file_out, args.debug).run_scheme() ns_list = args.ns_list pod_list = args.pod_list resource_list = args.resource_list 
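Review bot: In the ExplTracker.py hunk `@@ -239,8 +239,8 @@`, `src_peers, _ = self.extract_peers(policy.allow_ingress_props())` and `_, dst_peers = self.extract_peers(policy.allow_egress_props())` do not depend on the loop variable `peer`, so they are recomputed for every selected peer; hoisting both lines above `for peer in policy.selected_peers:` yields the same result with a single extraction per policy. `add_policy_to_peers` continues outside the hunk.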
@@ -185,16 +185,12 @@ def run_args(args): # noqa: C901 all_labels.append(lbl_dict) output_config['subset'].update({'label_subset': all_labels}) - if args.explain is not None and args.optimized_run == 'true': + if args.explain is not None: output_config['explain'] = args.explain ExplTracker().activate(output_config.outputEndpoints) if args.output_format == 'html': - if args.optimized_run == 'true': - ExplTracker().activate(output_config.outputEndpoints) - else: - print('Not creating html format. html format has only optimized implementation') - return _compute_return_value(0, 0, 1) + ExplTracker().activate(output_config.outputEndpoints) if args.equiv is not None: np_list = args.equiv if args.equiv != [''] else None @@ -230,16 +226,10 @@ def run_args(args): # noqa: C901 pair_query_flag = True expected_output = args.expected_output or None - if args.optimized_run == 'debug' or args.optimized_run == 'true': - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not SchemeRunner.has_implemented_opt_queries({query_name}): - print(f'Not running query {query_name} since it does not have optimized implementation yet') - return _compute_return_value(0, 0, 1) - resources_handler = ResourcesHandler() network_config = resources_handler.get_network_config(_make_recursive(np_list), _make_recursive(ns_list), _make_recursive(pod_list), _make_recursive(resource_list), - save_flag=pair_query_flag, optimized_run=args.optimized_run) + save_flag=pair_query_flag) if pair_query_flag: base_np_list = args.base_np_list base_resource_list = args.base_resource_list 
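Review bot: After the `optimized_run` guards are removed, `ExplTracker().activate(output_config.outputEndpoints)` is called from both `if args.explain is not None:` and `if args.output_format == 'html':`, so `--explain` combined with `--output_format html` activates the tracker twice. Unless `activate` is idempotent (not visible here), merge the two into `if args.explain is not None or args.output_format == 'html': ExplTracker().activate(output_config.outputEndpoints)` and keep `output_config['explain'] = args.explain` in its own `if`. `run_args` continues outside the hunk.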
@@ -248,8 +238,7 @@ def run_args(args): # noqa: C901 base_network_config = resources_handler.get_network_config(_make_recursive(base_np_list), _make_recursive(base_ns_list), _make_recursive(base_pod_list), - _make_recursive(base_resource_list), - optimized_run=args.optimized_run) + _make_recursive(base_resource_list)) if base_as_second: network_configs_array = [network_config, base_network_config] else: @@ -339,12 +328,9 @@ def nca_main(argv=None): parser.add_argument('--pr_url', type=str, help='The full api url for adding a PR comment') parser.add_argument('--return_0', action='store_true', help='Force a return value 0') parser.add_argument('--version', '-v', action='store_true', help='Print version and exit') - parser.add_argument('--debug', '-d', action='store_true', help='Print debug information') + parser.add_argument('--debug', '-d', action='store_true', help='Run correctness checks and print debug information') parser.add_argument('--output_endpoints', choices=['pods', 'deployments'], help='Choose endpoints type in output (pods/deployments)', default='deployments') - parser.add_argument('--optimized_run', '-opt', type=str, - help='Whether to run optimized run (-opt=true) - the default, original run (-opt=false) ' - 'or the comparison of the both (debug)', default='true') parser.add_argument('--print_ipv6', action='store_true', help='Display IPv6 addresses connections too. ' 'If the policy reference IPv6 addresses, ' 'their connections will be printed anyway') diff --git a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml index 3f605d7be..103b3ee19 100644 --- a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml +++ b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-scheme.yaml 
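Review bot: Hunk `@@ -339,12 +328,9 @@` removes `--optimized_run`/`-opt` outright, so any existing invocation or CI script passing `-opt=true` now fails with argparse's unrecognized-arguments error instead of running the implementation that is now the only one. Since the option no longer has any effect, a deprecated no-op alias, `parser.add_argument('--optimized_run', '-opt', type=str, help=argparse.SUPPRESS)` (assuming `argparse` is imported by name in this file), accepted for a release and ignored in `run_args`, would keep callers working until the deprecation period ends.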
@@ -15,7 +15,7 @@ networkConfigList: - name: named-ports networkPolicyList: - testcase15-named-ports.yaml - expectedWarnings: 12 + expectedWarnings: 0 - name: equiv-games1 networkPolicyList: diff --git a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml index 70f516ee2..00a28ad8b 100644 --- a/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml +++ b/tests/calico_testcases/example_policies/testcase15-ports/testcase15-with-ingress-scheme.yaml @@ -32,7 +32,7 @@ networkConfigList: - name: named-ports networkPolicyList: - testcase15-named-ports.yaml - expectedWarnings: 12 + expectedWarnings: 0 - name: equiv-games1 networkPolicyList: diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json index 6918997f7..1a488bc22 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.json @@ -14,7 +14,7 @@ { "src": "['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc']", "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", - "conns_config1": "Protocol: TCP", + "conns_config1": "{'protocols': 'TCP'}", "conns_config2": "No connections" }, { 
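Review bot: `expectedWarnings` for the `named-ports` config drops from 12 to 0 in both `testcase15-scheme.yaml` and `testcase15-with-ingress-scheme.yaml`, and nothing in the visible diff says why those warnings no longer occur. If the new implementation stopped emitting them because named-port handling is now silent rather than because the inputs became valid, a policy that references a port name no workload exposes would be analyzed without any signal to the user; that deserves a sentence in the commit description or a comment next to the new value, e.g. `# named-port warnings are no longer emitted by the optimized implementation`. The referenced policy file `testcase15-named-ports.yaml` is not touched in the visible part of the diff.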
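Review bot: The new `conns_config1` value `"{'protocols': 'TCP'}"` in `global-interferes-local-print-all-pairs.json` is a Python dict `repr` embedded as a string, which differs from the `{protocols:TCP}` spelling this commit introduces for the txt fw-rules output and from the `[protocols=TCP]` spelling in the explanation text of the companion `.txt` file. Three renderings of one connection set make the JSON output harder to consume programmatically; emitting a real object, `"conns_config1": {"protocols": "TCP"}`, or at least the same text form as the other outputs would be more consistent. The same repr string appears in the `.yaml` counterpart and in the `sup-allow-and-sub-deny` fixtures further down; the serializer that produces it is not in this chunk.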
diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt index 9fe82f7e6..af0973acf 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.txt 
@@ -1,4 +1,4 @@ global_np interferes with local_np Allowed connections from local_np which are extended in global_np: -src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication using protocol TCP while local_np does not. +src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: global_np allows communication on [protocols=TCP] while local_np does not src: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], description: global_np allows all connections while local_np does not. 
diff --git a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml index 7dca5f580..456a28b2e 100644 --- a/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml +++ b/tests/calico_testcases/expected_output/global-interferes-local-print-all-pairs.yaml @@ -14,7 +14,7 @@ ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', ''kube-system/vpn-858f6d9777-2bw5m'']' - conns_config1: 'Protocol: TCP' + conns_config1: '{''protocols'': ''TCP''}' conns_config2: No connections - src: '[''kube-system/calico-node-mgdlr'', ''kube-system/file-plugin-7bfb8b69bf-p86gk'', ''kube-system/keepalived-watcher-57ghx'', ''kube-system/keepalived-watcher-gzdfm'', diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json index 5a01ea44b..1eafa5e2c 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json @@ -14,7 +14,7 @@ { "src": "['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd']", "dst": "['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m']", - "conns_config1": "Protocol: TCP", + "conns_config1": "{'protocols': 'TCP'}", "conns_config2": "No connections" } ] 
diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt index ce3a46ba8..2ca69e33d 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt @@ -1,3 +1,3 @@ np_SupsetAllowFirst and np_SubsetDenyFirst are not semantically equivalent. Connections allowed in np_SupsetAllowFirst which are different in np_SubsetDenyFirst: -src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication using protocol TCP while np_SubsetDenyFirst does not. +src: ['kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/storage-watcher-8494b4b8bb-f8csd'], dst: ['kube-system/calico-node-mgdlr', 'kube-system/file-plugin-7bfb8b69bf-p86gk', 'kube-system/keepalived-watcher-57ghx', 'kube-system/keepalived-watcher-gzdfm', 'kube-system/keepalived-watcher-wczq8', 'kube-system/kube-fluentd-h6rjg', 'kube-system/storage-watcher-8494b4b8bb-f8csd', 'kube-system/tiller-deploy-5c45c9966b-nqwz6', 'kube-system/vpn-858f6d9777-2bw5m'], description: np_SupsetAllowFirst allows communication on [protocols=TCP] while np_SubsetDenyFirst does not 
diff --git a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml index c6f78cb50..9d7995fec 100644 --- a/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml +++ b/tests/calico_testcases/expected_output/sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml @@ -16,5 +16,5 @@ ''kube-system/keepalived-watcher-wczq8'', ''kube-system/kube-fluentd-h6rjg'', ''kube-system/storage-watcher-8494b4b8bb-f8csd'', ''kube-system/tiller-deploy-5c45c9966b-nqwz6'', ''kube-system/vpn-858f6d9777-2bw5m'']' - conns_config1: 'Protocol: TCP' + conns_config1: '{''protocols'': ''TCP''}' conns_config2: No connections diff --git a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt index ef33ae76f..a59203723 100644 --- a/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase15_with_ingress_connectivity_map.txt 
@@ -2,31 +2,31 @@ final fw rules for query: connectivity_map, config: ip: src: 0.0.0.0/0,::/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: TCP {'dst_ports': '80', 'hosts': 'first.bar.com', 'paths': '/abc/def(/*)?'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: TCP {'dst_ports': '80', 'hosts': 'second.bar.com', 'paths': '(/xyz(/*)?)-(/xyz)'} -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [calico-node] conn: {protocols:TCP,dst_ports:210,hosts:first.bar.com,paths:(/abc(/*)?)-(/abc/def(/*)?)} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [file-plugin-7bfb8b69bf] conn: {protocols:TCP,dst_ports:80,hosts:first.bar.com,paths:/abc/def(/*)?} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:213} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [kube-fluentd] conn: {protocols:TCP,dst_ports:80,hosts:second.bar.com,paths:(/xyz(/*)?)-(/xyz)} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: 
{protocols:TCP,dst_ports:102,hosts:second.bar.com,paths:/xyz} src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections final fw rules for query: connectivity_map, config: global-simple: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: TCP 200-250 -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [vendor-system] dst_pods: [*] conn: TCP 200-250 +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [!has(app)] conn: {protocols:TCP,dst_ports:200-250} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:200-250} final fw rules for query: connectivity_map, config: global-simple-with-ingress: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [calico-node] conn: TCP {'dst_ports': '210', 'hosts': 'first.bar.com', 'paths': '(/abc(/*)?)-(/abc/def(/*)?)'} -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 213 +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: 
[calico-node] conn: {protocols:TCP,dst_ports:210,hosts:first.bar.com,paths:(/abc(/*)?)-(/abc/def(/*)?)} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:213} final fw rules for query: connectivity_map, config: global-not-simple/testcase15-global-ports-not-simple-match-ingress-egress: -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} final fw rules for query: connectivity_map, config: global-not-simple/testcase15-global-ports-not-simple-mismatch-ingress-egress: final fw rules for query: connectivity_map, config: global-not-simple: -src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} final fw rules for query: connectivity_map, config: global-not-simple-with-ingress: -src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: TCP {'dst_ports': '102', 'hosts': 'second.bar.com', 'paths': '/xyz'} -src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP 101-104 +src_ns: 
[default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [storage-watcher-8494b4b8bb] conn: {protocols:TCP,dst_ports:102,hosts:second.bar.com,paths:/xyz} +src_ns: [kube-system] src_pods: [calico-kube-controllers-7694668c77, calico-node, file-plugin-7bfb8b69bf, heapster-7df8cb8c66, kube-dns-amd64-d66bf76db, kube-dns-autoscaler-78f5fdbd46, kube-fluentd, kubernetes-dashboard-5b5f985bcf, public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f, storage-watcher-8494b4b8bb, tiller-deploy-5c45c9966b, vpn-858f6d9777] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP,dst_ports:101-104} diff --git a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt index d1e1d5d0e..8b7841d95 100644 --- a/tests/calico_testcases/expected_output/testcase16-scheme_output.txt +++ b/tests/calico_testcases/expected_output/testcase16-scheme_output.txt @@ -4,4 +4,4 @@ src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connectio src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [!has(tier)] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 64.0.0.0-255.255.255.255 conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt index fb613ac88..1ba0afd52 100644 --- a/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt 
+++ b/tests/calico_testcases/expected_output/testcase18_connectivity_map.txt @@ -8,5 +8,5 @@ final fw rules for query: connectivity_map, config: np-ports-based: src: 0.0.0.0/0,::/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: TCP -src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: TCP +src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0,::/0 conn: {protocols:TCP} +src_ns: [kube-system] src_pods: [*] dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt index 6c3fb3e22..a724e6f67 100644 --- a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity, config: testcase25-config-1: -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt index 9a6c885c2..a8af6998e 100644 --- a/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt +++ b/tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map_2.txt 
@@ -4,4 +4,4 @@ src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [!has(tier)] conn: All connection src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [!has(tier)] conn: All connections -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt index 20007690b..90a0d997d 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt index 239f0fbb8..de72db829 100644 
--- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: src: 0.0.0.0/0 dst_ns: [ingress-nginx] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {dst_ports:9080,paths:/details(/*)?} For connections of type non-TCP, final fw rules for query: connectivity-6, config: testcase26-config-1-k8s-calico-istio-ingress-2: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt index 6037c6402..2eb4ce2e7 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt 
@@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-3, config: testcase26-config-1-k8s-calico-istio-ingress: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt index 64cdc6ddf..8039b248a 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio_connectivity_map.txt @@ -1,5 +1,5 @@ For connections of type TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} For connections of type non-TCP, final fw rules for query: connectivity-4, config: testcase26-config-1-k8s-calico-istio: -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: UDP +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {protocols:UDP} 
diff --git a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt index 56236fbd2..02470117d 100644 --- a/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt +++ b/tests/calico_testcases/expected_output/testcase26-config-1-k8s-istio-ingress_connectivity_map.txt @@ -6,8 +6,8 @@ src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pod src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [app!=ratings] dst: 0.0.0.0/0 conn: All connections src_ns: [default] src_pods: [productpage-v1-6b746f74dc] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: TCP {'methods': 'GET'} -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {dst_ports:9080,paths:/details(/*)?} src_ns: [istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [app in (details,reviews)] conn: All connections src_ns: [istio-system] src_pods: [*] dst_ns: [ingress-nginx,istio-system] dst_pods: [*] conn: All connections 
diff --git a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt index e2906fca9..a85e676a0 100644 --- a/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt +++ b/tests/calico_testcases/expected_output/testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt @@ -1,10 +1,10 @@ testcase26-config-1-calico-ingress and allow-all-config are not semantically equivalent. Added connections between persistent peers (based on topology from config: allow-all-config) : -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but TCP,UDP +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All but {protocols:TCP, UDP} src_ns: [default] src_pods: [app in (details,reviews)] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections src_ns: [ingress-nginx,istio-system] src_pods: [*] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: All connections -src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP {'dst_ports': '9080', 'paths': '/details(/*)?'} +src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:9080,paths:/details(/*)?} src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [app in (ratings,reviews)] conn: All connections src_ns: [ingress-nginx] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections diff --git a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt index 8a263c506..95d7ffd87 100644 --- a/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt 
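Review bot: The new connection rendering mixes separators: values inside one dimension are joined with `, ` (`All but {protocols:TCP, UDP}` here) while dimensions are joined with a bare `,` (`{protocols:TCP, UDP,dst_ports:53}` in the csv, md and txt semantic-diff fixtures at the end of this chunk), so a reader or a downstream parser cannot tell a second list value from a new dimension by the separator alone. A distinct value separator, for example `{protocols:TCP+UDP,dst_ports:53}`, or `;` between dimensions, would make the format unambiguous. The code that produces this string is not in this chunk, so this applies to the expected format rather than to the fixture edits themselves.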
+++ b/tests/calico_testcases/expected_output/testcase8-semantic-diff-query.txt @@ -3,7 +3,7 @@ np1/kube-system/ingress-networkpolicy-with-conflict-destination and global-allow Added connections between persistent peers (based on topology from config: global-allow-all) : src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP +src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP} Added connections between persistent peers and ipBlocks (based on topology from config: global-allow-all) : src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [app=kube-fluentd] conn: All connections diff --git a/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py b/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py index ee9d1b684..c2ac6e1c5 100644 --- a/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py +++ b/tests/classes_unit_tests/testConnectivityPropertiesNamedPorts.py @@ -1,5 +1,4 @@ import unittest -from nca.CoreDS.CanonicalIntervalSet import CanonicalIntervalSet from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties 
@@ -9,93 +8,6 @@ class TestNamedPorts(unittest.TestCase): - def test_k8s_flow(self): - """ - dest ports with named ports, and 'or' between Tcp properties with named ports - """ - src_res_ports = PortSet(True) - dst_res_ports = PortSet() - dst_res_ports.add_port("x") - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties1 = ConnectivityProperties.make_conn_props(conn_cube) - dst_res_ports2 = PortSet() - dst_res_ports2.add_port("y") - conn_cube["dst_ports"] = dst_res_ports2 - tcp_properties2 = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_res = tcp_properties1 | tcp_properties2 - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (16, 6)} - tcp_properties_res.convert_named_ports(named_ports_dict, 6) - # print(tcp_properties_res) - cubes_list = tcp_properties_res._get_cubes_list_from_layers() - expected_res_cubes = [[CanonicalIntervalSet.get_interval_set(15, 16)]] - self.assertEqual(expected_res_cubes, cubes_list) - - def test_calico_flow_1(self): - """ - dest ports containing only positive named ports - """ - src_res_ports = PortSet() - dst_res_ports = PortSet() - src_res_ports.add_port_range(1, 100) - dst_res_ports.add_port("x") - dst_res_ports.add_port("y") - dst_res_ports.add_port("z") - dst_res_ports.add_port("w") - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_2 = tcp_properties.copy() - - self.assertTrue(tcp_properties.has_named_ports()) - self.assertEqual(tcp_properties.get_named_ports(), {"x","y","z", "w"}) - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (200, 17)} - tcp_properties.convert_named_ports(named_ports_dict, 6) - #print(tcp_properties) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), CanonicalIntervalSet.get_interval_set(15,15) | CanonicalIntervalSet.get_interval_set(20,20))} - 
self.assertEqual(expected_res_cubes, tcp_properties._get_cubes_set()) - - self.assertTrue(tcp_properties_2.has_named_ports()) - self.assertEqual(tcp_properties_2.get_named_ports(), {"x","y","z", "w"}) - tcp_properties_2.convert_named_ports(named_ports_dict, 17) - #print(tcp_properties_2) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), CanonicalIntervalSet.get_interval_set(200,200))} - self.assertEqual(expected_res_cubes, tcp_properties_2._get_cubes_set()) - - def test_calico_flow_2(self): - """ - dest ports containing only negative named ports - """ - src_res_ports = PortSet() - not_ports = PortSet() - not_ports.add_port("x") - not_ports.add_port("y") - not_ports.add_port("z") - not_ports.add_port("w") - dst_res_ports = PortSet(True) - dst_res_ports -= not_ports - src_res_ports.add_port_range(1, 100) - conn_cube = ConnectivityCube.make_from_dict({"src_ports": src_res_ports, "dst_ports": dst_res_ports}) - tcp_properties = ConnectivityProperties.make_conn_props(conn_cube) - tcp_properties_2 = tcp_properties.copy() - - self.assertTrue(tcp_properties.has_named_ports()) - self.assertEqual(tcp_properties.get_named_ports(), {"x","y","z", "w"}) - named_ports_dict = {"x": (15, 6), "z": (20, 6), "y": (200, 17)} - tcp_properties.convert_named_ports(named_ports_dict, 6) - #print(tcp_properties) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), - CanonicalIntervalSet.get_interval_set(1,14) | - CanonicalIntervalSet.get_interval_set(16,19) | - CanonicalIntervalSet.get_interval_set(21,65535))} - self.assertEqual(expected_res_cubes, tcp_properties._get_cubes_set()) - - self.assertTrue(tcp_properties_2.has_named_ports()) - self.assertEqual(tcp_properties_2.get_named_ports(), {"x","y","z", "w"}) - tcp_properties_2.convert_named_ports(named_ports_dict, 17) - #print(tcp_properties_2) - expected_res_cubes = {(CanonicalIntervalSet.get_interval_set(1,100), - CanonicalIntervalSet.get_interval_set(1,199) | - 
CanonicalIntervalSet.get_interval_set(201,65535))} - self.assertEqual(expected_res_cubes, tcp_properties_2._get_cubes_set()) def test_optimized_flow(self): default_namespace = K8sNamespace("default") @@ -127,7 +39,6 @@ def test_optimized_flow(self): "src_ports": src_ports, "dst_ports": dst_ports, "protocols": ProtocolSet.get_protocol_set_with_single_protocol("TCP")}) props_with_tcp = ConnectivityProperties.make_conn_props(conn_cube) - self.assertFalse(props_with_tcp.has_named_ports()) tcp_ports_for_pod_a = PortSet.make_port_set_with_range(200, 300) tcp_ports_for_pod_a.add_port_range(600, 600) tcp_ports_for_pod_b = PortSet.make_port_set_with_range(200, 300) @@ -156,7 +67,6 @@ def test_optimized_flow(self): "src_ports": src_ports, "dst_ports": dst_ports, "protocols": ProtocolSet.get_protocol_set_with_single_protocol("UDP")}) props_with_udp = ConnectivityProperties.make_conn_props(conn_cube) - self.assertFalse(props_with_udp.has_named_ports()) udp_ports_for_pod_a = PortSet.make_port_set_with_range(200, 300) udp_ports_for_pod_a.add_port_range(400, 400) udp_ports_for_pod_b = PortSet.make_port_set_with_range(200, 300) diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt index 79804b5da..80f68a1a1 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_csv_query_output.txt 
@@ -1,8 +1,8 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "Added connections between persistent peers","","","","","",
-"","[default]","[*]","[kube-system]","[*]","All but TCP+UDP 53",
+"","[default]","[*]","[kube-system]","[*]","All but {protocols:TCP, UDP,dst_ports:53}",
 "Removed connections between persistent peers","","","","","",
-"","[kube-system,kube-system-dummy-to-ignore]","[*]","[kube-system]","[*]","TCP+UDP 53",
 "","[vendor-system]","[*]","[kube-system]","[*]","All connections",
+"","[kube-system,kube-system-dummy-to-ignore]","[*]","[kube-system]","[*]","{protocols:TCP, UDP,dst_ports:53}",
 "Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0/0","[kube-system]","[*]","TCP+UDP 53",
+"","","0.0.0.0/0","[kube-system]","[*]","{protocols:TCP, UDP,dst_ports:53}",
diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt
index 16abfb3ba..68c2011f0 100644
--- a/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt
+++ b/tests/expected_cmdline_output_files/basic_semantic_diff_md_query_output.txt
@@ -1,9 +1,9 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |Added connections between persistent peers||||||
-||[default]|[*]|[kube-system]|[*]|All but TCP+UDP 53|
+||[default]|[*]|[kube-system]|[*]|All but {protocols:TCP, UDP,dst_ports:53}|
 |Removed connections between persistent peers||||||
-||[kube-system,kube-system-dummy-to-ignore]|[*]|[kube-system]|[*]|TCP+UDP 53|
 ||[vendor-system]|[*]|[kube-system]|[*]|All connections|
+||[kube-system,kube-system-dummy-to-ignore]|[*]|[kube-system]|[*]|{protocols:TCP, UDP,dst_ports:53}|
 |Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0/0|[kube-system]|[*]|TCP+UDP 53|
+|||0.0.0.0/0|[kube-system]|[*]|{protocols:TCP, UDP,dst_ports:53}|
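Review bot: The new connection text `{protocols:TCP, UDP,dst_ports:53}` uses the comma both to separate values inside one attribute and to separate attributes, so the string can no longer be split unambiguously; the helm and calico fixtures later in this commit show the same shape, e.g. `{protocols:UDP,src_ports:80-100,dst_ports:1-10052,10054-65535}`. The value-list separator is also not uniform: `TCP, UDP` carries a space while `6379,9121` does not. The formatter that builds this string is outside this chunk, so this is read from the fixtures alone; an attribute separator that cannot occur inside a value (`;`, or a space before each key) would keep the text parseable, and if the string is intended for human reading only, a comment on the formatter saying so would settle the question.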
diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt index 8d0d62349..3c705858b 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_query_output.txt @@ -1,11 +1,11 @@ testcase7-networkpolicy2.yaml and testcase7-networkpolicy1.yaml are not semantically equivalent. Added connections between persistent peers (based on topology from config: testcase7-networkpolicy1.yaml) : -src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP+UDP 53 +src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP, UDP,dst_ports:53} Removed connections between persistent peers (based on topology from config: testcase7-networkpolicy2.yaml) : -src_ns: [kube-system,kube-system-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: TCP+UDP 53 +src_ns: [kube-system,kube-system-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} src_ns: [vendor-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections Removed connections between persistent peers and ipBlocks (based on topology from config: testcase7-networkpolicy2.yaml) : -src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: TCP+UDP 53 +src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53} diff --git a/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt b/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt index b9bd18673..ca039aeda 100644 --- a/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt +++ b/tests/expected_cmdline_output_files/basic_semantic_diff_yaml_query_output.txt 
@@ -18,17 +18,13 @@ - '*' connection: - All but: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: + - protocols: TCP, UDP + dst_ports: - 53 - description: Removed connections between persistent peers rules: - src_ns: - - kube-system - - kube-system-dummy-to-ignore + - vendor-system src_pods: - '*' dst_ns: @@ -36,14 +32,10 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 + - All connections - src_ns: - - vendor-system + - kube-system + - kube-system-dummy-to-ignore src_pods: - '*' dst_ns: @@ -51,7 +43,9 @@ dst_pods: - '*' connection: - - All connections + - protocols: TCP, UDP + dst_ports: + - 53 - description: Removed connections between persistent peers and ipBlocks rules: - src_ip_block: @@ -61,9 +55,6 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: + - protocols: TCP, UDP + dst_ports: - 53 diff --git a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt index bff16a3e8..22f847af4 100644 --- a/tests/expected_cmdline_output_files/helm_test_multi_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_multi_chart.txt 
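Review bot: In the rebuilt yaml rules `protocols: TCP, UDP` is a plain scalar (the string "TCP, UDP") while `dst_ports:` directly beneath it is a sequence, so a consumer of the yaml output gets two different shapes for two list-valued attributes of the same rule; emitting `protocols:` as a sequence (`- TCP`, `- UDP`) would match `dst_ports` and the old per-`Protocol:` entries. The calico-testcase13 yaml fixture further down has the same problem in another form, `- protocols: all but UDPLite`: the complement moved from the explicit `All but:` key into scalar text, while the txt fixture for the same test prints `All but {protocols:UDPLite}`, so the two formats now disagree on where the negation is expressed. The serializer is not in this chunk; this is inferred from the fixtures.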
@@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: TCP 3000 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] conn: {protocols:TCP,dst_ports:3000} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections -src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: UDP 53 +src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or 
app.kubernetes.io/name=kube-state-metrics}] conn: {protocols:UDP,dst_ports:53} src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 -src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: {protocols:TCP,dst_ports:3000} +src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [{!has(app.kubernetes.io/instance) or app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or (has(app.kubernetes.io/name) and app.kubernetes.io/name!=redis)}] dst_ns: [default] dst_pods: [{!has(app.kubernetes.io/instance) or 
app.kubernetes.io/instance=nca-extract} and {!has(app.kubernetes.io/name) or app.kubernetes.io/name=kube-state-metrics}] conn: All connections
diff --git a/tests/expected_cmdline_output_files/helm_test_one_chart.txt b/tests/expected_cmdline_output_files/helm_test_one_chart.txt
index 6f3ef4cc0..b08f3794a 100644
--- a/tests/expected_cmdline_output_files/helm_test_one_chart.txt
+++ b/tests/expected_cmdline_output_files/helm_test_one_chart.txt
@@ -1,4 +1,4 @@
 final fw rules for query: , config: **:
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: TCP 6379,9121
-src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: UDP 53
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP 6379
\ No newline at end of file
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379,9121}
+src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379}
diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt
index be9bb1efd..b376f8f07 100644
--- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt
+++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_in_template_dir.txt
@@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt index be9bb1efd..b376f8f07 100644 
--- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_inside_chart.txt @@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 
diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt index 86608c4a4..1eeab0e90 100644 --- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_chart.txt 
@@ -1,11 +1,11 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections diff --git a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt index b81b1d99a..d04f1182c 100644 
--- a/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt +++ b/tests/expected_cmdline_output_files/helm_test_resolved_yaml_next_to_multi_charts.txt 
@@ -1,12 +1,12 @@ final fw rules for query: , config: **: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: TCP 3000 -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379,9121 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=grafana] conn: {protocols:TCP,dst_ports:3000} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379,9121} src_ns: [default] src_pods: [Pod1] dst_ns: [ns2] dst_pods: [Pod3] conn: All connections src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: UDP 53 -src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: TCP 6379 +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] dst_ns: [default] dst_pods: [app.kubernetes.io/instance=nca-extract and app.kubernetes.io/name=redis] conn: {protocols:TCP,dst_ports:6379} src_ns: [ns1] src_pods: [Pod2] dst_ns: [default] dst_pods: [Pod1] conn: All connections src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All 
connections diff --git a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot index 317388fd5..e5812eb26 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot +++ b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp5678 TCP {'dst_ports': '5678', 'pat...
tcp80 TCP {'dst_ports': '80', 'hosts...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp5678 {dst_ports:5678,paths:/foo(/*)?}
tcp80 {dst_ports:80,hosts:httpbin.ex...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" 
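Review bot: The new legend entry `tcp5678 {dst_ports:5678,paths:/foo(/*)?}` and the matching edge tooltips in the next hunk drop the protocol that the old `TCP {'dst_ports': '5678', ...}` text carried, while the `udp53` entry of the second graph keeps `protocols:UDP`; the only remaining hint that these rules are TCP is the `tcp` prefix of the generated short label. If the first graph is by construction the TCP-only view this may be intended, but the livesim txt fixture in this commit shows the same asymmetry (`conn: {dst_ports:5678,paths:/foo(/*)?}` beside `conn: {protocols:UDP,dst_ports:53}`), so it looks like TCP-restricted properties skip the `protocols` field altogether. Either print `protocols:TCP` uniformly or state in the formatter's documentation that a missing `protocols` key denotes the TCP-only section; the formatter itself is outside this chunk.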
@@ -42,8 +42,8 @@ subgraph cluster_kube_system_namespace{ "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="{dst_ports:5678,paths:/foo(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="{dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system/kube-dns-livesim(Pod)" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] 
"kube-system/kube-dns-livesim(Pod)" -> "default/httpbin(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] @@ -61,7 +61,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
udp53 UDP 53
> shape=box] + dict_box [label=<
Connectivity legend
All All
udp53 {protocols:UDP,dst_ports:53}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" 
@@ -95,10 +95,10 @@ subgraph cluster_kube_system_namespace{ } "0.0.0.0/0" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/deployment-A(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/deployment-A(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "default/deployment-B(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/foo-app(Pod)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/deployment-B(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/foo-app(Pod)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="{protocols:UDP,dst_ports:53}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "istio-system/istio-ingressgateway-livesim(Pod)" 
-> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway-livesim(Pod)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index f5fafd8a5..0e714c6eb 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections -src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'} -src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} +src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: {dst_ports:5678,paths:/foo(/*)?} +src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: {dst_ports:80,hosts:httpbin.example.com,paths:(/status(/*)?)|(/delay(/*)?)} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections 
@@ -12,7 +12,7 @@ src_ns: [kube-system] src_pods: [*] dst_ns: [ingress-controller-ns,istio-system,
 For connections of type non-TCP, final fw rules for query: , config: **:
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections
 src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53
+src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
 src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections
 src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections
 src_ns: [istio-system,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
diff --git a/tests/expected_cmdline_output_files/poc1_expl_output.txt b/tests/expected_cmdline_output_files/poc1_expl_output.txt
index e02ea700f..32f32f887 100644
--- a/tests/expected_cmdline_output_files/poc1_expl_output.txt
+++ b/tests/expected_cmdline_output_files/poc1_expl_output.txt
@@ -1,20 +1,20 @@ final fw rules for query: , config: microservices-netpols.yaml: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: 
[cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/expected_cmdline_output_files/test4_expl_output.txt b/tests/expected_cmdline_output_files/test4_expl_output.txt index 74eaa83ef..59a3568f8 100644 --- a/tests/expected_cmdline_output_files/test4_expl_output.txt 
+++ b/tests/expected_cmdline_output_files/test4_expl_output.txt @@ -2,9 +2,9 @@ final fw rules for query: , config: test4-networkpolicy.yaml: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-90} +src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-88} Explainability results: diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt index c4cf9f37f..bd82bb51b 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: open-default-TCP-test, config: open-default-TCP: -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but UDPLite +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:UDPLite} 
diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml index fac6ca1de..1f4df3fb7 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml @@ -13,5 +13,4 @@ dst_pods: - '*' connection: - - All but: - - Protocol: UDPLite + - protocols: all but UDPLite diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt index 4b9d60721..d72899e33 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt @@ -1,2 +1,2 @@ final fw rules for query: match-icmp-also-within-default-test, config: match-icmp-also-within-default: -src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: ICMP {'icmp_type': '100', 'icmp_code': '230'} +src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: {protocols:ICMP,icmp_type:100,icmp_code:230} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml index 261801ce3..a239ccd50 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.yaml @@ -13,9 +13,8 @@ dst_pods: - app=keepalived-watcher connection: - - Protocol: ICMP - properties: - - icmp_type: - - 100 - icmp_code: - - 230 \ No newline at end of file + - protocols: ICMP + icmp_type: + - 100 + icmp_code: + - 230 
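Review bot: The complement of a protocol set is spelled two different ways in the new output: the txt fixture in the calico-testcase13 hunk writes `conn: All but {protocols:UDPLite}`, while the yaml fixture here writes `- protocols: all but UDPLite`; the calico-testcase5 hunks repeat the split with `All but {protocols:TCP}` versus `protocols: all but TCP`. Both formats are generated from the same connectivity properties, so a single spelling (the yaml `protocols: all but X` reads most naturally) would let a reader compare the two outputs without translating, and would keep the fixtures from drifting further apart as more properties are added. This is a point of output style rather than correctness, and the formatter that produces these files is outside this diff.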
diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt index 97aaf90bb..1b2b261fb 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.txt @@ -2,4 +2,4 @@ final fw rules for query: connectivity_map_1, config: ports-rectangles/kube-syst src: 0.0.0.0/0 dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default,vendor-system] dst_pods: [*] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [has_named_port=dns-local] conn: UDP {'src_ports': '80-100', 'dst_ports': '1-10052,10054-65535'} +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [has_named_port=dns-local] conn: {protocols:UDP,src_ports:80-100,dst_ports:1-10052,10054-65535} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml index 3a4f21dca..16eff0c4e 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase15-scheme_output.yaml @@ -4,22 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - has_named_port=dns-local - connection: - - Protocol: UDP - properties: - - src_ports: - - 80-100 - dst_ports: - - 1-10052 - - 10054-65535 - src_ip_block: - 0.0.0.0/0 dst_ns: 
@@ -50,3 +34,18 @@ - '*' connection: - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - kube-system + dst_pods: + - has_named_port=dns-local + connection: + - protocols: UDP + src_ports: + - 80-100 + dst_ports: + - 1-10052 + - 10054-65535 diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt index a23a77456..bf35aa9a3 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.txt 
@@ -1,10 +1,10 @@
final fw rules for query: Eran_gnps, config: Eran_gnps:
-src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP
+src: 0.0.0.0/0 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311}
src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections
src: 5.10.116.0/24,5.10.118.0/23,50.22.118.0/23,50.22.255.0/24,50.23.116.0/24,50.23.118.0/23,50.23.167.0/24,66.228.118.0/23,67.228.118.0/23,75.126.61.0/24,119.81.136.0/24,119.81.138.0/23,130.198.118.0/23,158.85.116.0/24,158.85.118.0/23,159.8.116.0/24,159.8.118.0/23,159.8.196.0/24,159.8.198.0/23,159.122.116.0/24,159.122.118.0/23,159.122.136.0/24,159.122.138.0/23,159.253.156.0/24,159.253.158.0/23,161.202.116.0/24,161.202.118.0/23,168.1.16.0/24,168.1.18.0/23,168.1.116.0/24,168.1.118.0/23,169.38.116.0/24,169.38.118.0/23,169.45.118.0/23,169.46.118.0/23,169.47.118.0/23,169.48.118.0/24,169.51.118.0/24,169.54.116.0/24,169.54.118.0/23,169.55.118.0/23,169.56.116.0/24,169.56.118.0/24,169.57.116.0/24,169.57.118.0/23,169.57.136.0/24,169.57.138.0/23,169.60.118.0/23,169.61.118.0/23,173.192.118.0/23,173.193.116.0/24,173.193.118.0/23,174.133.116.0/24,174.133.118.0/23,184.172.118.0/23,192.255.18.0/24,192.255.38.0/24,198.23.118.0/23,208.43.118.0/23 dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: All connections
src_ns: [None] src_pods: [vendor.role=worker_public] dst: 0.0.0.0/0 conn: All connections
-src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP
+src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311}
src_ns: [None] src_pods: [vendor.role=worker_public] dst_ns: [kube-system] dst_pods: [*] conn: All connections
src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
-src_ns:
[kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: TCP+UDP 52311,ICMP,VRRP +src_ns: [kube-system] src_pods: [*] dst_ns: [None] dst_pods: [vendor.role=worker_public] conn: {protocols:ICMP, VRRP},{protocols:TCP, UDP,dst_ports:52311} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml index dc4306108..db9bd9533 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase20-Eran_gnps_query_output.yaml @@ -4,55 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - None - src_pods: - - vendor.role=worker_public - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - None - dst_pods: - - vendor.role=worker_public - connection: - - Protocol: ICMP - - Protocol: TCP - Ports: - - 52311 - - Protocol: UDP - Ports: - - 52311 - - Protocol: VRRP - src_ip_block: - 0.0.0.0/0 dst_ns: 
@@ -163,3 +114,40 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 + - src_ns: + - None + src_pods: + - vendor.role=worker_public + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - None + dst_pods: + - vendor.role=worker_public + connection: + - protocols: ICMP, VRRP + - protocols: TCP, UDP + dst_ports: + - 52311 diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt index 629b404b2..cf8158160 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_FirstDenySubset: -src_ns: [kube-system] src_pods: [app in (helm,keepalived-watcher,vpn)] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [app in (helm,keepalived-watcher,vpn)] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml index 269b61c06..8543b2b0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml 
+++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt index 9525c3363..c4f28df79 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_firstAllowSuperSet: -src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml index cc9847d44..743a44686 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP 
diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt index d47671a1c..55f569261 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt @@ -1,2 +1,2 @@ final fw rules for query: connectivity_map, config: np_onlyAllow: -src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP +src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml index 307e217b7..1639a4bc1 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml @@ -13,4 +13,4 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP + - protocols: TCP diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt index 6adb05f8c..ec4191004 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt 
+++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt @@ -1,4 +1,4 @@ final fw rules for query: connectivity_map, config: np_denyFirst: src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [*] conn: All connections src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All but TCP +src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP} diff --git a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml index 751307795..ed42008f1 100644 --- a/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.yaml @@ -7,29 +7,28 @@ - src_ns: - kube-system src_pods: - - tier=frontend + - (has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1)) dst_ns: - kube-system dst_pods: - '*' connection: - - All but: - - Protocol: TCP + - All connections - src_ns: - kube-system src_pods: - - (has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1)) - dst_ns: - - kube-system - dst_pods: - '*' + dst_ip_block: + - 0.0.0.0/0 connection: - All connections - src_ns: - kube-system src_pods: + - tier=frontend + dst_ns: + - kube-system + dst_pods: - '*' - dst_ip_block: - - 0.0.0.0/0 connection: - - All connections + - protocols: all but TCP 
diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt index 18daf40d8..5f9b270e7 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'dst_ports': '80', 'methods': 'GET'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {dst_ports:80,methods:GET} src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: All connections For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-1, config: istio-test-methods-basic-1: diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml index 65925aac6..3d03b0ec3 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml 
@@ -4,20 +4,6 @@ numerical_result: 0 explanation: - TCP_rules: - - src_ns: - - default - src_pods: - - app=productpage - dst_ns: - - default - dst_pods: - - app=details - connection: - - Protocol: TCP - properties: - - dst_ports: - - 80 - methods: GET - src_ns: - default src_pods: @@ -36,6 +22,18 @@ - app=reviews connection: - All connections + - src_ns: + - default + src_pods: + - app=productpage + dst_ns: + - default + dst_pods: + - app=details + connection: + - dst_ports: + - 80 + methods: GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt index 6a21a4537..5fe9a2a5f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt @@ -1,7 +1,7 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'methods': 'all but GET'} -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: TCP {'methods': 'PUT'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {methods:all but GET} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=reviews] conn: {methods:PUT} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-basic-2, config: istio-test-methods-basic-2: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections 
diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml index 6c81212e7..ff4bd6931 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml @@ -4,6 +4,14 @@ numerical_result: 0 explanation: - TCP_rules: + - src_ns: + - default + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections - src_ns: - default src_pods: @@ -13,9 +21,7 @@ dst_pods: - app=reviews connection: - - Protocol: TCP - properties: - - methods: PUT + - methods: PUT - src_ns: - default src_pods: @@ -25,17 +31,7 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - methods: all but GET - - src_ns: - - default - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - methods: all but GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt index c7f751f45..3cd82724a 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt 
@@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'dst_ports': '80', 'methods': 'GET', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3'},{'dst_ports': '80', 'methods': 'GET', 'hosts': 'all but allowed-host.com, disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '80', 'methods': 'PUT', 'hosts': 'all but disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '80', 'methods': 'all but GET, PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'},{'dst_ports': '90', 'methods': 'GET, PUT', 'hosts': 'all but disallowed-host.com', 'paths': '/good_path1, /good_path2, /some/path2'},{'dst_ports': '100', 'methods': 'all but PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'},{'dst_ports': '100', 'methods': 'all but PUT', 'hosts': 'all but allowed-host.com', 'paths': '/some/path3'},{'dst_ports': '100', 'methods': 'PUT', 'paths': '/some/path3'},{'dst_ports': '1-79,81-89,91-99,101-65535', 'methods': 'all but PUT', 'hosts': 'allowed-host.com', 'paths': 'all but /bad/path1, /bad/path3, /some/path2'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {dst_ports:80,methods:GET,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3},{dst_ports:80,methods:GET,hosts:all but allowed-host.com, disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:80,methods:PUT,hosts:all but disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:80,methods:all but GET, PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{dst_ports:90,methods:GET, PUT,hosts:all but 
disallowed-host.com,paths:/good_path1, /good_path2, /some/path2},{dst_ports:100,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2},{dst_ports:100,methods:all but PUT,hosts:all but allowed-host.com,paths:/some/path3},{dst_ports:100,methods:PUT,paths:/some/path3},{dst_ports:1-79,81-89,91-99,101-65535,methods:all but PUT,hosts:allowed-host.com,paths:all but /bad/path1, /bad/path3, /some/path2} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-methods-paths-1, config: istio-test-methods-paths-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml index 74479bbf6..cc2f13443 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml @@ -4,6 +4,14 @@ numerical_result: 0 explanation: - TCP_rules: + - src_ns: + - default + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections - src_ns: - default src_pods: 
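Review bot: The new single-line `conn:` format in the `+src_ns: ... app=details` line uses a bare comma both to separate properties and to separate values inside one property, so `dst_ports:1-79,81-89,91-99,101-65535,methods:all but PUT` and `hosts:all but allowed-host.com, disallowed-host.com,paths:/good_path1, ...` can only be read back by already knowing the property names; the old format quoted each value. The same ambiguity appears in `dst_ports:1-10052,10054-65535` in the calico-testcase15 hunk and in `{protocols:TCP, UDP,dst_ports:52311}` in the calico-testcase20 hunk, where the protocol list gets a space after its comma but the property separator does not. If this output is meant to be consumed by anything other than an exact-match test, a separator that cannot occur inside a value (for example `;` between properties) or the previous quoting would remove the ambiguity; the change belongs in the txt formatter that produced these fixtures, not in the fixtures themselves.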
@@ -13,63 +21,53 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - dst_ports: - - 80 - methods: GET - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3 - - dst_ports: - - 80 - methods: GET - hosts: all but allowed-host.com, disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 80 - methods: PUT - hosts: all but disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 80 - methods: all but GET, PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - dst_ports: - - 90 - methods: GET, PUT - hosts: all but disallowed-host.com - paths: /good_path1, /good_path2, /some/path2 - - dst_ports: - - 100 - methods: all but PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - dst_ports: - - 100 - methods: all but PUT - hosts: all but allowed-host.com - paths: /some/path3 - - dst_ports: - - 100 - methods: PUT - paths: /some/path3 - - dst_ports: - - 1-79 - - 81-89 - - 91-99 - - 101-65535 - methods: all but PUT - hosts: allowed-host.com - paths: all but /bad/path1, /bad/path3, /some/path2 - - src_ns: - - default - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - dst_ports: + - 80 + methods: GET + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3 + - dst_ports: + - 80 + methods: GET + hosts: all but allowed-host.com, disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - dst_ports: + - 80 + methods: PUT + hosts: all but disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - dst_ports: + - 80 + methods: all but GET, PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, /some/path2 + - dst_ports: + - 90 + methods: GET, PUT + hosts: all but disallowed-host.com + paths: /good_path1, /good_path2, /some/path2 + - dst_ports: + - 100 + methods: all but PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, 
/some/path2 + - dst_ports: + - 100 + methods: all but PUT + hosts: all but allowed-host.com + paths: /some/path3 + - dst_ports: + - 100 + methods: PUT + paths: /some/path3 + - dst_ports: + - 1-79 + - 81-89 + - 91-99 + - 101-65535 + methods: all but PUT + hosts: allowed-host.com + paths: all but /bad/path1, /bad/path3, /some/path2 non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt index 3a445d907..636c0bb6d 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt @@ -1,6 +1,6 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: TCP {'methods': 'GET', 'paths': '/info*'},{'methods': 'POST', 'paths': '/data'} +src_ns: [default] src_pods: [app=productpage] dst_ns: [default] dst_pods: [app=details] conn: {methods:GET,paths:/info*},{methods:POST,paths:/data} For connections of type non-TCP, final fw rules for query: connectivity-istio-test-operation-allow-1, config: istio-test-operation-allow-1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml index 479e3c0b6..c7b924a3d 100644 
--- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml @@ -4,6 +4,14 @@ numerical_result: 0 explanation: - TCP_rules: + - src_ns: + - default + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections - src_ns: - default src_pods: @@ -13,20 +21,10 @@ dst_pods: - app=details connection: - - Protocol: TCP - properties: - - methods: GET - paths: /info* - - methods: POST - paths: /data - - src_ns: - - default - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections + - methods: GET + paths: /info* + - methods: POST + paths: /data non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt index 46b738ffd..d79f5161a 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt 
@@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: connectivity-istio-test-operation-deny-1, config: istio-test-operation-deny-1: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: TCP {'methods': 'all but GET'} +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {methods:all but GET} src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP {'methods': 'all but GET'} +src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {methods:all but GET} src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app!=details] conn: All connections src_ns: [default] src_pods: [app=details] dst_ns: [default] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml index 9a4dc0956..f39692360 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml @@ -4,28 +4,6 @@ numerical_result: 0 explanation: - TCP_rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - '*' - connection: - - Protocol: TCP - properties: - - methods: all but GET - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - default - dst_pods: - - '*' - connection: - - Protocol: TCP - properties: - - methods: all but GET - src_ip_block: - 0.0.0.0/0 dst_ns: 
@@ -62,6 +40,24 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - methods: all but GET + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - default + dst_pods: + - '*' + connection: + - methods: all but GET non-TCP_rules: - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt index 9b3ca6bdf..53c48ff2f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.txt @@ -1,11 +1,11 @@ For connections of type TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src: 0.0.0.0/0 dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: TCP 26257 +src: 1.2.3.0/24 dst_ns: [default] dst_pods: [*] conn: {dst_ports:26257} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [app=special_skydive] conn: All connections src_ns: [default,kube-system,vendor-system] src_pods: [*] dst_ns: [kube-system,vendor-system] dst_pods: [*] conn: All connections -src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP 26257 +src_ns: [default,vendor-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {dst_ports:26257} For connections of type non-TCP, final fw rules for query: istio-policy1, config: istio-policy1: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections 
diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml index cc5165a1d..fb533b56f 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query1_output.yaml @@ -11,8 +11,7 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - dst_ports: - 26257 - src_ns: - default @@ -24,8 +23,7 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - dst_ports: - 26257 - src_ip_block: - 0.0.0.0/0 diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt index be20d1830..4330f880c 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.txt 
@@ -1,8 +1,8 @@ For connections of type TCP, final fw rules for query: istio-policy2, config: istio-policy2: -src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 +src: 1.2.3.0/24,2.2.2.2/32 dst_ns: [default] dst_pods: [app=skydive] conn: {dst_ports:30,50} src_ns: [default,kube-system,vendor-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: TCP 30,50 -src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: TCP 30,50 +src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {dst_ports:30,50} +src_ns: [default] src_pods: [app=special_skydive] dst_ns: [default] dst_pods: [*] conn: {dst_ports:30,50} For connections of type non-TCP, final fw rules for query: istio-policy2, config: istio-policy2: src: 0.0.0.0/0 dst_ns: [default,kube-system,vendor-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml index b07aea12c..28af32589 100644 --- a/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/istio-test1-scheme_query2_output.yaml @@ -12,8 +12,7 @@ dst_pods: - app=skydive connection: - - Protocol: TCP - Ports: + - dst_ports: - 30 - 50 - src_ns: @@ -26,8 +25,7 @@ dst_pods: - app=skydive connection: - - Protocol: TCP - Ports: + - dst_ports: - 30 - 50 - src_ns: @@ -39,8 +37,7 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - dst_ports: - 30 - 50 - src_ns: diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv index 2a79d8ad9..326972651 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv 
+++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.csv 
@@ -1,14 +1,14 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_csv, config: poc1","","","","","", -"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","TCP 3550", -"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","TCP 50051", -"","[default]","[frontend]","[default]","[shippingservice]","TCP 50051", -"","[default]","[frontend]","[default]","[checkoutservice]","TCP 5050", -"","[default]","[cartservice]","[default]","[redis-cart]","TCP 6379", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","TCP 7000", -"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","TCP 7070", -"","","0.0.0.0/0","[default]","[frontend]","TCP 8080", -"","[default]","[checkoutservice]","[default]","[emailservice]","TCP 8080", -"","[default]","[frontend]","[default]","[recommendationservice]","TCP 8080", -"","[default]","[loadgenerator]","[default]","[frontend]","TCP 8080", -"","[default]","[frontend]","[default]","[adservice]","TCP 9555", +"","[default]","[app in (checkoutservice,frontend,recommendationservice)]","[default]","[productcatalogservice]","{protocols:TCP,dst_ports:3550}", +"","[default]","[checkoutservice]","[default]","[app in (paymentservice,shippingservice)]","{protocols:TCP,dst_ports:50051}", +"","[default]","[frontend]","[default]","[shippingservice]","{protocols:TCP,dst_ports:50051}", +"","[default]","[frontend]","[default]","[checkoutservice]","{protocols:TCP,dst_ports:5050}", +"","[default]","[cartservice]","[default]","[redis-cart]","{protocols:TCP,dst_ports:6379}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[currencyservice]","{protocols:TCP,dst_ports:7000}", +"","[default]","[app in (checkoutservice,frontend)]","[default]","[cartservice]","{protocols:TCP,dst_ports:7070}", +"","","0.0.0.0/0","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", 
+"","[default]","[checkoutservice]","[default]","[emailservice]","{protocols:TCP,dst_ports:8080}", +"","[default]","[frontend]","[default]","[recommendationservice]","{protocols:TCP,dst_ports:8080}", +"","[default]","[loadgenerator]","[default]","[frontend]","{protocols:TCP,dst_ports:8080}", +"","[default]","[frontend]","[default]","[adservice]","{protocols:TCP,dst_ports:9555}", diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot index 18504f73a..953a4c1bc 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
tcp3550 TCP 3550
tcp50051 TCP 50051
tcp5050 TCP 5050
tcp6379 TCP 6379
tcp7000 TCP 7000
tcp7070 TCP 7070
tcp8080 TCP 8080
tcp9555 TCP 9555
> shape=box] + dict_box [label=<
Connectivity legend
tcp3550 {protocols:TCP,dst_ports:3550}
tcp50051 {protocols:TCP,dst_ports:50051}
tcp5050 {protocols:TCP,dst_ports:5050}
tcp6379 {protocols:TCP,dst_ports:6379}
tcp7000 {protocols:TCP,dst_ports:7000}
tcp7070 {protocols:TCP,dst_ports:7070}
tcp8080 {protocols:TCP,dst_ports:8080}
tcp9555 {protocols:TCP,dst_ports:9555}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_default_namespace{ label="default" @@ -24,23 +24,23 @@ subgraph cluster_default_namespace{ "default/redis-cart(Deployment)" [label=<
redis-cart(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] "default/shippingservice(Deployment)" [label=<
shippingservice(Deployment)
> shape=box fontcolor=blue tooltip="Workload"] } - "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="TCP 6379" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="TCP 7000" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/emailservice(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/paymentservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/checkoutservice(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/adservice(Deployment)"[label="tcp9555" labeltooltip="TCP 9555" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="TCP 7070" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"default/frontend(Deployment)" -> "default/checkoutservice(Deployment)"[label="tcp5050" labeltooltip="TCP 5050" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="TCP 7000" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/recommendationservice(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/frontend(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="TCP 50051" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/loadgenerator(Deployment)" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="TCP 8080" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/recommendationservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="TCP 3550" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "0.0.0.0/0" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cartservice(Deployment)" -> "default/redis-cart(Deployment)"[label="tcp6379" labeltooltip="{protocols:TCP,dst_ports:6379}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="{protocols:TCP,dst_ports:7070}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal 
arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="{protocols:TCP,dst_ports:7000}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/emailservice(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/paymentservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/checkoutservice(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/adservice(Deployment)"[label="tcp9555" labeltooltip="{protocols:TCP,dst_ports:9555}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/cartservice(Deployment)"[label="tcp7070" labeltooltip="{protocols:TCP,dst_ports:7070}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/checkoutservice(Deployment)"[label="tcp5050" labeltooltip="{protocols:TCP,dst_ports:5050}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/currencyservice(Deployment)"[label="tcp7000" labeltooltip="{protocols:TCP,dst_ports:7000}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + 
"default/frontend(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/recommendationservice(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/frontend(Deployment)" -> "default/shippingservice(Deployment)"[label="tcp50051" labeltooltip="{protocols:TCP,dst_ports:50051}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/loadgenerator(Deployment)" -> "default/frontend(Deployment)"[label="tcp8080" labeltooltip="{protocols:TCP,dst_ports:8080}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/recommendationservice(Deployment)" -> "default/productcatalogservice(Deployment)"[label="tcp3550" labeltooltip="{protocols:TCP,dst_ports:3550}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md index c8df5ef6b..dbe4c5b89 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.md 
@@ -1,15 +1,15 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_md, config: poc1|||||| -||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|TCP 3550| -||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|TCP 50051| -||[default]|[frontend]|[default]|[shippingservice]|TCP 50051| -||[default]|[frontend]|[default]|[checkoutservice]|TCP 5050| -||[default]|[cartservice]|[default]|[redis-cart]|TCP 6379| -||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|TCP 7000| -||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|TCP 7070| -|||0.0.0.0/0|[default]|[frontend]|TCP 8080| -||[default]|[checkoutservice]|[default]|[emailservice]|TCP 8080| -||[default]|[frontend]|[default]|[recommendationservice]|TCP 8080| -||[default]|[loadgenerator]|[default]|[frontend]|TCP 8080| -||[default]|[frontend]|[default]|[adservice]|TCP 9555| +||[default]|[app in (checkoutservice,frontend,recommendationservice)]|[default]|[productcatalogservice]|{protocols:TCP,dst_ports:3550}| +||[default]|[checkoutservice]|[default]|[app in (paymentservice,shippingservice)]|{protocols:TCP,dst_ports:50051}| +||[default]|[frontend]|[default]|[shippingservice]|{protocols:TCP,dst_ports:50051}| +||[default]|[frontend]|[default]|[checkoutservice]|{protocols:TCP,dst_ports:5050}| +||[default]|[cartservice]|[default]|[redis-cart]|{protocols:TCP,dst_ports:6379}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[currencyservice]|{protocols:TCP,dst_ports:7000}| +||[default]|[app in (checkoutservice,frontend)]|[default]|[cartservice]|{protocols:TCP,dst_ports:7070}| +|||0.0.0.0/0|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| +||[default]|[checkoutservice]|[default]|[emailservice]|{protocols:TCP,dst_ports:8080}| +||[default]|[frontend]|[default]|[recommendationservice]|{protocols:TCP,dst_ports:8080}| 
+||[default]|[loadgenerator]|[default]|[frontend]|{protocols:TCP,dst_ports:8080}| +||[default]|[frontend]|[default]|[adservice]|{protocols:TCP,dst_ports:9555}| diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt index 39806a076..537d1cb01 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.txt 
@@ -1,13 +1,13 @@ final fw rules for query: connectivity_map, config: poc1: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: 
[default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} diff --git a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml index 0c4af1724..ccb03e2b2 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc1-scheme_output.yaml @@ -13,8 +13,8 @@ dst_pods: - productcatalogservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 3550 - src_ns: - default @@ -25,8 +25,8 @@ dst_pods: - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -37,8 +37,8 @@ dst_pods: - shippingservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -49,8 +49,8 @@ dst_pods: - checkoutservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 5050 - src_ns: - default 
@@ -61,8 +61,8 @@ dst_pods: - redis-cart connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 6379 - src_ns: - default @@ -73,8 +73,8 @@ dst_pods: - currencyservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7000 - src_ns: - default @@ -85,8 +85,8 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - src_ip_block: - 0.0.0.0/0 @@ -95,8 +95,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -107,8 +107,8 @@ dst_pods: - emailservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -119,8 +119,8 @@ dst_pods: - recommendationservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -131,8 +131,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -143,6 +143,6 @@ dst_pods: - adservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 9555 diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt index 565a70e26..374f60857 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.txt 
@@ -1,18 +1,18 @@ final fw rules for query: connectivity_map, config: poc2: -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000 -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550 -src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051 -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080 -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051 -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: 
[cartservice] conn: {protocols:TCP,dst_ports:7070} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550} +src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080 +src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080} src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections diff --git a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml index 90c958705..9cb961e8f 100644 
--- a/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc2-scheme_output.yaml @@ -4,6 +4,32 @@ numerical_result: 0 explanation: - rules: + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All connections - src_ns: - default src_pods: @@ -13,8 +39,8 @@ dst_pods: - productcatalogservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 3550 - src_ns: - default @@ -25,8 +51,8 @@ dst_pods: - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -37,8 +63,8 @@ dst_pods: - shippingservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -49,8 +75,8 @@ dst_pods: - checkoutservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 5050 - src_ns: - default @@ -61,8 +87,8 @@ dst_pods: - redis-cart connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 6379 - src_ns: - default @@ -73,8 +99,8 @@ dst_pods: - currencyservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7000 - src_ns: - default @@ -85,8 +111,8 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - src_ip_block: - 0.0.0.0/0 @@ -95,8 +121,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -107,8 +133,8 @@ dst_pods: - emailservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default 
@@ -119,8 +145,8 @@ dst_pods: - recommendationservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -131,8 +157,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - kube-system @@ -143,8 +169,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -155,8 +181,8 @@ dst_pods: - adservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 9555 - src_ns: - default @@ -167,32 +193,6 @@ dst_pods: - '*' connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt index fc3189565..5d5f15f7c 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.txt 
@@ -1,15 +1,15 @@
 final fw rules for query: connectivity_map, config: poc3:
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
-src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
-src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: {protocols:UDP,dst_ports:53}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
diff --git a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml
index 99327d1ff..16eb1bf0c 100644
--- a/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/poc3-scheme_output.yaml
@@ -13,8 +13,8 @@ dst_pods: - productcatalogservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 3550 - src_ns: - default @@ -25,8 +25,8 @@ dst_pods: - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -37,8 +37,8 @@ dst_pods: - shippingservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -49,8 +49,8 @@ dst_pods: - checkoutservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 5050 - src_ns: - default @@ -61,8 +61,8 @@ dst_pods: - redis-cart connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 6379 - src_ns: - default @@ -73,8 +73,8 @@ dst_pods: - currencyservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7000 - src_ns: - default @@ -85,8 +85,8 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - src_ip_block: - 0.0.0.0/0 @@ -95,8 +95,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -107,8 +107,8 @@ dst_pods: - emailservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -119,8 +119,8 @@ dst_pods: - recommendationservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -131,8 +131,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - kube-system @@ -143,8 +143,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -155,8 +155,8 @@ dst_pods: - adservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 9555 - src_ns: - default 
@@ -167,6 +167,6 @@ dst_pods: - k8s-app=kube-dns connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt index c70ca8299..01ce54c0c 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.txt 
@@ -1,18 +1,18 @@
 final fw rules for query: connectivity_map, config: poc4:
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: UDP 53
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23,8080
+src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [k8s-app=kube-dns] conn: {protocols:UDP,dst_ports:53}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:23,8080}
 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
-src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml index 8f7438933..3d9830ae0 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_connectivity_map_query_output.yaml @@ -4,6 +4,32 @@ numerical_result: 0 explanation: - rules: + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections + - src_ns: + - kube-system + src_pods: + - '*' + dst_ns: + - kube-system + dst_pods: + - '*' + connection: + - All connections - src_ns: - default src_pods: @@ -13,8 +39,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 23 - 8080 - src_ns: @@ -26,8 +52,8 @@ dst_pods: - productcatalogservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 3550 - src_ns: - default @@ -38,8 +64,8 @@ dst_pods: - app in (paymentservice,shippingservice) connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -50,8 +76,8 @@ dst_pods: - shippingservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 50051 - src_ns: - default @@ -62,8 +88,8 @@ dst_pods: - checkoutservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 5050 - src_ns: - default @@ -74,8 +100,8 @@ dst_pods: - redis-cart connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 6379 - src_ns: - default @@ -86,8 +112,8 @@ dst_pods: - currencyservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7000 - src_ns: - default 
@@ -98,8 +124,8 @@ dst_pods: - cartservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 7070 - src_ip_block: - 0.0.0.0/0 @@ -108,8 +134,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -120,8 +146,8 @@ dst_pods: - emailservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -132,8 +158,8 @@ dst_pods: - recommendationservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - kube-system @@ -144,8 +170,8 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - src_ns: - default @@ -156,8 +182,8 @@ dst_pods: - adservice connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 9555 - src_ns: - default @@ -168,32 +194,6 @@ dst_pods: - k8s-app=kube-dns connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections - - src_ns: - - kube-system - src_pods: - - '*' - dst_ns: - - kube-system - dst_pods: - - '*' - connection: - - All connections diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt index 114ae4a89..49f968e95 100644 --- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt +++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt 
@@ -1,4 +1,4 @@
 poc3 and poc4 are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: poc4) :
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 23
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:23}
diff --git a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml
index c7fa67f1d..eac35b271 100644
--- a/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml
@@ -16,6 +16,6 @@ dst_pods: - frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 23
diff --git a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt
index 4aeb2cf69..7e078ef74 100644
--- a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.txt
@@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np3:
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections
 src_ns: [default,kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections
-src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 11-16,21-23,34,42,44,46,56,65-66,TCP 24-26,41,43,45,52-55,62-64,71,73,75,77,79,81-84,UDP 31-33,35-36,57-59,67-68,72,74,76,78,86-89
+src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:11-16,21-26,34,41-46,52-56,62-66,71,73,75,77,79,81-84},{protocols:UDP,dst_ports:11-16,21-23,31-36,42,44,46,56-59,65-68,72,74,76,78,86-89}
diff --git a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml
index cfbf29275..f3b87a1b3 100644
--- a/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/port_aggregation-scheme_output.yaml
@@ -4,6 +4,34 @@ numerical_result: 0 explanation: - rules: + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - All connections + - src_ns: + - default + - kube-system-new + src_pods: + - '*' + dst_ip_block: + - 0.0.0.0/0 + connection: + - All connections + - src_ns: + - default + - kube-system-new + src_pods: + - '*' + dst_ns: + - default + dst_pods: + - '*' + connection: + - All connections - src_ns: - default - kube-system-new
@@ -14,8 +42,8 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 11-16 - 21-26 - 34
@@ -28,8 +56,8 @@ - 77 - 79 - 81-84 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 11-16 - 21-23 - 31-36
@@ -43,31 +71,3 @@ - 76 - 78 - 86-89 - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - '*' - connection: - - All connections - - src_ns: - - default - - kube-system-new - src_pods: - - '*' - dst_ip_block: - - 0.0.0.0/0 - connection: - - All connections - - src_ns: - - default - - kube-system-new - src_pods: - - '*' - dst_ns: - - default - dst_pods: - - '*' - connection: - - All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv
index 94aeeff6f..698ef4a66 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.csv
@@ -15,8 +15,8 @@
 "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks","","","","","",
 "","","0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-1]","All connections",
 "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0/0","[default]","[app=app-2]","All but UDP 53",
 "","","0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255","[default]","[app=app-2]","All connections",
+"","","0.0.0.0/0","[default]","[app=app-2]","All but {protocols:UDP,dst_ports:53}",
 "semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers","","","","","",
 "","[default]","[app in (app-5,app-6)]","[default]","[app in (app-0,app-1)]","All connections",
 "","[default]","[app not in (app-5,app-6)]","[default]","[app in (app-5,app-6)]","All connections",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md
index 79aed5d87..31c2f2aed 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.md
@@ -16,8 +16,8 @@
 |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Added connections between persistent peers and ipBlocks||||||
 |||0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-1]|All connections|
 |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0/0|[default]|[app=app-2]|All but UDP 53|
 |||0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255|[default]|[app=app-2]|All connections|
+|||0.0.0.0/0|[default]|[app=app-2]|All but {protocols:UDP,dst_ports:53}|
 |semantic_diff, config1: config_a_with_ipBlock, config2: config_b_with_ipBlock, key: New connections between persistent peers and added peers||||||
 ||[default]|[app in (app-5,app-6)]|[default]|[app in (app-0,app-1)]|All connections|
 ||[default]|[app not in (app-5,app-6)]|[default]|[app in (app-5,app-6)]|All connections|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt
index 1176223ce..0baec2898 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.txt
@@ -23,7 +23,7 @@ src: 0.0.0.0-9.255.255.255,10.10.0.0-10.10.255.255,11.0.0.0-255.255.255.255 dst_
 Removed connections between persistent peers and ipBlocks (based on topology from config: config_a_with_ipBlock) :
 src: 0.0.0.0-9.255.255.255,10.11.0.0-10.11.255.255,11.0.0.0-255.255.255.255 dst_ns: [default] dst_pods: [app=app-2] conn: All connections
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but UDP 53
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app=app-2] conn: All but {protocols:UDP,dst_ports:53}
 New connections between persistent peers and added peers (based on topology from config: config_b_with_ipBlock) :
 src_ns: [default] src_pods: [app in (app-5,app-6)] dst_ns: [default] dst_pods: [app in (app-0,app-1)] conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml
index 262c06561..80a1d1510 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_with_ipBlock_query_output.yaml
@@ -112,17 +112,6 @@ - All connections - description: Removed connections between persistent peers and ipBlocks rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - default - dst_pods: - - app=app-2 - connection: - - All but: - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/5 - 10.11.0.0/16
@@ -139,6 +128,17 @@ - app=app-2 connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - app=app-2 + connection: + - All but: + - protocols: UDP + dst_ports: + - 53 - description: New connections between persistent peers and added peers rules: - src_ns:
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv
index 8ce3bc054..df6bff4ad 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.csv
@@ -6,7 +6,7 @@
 "","[kube-system]","[tier=frontend]","[default,kube-system-dummy-to-ignore,vendor-system]","[*]","All connections",
 "","[kube-system]","[tier=frontend]","[kube-system]","[!has(tier) or tier=not_frontend_for_demo]","All connections",
 "semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but UDP 53",
 "","","10.0.0.0/8,172.21.0.0/16,172.30.0.0/16","[kube-system]","[tier=frontend]","All connections",
+"","","0.0.0.0/0","[kube-system]","[tier=frontend]","All but {protocols:UDP,dst_ports:53}",
 "semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks","","","","","",
 "","[kube-system]","[tier=frontend]","","0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255","All connections",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md
index 2931c20de..b252725f0 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.md
@@ -7,7 +7,7 @@
 ||[kube-system]|[tier=frontend]|[default,kube-system-dummy-to-ignore,vendor-system]|[*]|All connections|
 ||[kube-system]|[tier=frontend]|[kube-system]|[!has(tier) or tier=not_frontend_for_demo]|All connections|
 |semantic_diff, config1: np1, config2: np4, key: Added connections between persistent peers and ipBlocks||||||
-|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but UDP 53|
 |||10.0.0.0/8,172.21.0.0/16,172.30.0.0/16|[kube-system]|[tier=frontend]|All connections|
+|||0.0.0.0/0|[kube-system]|[tier=frontend]|All but {protocols:UDP,dst_ports:53}|
 |semantic_diff, config1: np1, config2: np4, key: Removed connections between persistent peers and ipBlocks||||||
 ||[kube-system]|[tier=frontend]||0.0.0.0-49.49.255.255,49.50.0.1,49.50.0.3,49.50.0.5,49.50.0.7,49.50.0.9,49.50.0.11,49.50.0.13,49.50.0.15,49.50.0.17-255.255.255.255|All connections|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt
index efd603fbc..b8b3abef7 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.txt
@@ -9,7 +9,7 @@ src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [default,kube-system-dum
 src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections
 Added connections between persistent peers and ipBlocks (based on topology from config: np4) :
-src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but UDP 53
+src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All but {protocols:UDP,dst_ports:53}
 src: 10.0.0.0/8,172.21.0.0/16,172.30.0.0/16 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: All connections
 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) :
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml
index 9626fbdad..396756b02 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np1_np4_query_output.yaml
@@ -56,26 +56,26 @@ - description: Added connections between persistent peers and ipBlocks rules: - src_ip_block: - - 0.0.0.0/0 + - 10.0.0.0/8 + - 172.21.0.0/16 + - 172.30.0.0/16 dst_ns: - kube-system dst_pods: - tier=frontend connection: - - All but: - - Protocol: UDP - Ports: - - 53 + - All connections - src_ip_block: - - 10.0.0.0/8 - - 172.21.0.0/16 - - 172.30.0.0/16 + - 0.0.0.0/0 dst_ns: - kube-system dst_pods: - tier=frontend connection: - - All connections + - All but: + - protocols: UDP + dst_ports: + - 53 - description: Removed connections between persistent peers and ipBlocks rules: - src_ns:
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv
index 84331132b..f993d9b85 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.csv
@@ -1,11 +1,11 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}",
 "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}",
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}",
 "semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md
index 63545d5f7..66f2947a7 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.md
@@ -1,13 +1,13 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}|
 |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}|
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: np1, config2: np3, key: Added connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}|
 |semantic_diff, config1: np1, config2: np3, key: Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt
index 04a3da137..87a757e97 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.txt
@@ -1,17 +1,17 @@
 np1 and np2 are not semantically equivalent.
 Added connections between persistent peers and ipBlocks (based on topology from config: np2) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53}
 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53}
 np1 and np3 are not semantically equivalent.
 Added connections between persistent peers and ipBlocks (based on topology from config: np3) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53}
 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53}
 np2 and np3 have the same network topology and the same set of policies.
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml
index 3b83e224d..d87e6ac45 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_equivalence_query_output.yaml
@@ -37,8 +37,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules:
@@ -72,8 +72,8 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - query: semantic_diff_ipblocks_equivalence configs:
@@ -114,8 +114,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules:
@@ -149,8 +149,8 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53 - query: semantic_diff_ipblocks_equivalence configs:
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv
index 9f4722825..36754e3a6 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.csv
@@ -1,5 +1,5 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","TCP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:TCP,dst_ports:53}",
 "semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","UDP 53",
+"","","0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255","[kube-system]","[tier=frontend]","{protocols:UDP,dst_ports:53}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md
index c1815eaac..51ced91c1 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.md
@@ -1,6 +1,6 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: np1, config2: np2, key: Added connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|TCP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:TCP,dst_ports:53}|
 |semantic_diff, config1: np1, config2: np2, key: Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|UDP 53|
+|||0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255|[kube-system]|[tier=frontend]|{protocols:UDP,dst_ports:53}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt
index 30b4d61b6..133f7d49a 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.txt
@@ -1,7 +1,7 @@
 np1 and np2 are not semantically equivalent.
 Added connections between persistent peers and ipBlocks (based on topology from config: np2) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: TCP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP,dst_ports:53}
 Removed connections between persistent peers and ipBlocks (based on topology from config: np1) :
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: UDP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:UDP,dst_ports:53}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml
index 2b637846a..e6c4fee93 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks_np1_np2_query_output.yaml
@@ -37,8 +37,8 @@ dst_pods: - tier=frontend connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 53 - description: Removed connections between persistent peers and ipBlocks rules:
@@ -72,6 +72,6 @@ dst_pods: - tier=frontend connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt
index 0c47b208d..ce510c6aa 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt
@@ -1,7 +1,7 @@
 np1_named_ports and np2_named_ports are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: np2_named_ports) :
-src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054
+src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: {protocols:TCP,dst_ports:10054}
 Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) :
-src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: TCP 10054
+src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db-9s486, kube-dns-amd64-d66bf76db-bbvts] conn: {protocols:TCP,dst_ports:10054}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv
index b850aa9f0..0e2fb724f 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.csv
@@ -1,5 +1,5 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers","","","","","",
-"","[default,kube-system,kube-system-dummy-to-ignore,vendor-system]","[*]","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","TCP 10054",
+"","[default,kube-system,kube-system-dummy-to-ignore,vendor-system]","[*]","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","{protocols:TCP,dst_ports:10054}",
 "semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0/0","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","TCP 10054",
+"","","0.0.0.0/0","[kube-system-dummy-to-ignore]","[kube-dns-amd64-d66bf76db]","{protocols:TCP,dst_ports:10054}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md
index 7a71b913a..2ff5fa127 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.md
@@ -1,6 +1,6 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers||||||
-||[default,kube-system,kube-system-dummy-to-ignore,vendor-system]|[*]|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|TCP 10054|
+||[default,kube-system,kube-system-dummy-to-ignore,vendor-system]|[*]|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|{protocols:TCP,dst_ports:10054}|
 |semantic_diff, config1: np1_named_ports, config2: np2_named_ports, key: Added connections between persistent peers and ipBlocks||||||
-|||0.0.0.0/0|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|TCP 10054|
+|||0.0.0.0/0|[kube-system-dummy-to-ignore]|[kube-dns-amd64-d66bf76db]|{protocols:TCP,dst_ports:10054}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt
index 4a597d7a8..ef246a63e 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.txt
@@ -1,7 +1,7 @@
 np1_named_ports and np2_named_ports are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: np2_named_ports) :
-src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 10054
+src_ns: [default,kube-system,kube-system-dummy-to-ignore,vendor-system] src_pods: [*] dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:10054}
 Added connections between persistent peers and ipBlocks (based on topology from config: np2_named_ports) :
-src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: TCP 10054
+src: 0.0.0.0/0 dst_ns: [kube-system-dummy-to-ignore] dst_pods: [kube-dns-amd64-d66bf76db] conn: {protocols:TCP,dst_ports:10054}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml
index 82d3155eb..3a1e6095d 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.yaml
@@ -19,8 +19,8 @@ dst_pods: - kube-dns-amd64-d66bf76db connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 10054 - description: Added connections between persistent peers and ipBlocks rules:
@@ -31,6 +31,6 @@ dst_pods: - kube-dns-amd64-d66bf76db connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 10054
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv
index 5c4e25733..826147a4c 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.csv
@@ -1,5 +1,5 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: new1, config2: old1, key: Added connections between persistent peers","","","","","",
-"","[demo]","[bank-ui]","[demo]","[account-command]","All but TCP+UDP 8080,TCP 9090",
+"","[demo]","[bank-ui]","[demo]","[account-command]","All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080}",
 "semantic_diff, config1: new1, config2: old1, key: Removed connections between persistent peers","","","","","",
-"","[demo]","[account-query]","[demo]","[bank-ui]","All but TCP 8080",
+"","[demo]","[account-query]","[demo]","[bank-ui]","All but {protocols:TCP,dst_ports:8080}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md
index 8df750873..89db7f42a 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.md
@@ -1,6 +1,6 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: new1, config2: old1, key: Added connections between persistent peers||||||
-||[demo]|[bank-ui]|[demo]|[account-command]|All but TCP+UDP 8080,TCP 9090|
+||[demo]|[bank-ui]|[demo]|[account-command]|All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080}|
 |semantic_diff, config1: new1, config2: old1, key: Removed connections between persistent peers||||||
-||[demo]|[account-query]|[demo]|[bank-ui]|All but TCP 8080|
+||[demo]|[account-query]|[demo]|[bank-ui]|All but {protocols:TCP,dst_ports:8080}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt
index 5e13c79df..8f92295ef 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.txt
@@ -1,7 +1,7 @@
 new1 and old1 are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: old1) :
-src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All but TCP+UDP 8080,TCP 9090
+src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All but {protocols:TCP,dst_ports:8080,9090},{protocols:UDP,dst_ports:8080}
 Removed connections between persistent peers (based on topology from config: new1) :
-src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: All but TCP 8080
+src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: All but {protocols:TCP,dst_ports:8080}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml
index 3a402964f..3d18044f1 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.yaml
@@ -17,12 +17,12 @@ - account-command connection: - All but: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - 9090 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 8080 - description: Removed connections between persistent peers rules:
@@ -36,6 +36,6 @@ - bank-ui connection: - All but: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv
index d36750f94..75bcc0993 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.csv
@@ -1,6 +1,6 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: new1a, config2: old1, key: Added connections between persistent peers","","","","","",
-"","[demo]","[account-query]","[demo]","[bank-ui]","TCP 8080",
 "","[demo]","[bank-ui]","[demo]","[account-command]","All connections",
+"","[demo]","[account-query]","[demo]","[bank-ui]","{protocols:TCP,dst_ports:8080}",
 "semantic_diff, config1: new1a, config2: old1, key: Removed connections between persistent peers","","","","","",
-"","[demo]","[account-query]","[demo]","[bank-ui]","UDP 8080",
+"","[demo]","[account-query]","[demo]","[bank-ui]","{protocols:UDP,dst_ports:8080}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md
index 81678161f..48b7f802d 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.md
@@ -1,7 +1,7 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: new1a, config2: old1, key: Added connections between persistent peers||||||
-||[demo]|[account-query]|[demo]|[bank-ui]|TCP 8080|
 ||[demo]|[bank-ui]|[demo]|[account-command]|All connections|
+||[demo]|[account-query]|[demo]|[bank-ui]|{protocols:TCP,dst_ports:8080}|
 |semantic_diff, config1: new1a, config2: old1, key: Removed connections between persistent peers||||||
-||[demo]|[account-query]|[demo]|[bank-ui]|UDP 8080|
+||[demo]|[account-query]|[demo]|[bank-ui]|{protocols:UDP,dst_ports:8080}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt
index 5fe1880c3..63b4bb478 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.txt
@@ -1,8 +1,8 @@
 new1a and old1 are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: old1) :
-src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: TCP 8080
+src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: {protocols:TCP,dst_ports:8080}
 src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: All connections
 Removed connections between persistent peers (based on topology from config: new1a) :
-src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: UDP 8080
+src_ns: [demo] src_pods: [account-query] dst_ns: [demo] dst_pods: [bank-ui] conn: {protocols:UDP,dst_ports:8080}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml
index 40da9b200..1dee098ab 100644
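Review bot: The regenerated fixtures for the same new1a-vs-old1 query no longer agree on rule order across formats: this txt hunk keeps the account-query→bank-ui `{protocols:TCP,dst_ports:8080}` rule before the bank-ui→account-command `All connections` rule, and semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt does the same, while the csv and md fixtures and the reordered semantic_diff_old1_new1a_query_output.yaml now put the `All connections` rule first. The tests pass either way, but it looks as if the fw-rules formatters sort by the new connection string (where `{` sorts after `A`) whereas the plain-text formatters sort by peer, which I am inferring rather than seeing in this diff. If a stable, format-independent order is intended for these reports, it is worth pinning it in one place and regenerating the fixtures, so the same diff can be compared across output formats.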
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_query_output.yaml
@@ -10,25 +10,25 @@ - src_ns: - demo src_pods: - - account-query + - bank-ui dst_ns: - demo dst_pods: - - bank-ui + - account-command connection: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - demo src_pods: - - bank-ui + - account-query dst_ns: - demo dst_pods: - - account-command + - bank-ui connection: - - All connections + - protocols: TCP + dst_ports: + - 8080 - description: Removed connections between persistent peers rules: - src_ns:
@@ -40,6 +40,6 @@ dst_pods: - bank-ui connection: - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 8080
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt
index 4e62f3db8..8a37c621b 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt
@@ -1,5 +1,5 @@
 Added connections between persistent peers (based on topology from config: old1) :
-demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : TCP 8080
-demo/bank-ui[DaemonSet] => demo/account-command[DaemonSet] : All Connections
+demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:TCP,dst_ports:8080}
+demo/bank-ui[DaemonSet] => demo/account-command[DaemonSet] : All connections
 Removed connections between persistent peers (based on topology from config: new1a) :
-demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : UDP 8080
\ No newline at end of file
+demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:UDP,dst_ports:8080}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv
index 20ec1505d..f2eb3c453 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.csv
@@ -1,5 +1,5 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: new2, config2: old2, key: Added connections between persistent peers","","","","","",
-"","[demo]","[bank-ui]","[demo]","[account-command]","TCP 8080,UDP 9090,SCTP 7070",
+"","[demo]","[bank-ui]","[demo]","[account-command]","{protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070}",
 "semantic_diff, config1: new2, config2: old2, key: Removed connections between persistent peers","","","","","",
-"","[demo]","[bank-ui]","[demo]","[account-command]","TCP 8082,UDP 9091",
+"","[demo]","[bank-ui]","[demo]","[account-command]","{protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json
index 028878497..e5c9d0853 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.json
@@ -26,20 +26,20 @@ ], "connection": [ { - "Protocol": "TCP", - "Ports": [ + "protocols": "TCP", + "dst_ports": [ 8080 ] }, { - "Protocol": "UDP", - "Ports": [ + "protocols": "UDP", + "dst_ports": [ 9090 ] }, { - "Protocol": "SCTP", - "Ports": [ + "protocols": "SCTP", + "dst_ports": [ 7070 ] }
@@ -65,14 +65,14 @@ ], "connection": [ { - "Protocol": "TCP", - "Ports": [ + "protocols": "TCP", + "dst_ports": [ 8082 ] }, { - "Protocol": "UDP", - "Ports": [ + "protocols": "UDP", + "dst_ports": [ 9091 ] }
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md
index 3c152dceb..d6d0e871b 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.md
@@ -1,6 +1,6 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: new2, config2: old2, key: Added connections between persistent peers||||||
-||[demo]|[bank-ui]|[demo]|[account-command]|TCP 8080,UDP 9090,SCTP 7070|
+||[demo]|[bank-ui]|[demo]|[account-command]|{protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070}|
 |semantic_diff, config1: new2, config2: old2, key: Removed connections between persistent peers||||||
-||[demo]|[bank-ui]|[demo]|[account-command]|TCP 8082,UDP 9091|
+||[demo]|[bank-ui]|[demo]|[account-command]|{protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt
index 996daece7..946ed50fb 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.txt
@@ -1,7 +1,7 @@
 new2 and old2 are not semantically equivalent.
 Added connections between persistent peers (based on topology from config: old2) :
-src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: TCP 8080,UDP 9090,SCTP 7070
+src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: {protocols:TCP,dst_ports:8080},{protocols:UDP,dst_ports:9090},{protocols:SCTP,dst_ports:7070}
 Removed connections between persistent peers (based on topology from config: new2) :
-src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: TCP 8082,UDP 9091
+src_ns: [demo] src_pods: [bank-ui] dst_ns: [demo] dst_pods: [account-command] conn: {protocols:TCP,dst_ports:8082},{protocols:UDP,dst_ports:9091}
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml
index b3f06500b..ec8db9818 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_old2_new2_query_output.yaml
@@ -16,14 +16,14 @@ dst_pods: - account-command connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8080 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 9090 - - Protocol: SCTP - Ports: + - protocols: SCTP + dst_ports: - 7070 - description: Removed connections between persistent peers rules:
@@ -36,9 +36,9 @@ dst_pods: - account-command connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 8082 - - Protocol: UDP - Ports: + - protocols: UDP + dst_ports: - 9091
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv
index 0ba4d2d49..83e1d8988 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.csv
@@ -1,17 +1,5 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers","","","","","",
-"","[default]","[*]","[default]","[productcatalogservice]","All but TCP 3550",
-"","[default]","[recommendationservice]","[default]","[*]","All but TCP 3550",
-"","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but TCP 50051",
-"","[default]","[*]","[default]","[checkoutservice]","All but TCP 5050",
-"","[default]","[cartservice]","[default]","[*]","All but TCP 6379",
-"","[default]","[*]","[default]","[currencyservice]","All but TCP 7000",
-"","[default]","[*]","[default]","[cartservice]","All but TCP 7070",
-"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but TCP 8080",
-"","[default]","[loadgenerator]","[default]","[*]","All but TCP 8080",
-"","[kube-system]","[*]","[default]","[*]","All but TCP 8080",
-"","[default]","[*]","[default]","[adservice]","All but TCP 9555",
-"","[default]","[*]","[kube-system]","[*]","All but UDP 53",
 "","[default,kube-system]","[*]","[default]","[loadgenerator]","All connections",
 "","[default]","[*]","[kube-system]","[etcd-operator]","All connections",
 "","[default]","[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]","[default,kube-system]","[*]","All connections",
@@ -21,7 +9,19 @@
 "","[default]","[loadgenerator]","[default]","[app not in (frontend,loadgenerator)]","All connections",
 "","[default]","[recommendationservice]","[default]","[app not in (loadgenerator,productcatalogservice,recommendationservice)]","All connections",
 "","[kube-system]","[*]","[default]","[app not in (frontend,loadgenerator)]","All connections",
+"","[default]","[*]","[default]","[productcatalogservice]","All but {protocols:TCP,dst_ports:3550}",
+"","[default]","[recommendationservice]","[default]","[*]","All but {protocols:TCP,dst_ports:3550}",
+"","[default]","[*]","[default]","[app in (paymentservice,shippingservice)]","All but {protocols:TCP,dst_ports:50051}",
+"","[default]","[*]","[default]","[checkoutservice]","All but {protocols:TCP,dst_ports:5050}",
+"","[default]","[cartservice]","[default]","[*]","All but {protocols:TCP,dst_ports:6379}",
+"","[default]","[*]","[default]","[currencyservice]","All but {protocols:TCP,dst_ports:7000}",
+"","[default]","[*]","[default]","[cartservice]","All but {protocols:TCP,dst_ports:7070}",
+"","[default]","[*]","[default]","[app in (emailservice,frontend,loadgenerator,recommendationservice)]","All but {protocols:TCP,dst_ports:8080}",
+"","[default]","[loadgenerator]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}",
+"","[kube-system]","[*]","[default]","[*]","All but {protocols:TCP,dst_ports:8080}",
+"","[default]","[*]","[default]","[adservice]","All but {protocols:TCP,dst_ports:9555}",
+"","[default]","[*]","[kube-system]","[*]","All but {protocols:UDP,dst_ports:53}",
 "semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks","","","","","",
-"","","0.0.0.0/0","[default]","[*]","All but TCP 8080",
 "","","0.0.0.0/0","[default]","[app!=frontend]","All connections",
 "","[default]","[*]","","0.0.0.0/0","All connections",
+"","","0.0.0.0/0","[default]","[*]","All but {protocols:TCP,dst_ports:8080}",
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md
index 68266e251..aba136f55 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.md
@@ -1,18 +1,6 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers||||||
-||[default]|[*]|[default]|[productcatalogservice]|All but TCP 3550|
-||[default]|[recommendationservice]|[default]|[*]|All but TCP 3550|
-||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but TCP 50051|
-||[default]|[*]|[default]|[checkoutservice]|All but TCP 5050|
-||[default]|[cartservice]|[default]|[*]|All but TCP 6379|
-||[default]|[*]|[default]|[currencyservice]|All but TCP 7000|
-||[default]|[*]|[default]|[cartservice]|All but TCP 7070|
-||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but TCP 8080|
-||[default]|[loadgenerator]|[default]|[*]|All but TCP 8080|
-||[kube-system]|[*]|[default]|[*]|All but TCP 8080|
-||[default]|[*]|[default]|[adservice]|All but TCP 9555|
-||[default]|[*]|[kube-system]|[*]|All but UDP 53|
 ||[default,kube-system]|[*]|[default]|[loadgenerator]|All connections|
 ||[default]|[*]|[kube-system]|[etcd-operator]|All connections|
 ||[default]|[app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)]|[default,kube-system]|[*]|All connections|
@@ -22,7 +10,19 @@
 ||[default]|[loadgenerator]|[default]|[app not in (frontend,loadgenerator)]|All connections|
 ||[default]|[recommendationservice]|[default]|[app not in (loadgenerator,productcatalogservice,recommendationservice)]|All connections|
 ||[kube-system]|[*]|[default]|[app not in (frontend,loadgenerator)]|All connections|
+||[default]|[*]|[default]|[productcatalogservice]|All but {protocols:TCP,dst_ports:3550}|
+||[default]|[recommendationservice]|[default]|[*]|All but {protocols:TCP,dst_ports:3550}|
+||[default]|[*]|[default]|[app in (paymentservice,shippingservice)]|All but {protocols:TCP,dst_ports:50051}|
+||[default]|[*]|[default]|[checkoutservice]|All but {protocols:TCP,dst_ports:5050}|
+||[default]|[cartservice]|[default]|[*]|All but {protocols:TCP,dst_ports:6379}|
+||[default]|[*]|[default]|[currencyservice]|All but {protocols:TCP,dst_ports:7000}|
+||[default]|[*]|[default]|[cartservice]|All but {protocols:TCP,dst_ports:7070}|
+||[default]|[*]|[default]|[app in (emailservice,frontend,loadgenerator,recommendationservice)]|All but {protocols:TCP,dst_ports:8080}|
+||[default]|[loadgenerator]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}|
+||[kube-system]|[*]|[default]|[*]|All but {protocols:TCP,dst_ports:8080}|
+||[default]|[*]|[default]|[adservice]|All but {protocols:TCP,dst_ports:9555}|
+||[default]|[*]|[kube-system]|[*]|All but {protocols:UDP,dst_ports:53}|
 |semantic_diff, config1: allow_all, config2: poc3, key: Removed connections between persistent peers and ipBlocks||||||
-|||0.0.0.0/0|[default]|[*]|All but TCP 8080|
 |||0.0.0.0/0|[default]|[app!=frontend]|All connections|
 ||[default]|[*]||0.0.0.0/0|All connections|
+|||0.0.0.0/0|[default]|[*]|All but {protocols:TCP,dst_ports:8080}|
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt
index 820c26aeb..549fcb0da 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.txt
@@ -2,28 +2,28 @@ allow_all and poc3 are not semantically equivalent.
 Removed connections between persistent peers (based on topology from config: allow_all) :
 src_ns: [default,kube-system] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but TCP 9555
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but TCP 8080
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but TCP 50051
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but TCP 7070
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but TCP 5050
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but TCP 7000
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but TCP 3550
-src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but UDP 53
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [adservice] conn: All but {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (emailservice,frontend,loadgenerator,recommendationservice)] conn: All but {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: All but {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [cartservice] conn: All but {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [checkoutservice] conn: All but {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [currencyservice] conn: All but {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [productcatalogservice] conn: All but {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:UDP,dst_ports:53}
 src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [etcd-operator] conn: All connections
 src_ns: [default] src_pods: [app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [default,kube-system] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 6379
+src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:6379}
 src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [app not in (cartservice,loadgenerator,redis-cart)] conn: All connections
 src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (adservice,frontend,recommendationservice,redis-cart)] conn: All connections
 src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app in (emailservice,paymentservice,redis-cart)] conn: All connections
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080}
 src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections
-src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but TCP 3550
+src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:3550}
 src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [app not in (loadgenerator,productcatalogservice,recommendationservice)] conn: All connections
-src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but TCP 8080
+src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080}
 src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [app not in (frontend,loadgenerator)] conn: All connections
 Removed connections between persistent peers and ipBlocks (based on topology from config: allow_all) :
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but TCP 8080
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All but {protocols:TCP,dst_ports:8080}
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [app!=frontend] conn: All connections
 src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml
index 2f74607e9..b39b4eb4d 100644
--- a/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/semantic_diff_poc-scheme_output.yaml
@@ -9,56 +9,36 @@ rules: - src_ns: - default + - kube-system src_pods: - '*' dst_ns: - default dst_pods: - - productcatalogservice - connection: - - All but: - - Protocol: TCP - Ports: - - 3550 - - src_ns: - - default - src_pods: - - recommendationservice - dst_ns: - - default - dst_pods: - - '*' + - loadgenerator connection: - - All but: - - Protocol: TCP - Ports: - - 3550 + - All connections - src_ns: - default src_pods: - '*' dst_ns: - - default + - kube-system dst_pods: - - app in (paymentservice,shippingservice) + - etcd-operator connection: - - All but: - - Protocol: TCP - Ports: - - 50051 + - All connections - src_ns: - default src_pods: - - '*' + - app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) dst_ns: - default + - kube-system dst_pods: - - checkoutservice + - '*' connection: - - All but: - - Protocol: TCP - Ports: - - 5050 + - All connections - src_ns: - default src_pods:
@@ -66,64 +46,49 @@ dst_ns: - default dst_pods: - - '*' + - app not in (cartservice,loadgenerator,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 6379 + - All connections - src_ns: - default src_pods: - - '*' + - checkoutservice dst_ns: - default dst_pods: - - currencyservice + - app in (adservice,frontend,recommendationservice,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 7000 + - All connections - src_ns: - default src_pods: - - '*' + - frontend dst_ns: - default dst_pods: - - cartservice + - app in (emailservice,paymentservice,redis-cart) connection: - - All but: - - Protocol: TCP - Ports: - - 7070 + - All connections - src_ns: - default src_pods: - - '*' + - loadgenerator dst_ns: - default dst_pods: - - app in (emailservice,frontend,loadgenerator,recommendationservice) + - app not in (frontend,loadgenerator) connection: - - All but: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - default src_pods: - - loadgenerator + - recommendationservice dst_ns: - default dst_pods: - - '*' + - app not in (loadgenerator,productcatalogservice,recommendationservice) connection: - - All but: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - kube-system src_pods:
@@ -131,12 +96,9 @@ dst_ns: - default dst_pods: - - '*' + - app not in (frontend,loadgenerator) connection: - - All but: - - Protocol: TCP - Ports: - - 8080 + - All connections - src_ns: - default src_pods:
@@ -144,87 +106,103 @@ dst_ns: - default dst_pods: - - adservice + - productcatalogservice connection: - All but: - - Protocol: TCP - Ports: - - 9555 + - protocols: TCP + dst_ports: + - 3550 - src_ns: - default src_pods: - - '*' + - recommendationservice dst_ns: - - kube-system + - default dst_pods: - '*' connection: - All but: - - Protocol: UDP - Ports: - - 53 + - protocols: TCP + dst_ports: + - 3550 - src_ns: - default - - kube-system src_pods: - '*' dst_ns: - default dst_pods: - - loadgenerator + - app in (paymentservice,shippingservice) connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 50051 - src_ns: - default src_pods: - '*' dst_ns: - - kube-system + - default dst_pods: - - etcd-operator + - checkoutservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 5050 - src_ns: - default src_pods: - - app not in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice) + - cartservice dst_ns: - default - - kube-system dst_pods: - '*' connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 6379 - src_ns: - default src_pods: - - cartservice + - '*' dst_ns: - default dst_pods: - - app not in (cartservice,loadgenerator,redis-cart) + - currencyservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 7000 - src_ns: - default src_pods: - - checkoutservice + - '*' dst_ns: - default dst_pods: - - app in (adservice,frontend,recommendationservice,redis-cart) + - cartservice connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 7070 - src_ns: - default src_pods: - - frontend + - '*' dst_ns: - default dst_pods: - - app in (emailservice,paymentservice,redis-cart) + - app in (emailservice,frontend,loadgenerator,recommendationservice) connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 8080 - src_ns: - default src_pods: 
@@ -232,42 +210,53 @@ dst_ns: - default dst_pods: - - app not in (frontend,loadgenerator) + - '*' connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 8080 - src_ns: - - default + - kube-system src_pods: - - recommendationservice + - '*' dst_ns: - default dst_pods: - - app not in (loadgenerator,productcatalogservice,recommendationservice) + - '*' connection: - - All connections + - All but: + - protocols: TCP + dst_ports: + - 8080 - src_ns: - - kube-system + - default src_pods: - '*' dst_ns: - default dst_pods: - - app not in (frontend,loadgenerator) + - adservice connection: - - All connections - - description: Removed connections between persistent peers and ipBlocks - rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: + - All but: + - protocols: TCP + dst_ports: + - 9555 + - src_ns: - default + src_pods: + - '*' + dst_ns: + - kube-system dst_pods: - '*' connection: - All but: - - Protocol: TCP - Ports: - - 8080 + - protocols: UDP + dst_ports: + - 53 + - description: Removed connections between persistent peers and ipBlocks + rules: - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -284,3 +273,14 @@ - 0.0.0.0/0 connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - default + dst_pods: + - '*' + connection: + - All but: + - protocols: TCP + dst_ports: + - 8080
diff --git a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt
index f6f280deb..491e59c1a 100644
--- a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.txt
@@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np12:
 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53
+src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53}
diff --git a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml
index b3e3e355d..94d64b314 100644
--- a/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test12-scheme_output.yaml
@@ -4,21 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -55,3 +40,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt
index 5e80c5363..9a5c90095 100644
--- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.txt
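Review bot: The new `conn` rendering on the `+src_ns:` line of this hunk mixes two comma conventions inside one string, `{protocols:TCP, UDP,dst_ports:53}` — a space after the comma that separates the two protocols but none before `dst_ports` — so the only thing distinguishing the protocol list from the field separator is that space. The removed line used `TCP+UDP 53`, which kept the two apart unambiguously; the same mixed form is pinned twice in the test2-scheme_output.txt hunk and as `protocols: TCP, UDP` in the test12 and test2 yaml hunks. The fixture just records whatever the formatter emits and the formatter is outside this diff, but if these rule lines are meant to be read back by scripts or compared across formats, the protocol list deserves a delimiter that cannot be confused with the field separator, applied consistently in txt, csv/md and yaml outputs.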
@@ -1,5 +1,5 @@
 final fw rules for query: connectivity_map, config: np16:
-src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: UDP 53
+src: 0.0.0.0-9.255.255.255,11.0.0.0-172.20.255.255,172.22.0.0-172.29.255.255,172.31.0.0-255.255.255.255 dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
 src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [!has(tier) or tier=not_frontend_for_demo] conn: All connections
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml
index a519885ce..5401b5cc5 100644
--- a/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test16-scheme_output.yaml
@@ -4,39 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/5 - - 11.0.0.0/8 - - 12.0.0.0/6 - - 128.0.0.0/3 - - 16.0.0.0/4 - - 160.0.0.0/5 - - 168.0.0.0/6 - - 172.0.0.0/12 - - 172.128.0.0/9 - - 172.16.0.0/14 - - 172.20.0.0/16 - - 172.22.0.0/15 - - 172.24.0.0/14 - - 172.28.0.0/15 - - 172.31.0.0/16 - - 172.32.0.0/11 - - 172.64.0.0/10 - - 173.0.0.0/8 - - 174.0.0.0/7 - - 176.0.0.0/4 - - 192.0.0.0/2 - - 32.0.0.0/3 - - 64.0.0.0/2 - - 8.0.0.0/7 - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -94,3 +61,36 @@ - '!has(tier) or tier=not_frontend_for_demo' connection: - All connections + - src_ip_block: + - 0.0.0.0/5 + - 11.0.0.0/8 + - 12.0.0.0/6 + - 128.0.0.0/3 + - 16.0.0.0/4 + - 160.0.0.0/5 + - 168.0.0.0/6 + - 172.0.0.0/12 + - 172.128.0.0/9 + - 172.16.0.0/14 + - 172.20.0.0/16 + - 172.22.0.0/15 + - 172.24.0.0/14 + - 172.28.0.0/15 + - 172.31.0.0/16 + - 172.32.0.0/11 + - 172.64.0.0/10 + - 173.0.0.0/8 + - 174.0.0.0/7 + - 176.0.0.0/4 + - 192.0.0.0/2 + - 32.0.0.0/3 + - 64.0.0.0/2 + - 8.0.0.0/7 + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: UDP + dst_ports: + - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt
index cf494a6c4..53bfc1c3f 100644
--- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.txt
@@ -1,7 +1,7 @@
 final fw rules for query: connectivity_map, config: np2:
 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
-src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53
+src: 0.0.0.0/0 dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53}
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
-src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP+UDP 53
+src_ns: [default,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP, UDP,dst_ports:53}
 src_ns: [ibm-system-new] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml
index 74f3eef95..9e3323587 100644
--- a/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test2-scheme_output.yaml
@@ -4,36 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ip_block: - - 0.0.0.0/0 - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - - src_ns: - - default - - kube-system-new - - kube-system-new-dummy-to-ignore - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 53 - - Protocol: UDP - Ports: - - 53 - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -82,3 +52,27 @@ - '*' connection: - All connections + - src_ip_block: + - 0.0.0.0/0 + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53 + - src_ns: + - default + - kube-system-new + - kube-system-new-dummy-to-ignore + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP, UDP + dst_ports: + - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt
index 5ed6252f4..5f54d90d7 100644
--- a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt
@@ -1,3 +1,3 @@
 final fw rules for query: connectivity_map, config: np23:
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53}
 src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml
index 7fea23134..663efabc2 100644
--- a/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test23-scheme_output.yaml
@@ -7,22 +7,22 @@ - src_ns: - default src_pods: - - '*' + - test=C dst_ns: - default dst_pods: - app=skydive connection: - - Protocol: UDP - Ports: - - 53 + - All connections - src_ns: - default src_pods: - - test=C + - '*' dst_ns: - default dst_pods: - app=skydive connection: - - All connections + - protocols: UDP + dst_ports: + - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt
index 557aa0788..da956bad1 100644
--- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt
@@ -1,3 +1,3 @@
 final fw rules for query: connectivity_map, config: np24:
-src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: UDP 53
+src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53}
 src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections
diff --git a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml
index e56cae2fb..eb4720bd4 100644
--- a/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test24-scheme_output.yaml
@@ -7,22 +7,22 @@ - src_ns: - default src_pods: - - test in (A,B) + - test=C dst_ns: - default dst_pods: - app=skydive connection: - - Protocol: UDP - Ports: - - 53 + - All connections - src_ns: - default src_pods: - - test=C + - test in (A,B) dst_ns: - default dst_pods: - app=skydive connection: - - All connections + - protocols: UDP + dst_ports: + - 53
diff --git a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt
index f06721941..94b65030c 100644
--- a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt
@@ -2,4 +2,4 @@ final fw rules for query: connectivity_map, config: np3:
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections
 src_ns: [default,kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90
+src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90}
diff --git a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml
index 8852bea2f..6b72ec093 100644
--- a/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test3-scheme_output.yaml
@@ -4,18 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -44,3 +32,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv
index 2d2197061..d9facb4fd 100644
--- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.csv
@@ -1,6 +1,6 @@
 "query","src_ns","src_pods","dst_ns","dst_pods","connection",
 "connectivity_map_3, config: np3","","","","","",
-"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90",
 "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections",
 "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections",
 "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections",
+"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}",
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot
index ffe0f39d5..2fe23797f 100644
--- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.dot
@@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All0" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] @@ -38,7 +38,7 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ } "0.0.0.0/0" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md index 55c600313..194c925f0 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md 
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.md
@@ -1,7 +1,7 @@
 |query|src_ns|src_pods|dst_ns|dst_pods|connection|
 |---|---|---|---|---|---|
 |connectivity_map_3, config: np3||||||
-||[default]|[*]|[kube-system-new]|[*]|TCP 85-90|
 |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections|
 ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections|
 ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections|
+||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}|
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt
index 20091311e..1ef5ca7c4 100644
--- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.txt
@@ -2,4 +2,4 @@ final fw rules for query: connectivity_map_3, config: np3:
 src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90
+src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90}
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml
index 0fe62f0dc..31311a5df 100644
--- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_3_output.yaml
@@ -4,18 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns:
@@ -52,3 +40,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv
index 690e0e133..713eb0336 100644
--- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.csv
@@ -1,15 +1,15 @@ "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_4, config: np4","","","","","", -"","[kube-system-new-dummy-to-ignore]","[*]","[kube-system-new]","[*]","TCP 80-88", -"","[ibm-system-new]","[*]","[kube-system-new]","[*]","TCP 80-90", -"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90", "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", +"","[kube-system-new-dummy-to-ignore]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-88}", +"","[ibm-system-new]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:80-90}", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", "query","src_ns","src_pods","dst_ns","dst_pods","connection", "connectivity_map_4, config: np3","","","","","", -"","[default]","[*]","[kube-system-new]","[*]","TCP 85-90", "","","0.0.0.0/0","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","","0.0.0.0/0","All connections", "","[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]","[*]","[default,ibm-system-new,kube-system-new-dummy-to-ignore]","[*]","All connections", +"","[default]","[*]","[kube-system-new]","[*]","{protocols:TCP,dst_ports:85-90}", diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot index d58a08268..32ffbc584 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot 
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp80-88 TCP 80-88
tcp80-90 TCP 80-90
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp80-88 {protocols:TCP,dst_ports:80-88}
tcp80-90 {protocols:TCP,dst_ports:80-90}
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All1" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] 
@@ -44,11 +44,11 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ "clique_0" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "clique_0" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All1"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="TCP 80-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="TCP 80-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="{protocols:TCP,dst_ports:80-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ibm-system-new/ibm-cloud-provider-ip-169-60-164-14(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-90" labeltooltip="{protocols:TCP,dst_ports:80-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] 
"kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All1"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-88" labeltooltip="TCP 80-88" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp80-88" labeltooltip="{protocols:TCP,dst_ports:80-88}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "default/cognetive-agents(DaemonSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system-new/calico-node(DaemonSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] @@ -67,7 +67,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp85-90 TCP 85-90
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp85-90 {protocols:TCP,dst_ports:85-90}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "clique_All0" [shape=egg fontcolor=indigo color=indigo width=0.2 height=0.2 label=clq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed between any two workloads connected to the CLIQUE: All"] @@ -101,7 +101,7 @@ subgraph cluster_kube_system_new_dummy_to_ignore_namespace{ } "0.0.0.0/0" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "default/cognetive-agents(DaemonSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] - "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="TCP 85-90" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/cognetive-agents(DaemonSet)" -> "kube-system-new/calico-node(DaemonSet)"[label="tcp85-90" labeltooltip="{protocols:TCP,dst_ports:85-90}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)" -> "ibm-system-new/ibm-cloud-provider-ip-169-60-164-10(Deployment-StatefulSet)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system-new-dummy-to-ignore/calico-kube-controllers(Deployment-StatefulSet)" -> "clique_All0"[ color=indigo fontcolor=darkgreen dir=both arrowhead=none arrowtail=none] diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md index 04e17967d..86bb521ce 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md 
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.md @@ -1,17 +1,17 @@ |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_4, config: np4|||||| -||[kube-system-new-dummy-to-ignore]|[*]|[kube-system-new]|[*]|TCP 80-88| -||[ibm-system-new]|[*]|[kube-system-new]|[*]|TCP 80-90| -||[default]|[*]|[kube-system-new]|[*]|TCP 85-90| |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| +||[kube-system-new-dummy-to-ignore]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-88}| +||[ibm-system-new]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:80-90}| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| |query|src_ns|src_pods|dst_ns|dst_pods|connection| |---|---|---|---|---|---| |connectivity_map_4, config: np3|||||| -||[default]|[*]|[kube-system-new]|[*]|TCP 85-90| |||0.0.0.0/0|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]||0.0.0.0/0|All connections| ||[default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore]|[*]|[default,ibm-system-new,kube-system-new-dummy-to-ignore]|[*]|All connections| +||[default]|[*]|[kube-system-new]|[*]|{protocols:TCP,dst_ports:85-90}| diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt index b5dc62387..cc2522861 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt 
+++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.txt @@ -2,12 +2,12 @@ final fw rules for query: connectivity_map_4, config: np4: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 -src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-90 -src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 80-88 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} +src_ns: [ibm-system-new] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-90} +src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:80-88} final fw rules for query: connectivity_map_4, config: np3: src: 0.0.0.0/0 dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,ibm-system-new,kube-system-new,kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [default,ibm-system-new,kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections -src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: TCP 85-90 +src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} 
diff --git a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml index e2c8f52b4..7e774d8ae 100644 --- a/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml +++ b/tests/fw_rules_tests/policies/expected_output/test4-scheme_query_connectivity_map_4_output.yaml @@ -4,42 +4,6 @@ numerical_result: 0 explanation: - rules: - - src_ns: - - kube-system-new-dummy-to-ignore - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 80-88 - - src_ns: - - ibm-system-new - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 80-90 - - src_ns: - - default - src_pods: - - '*' - dst_ns: - - kube-system-new - dst_pods: - - '*' - connection: - - Protocol: TCP - Ports: - - 85-90 - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -76,12 +40,30 @@ - '*' connection: - All connections -- query: connectivity_map_4 - configs: - - np3 - numerical_result: 0 - explanation: - - rules: + - src_ns: + - kube-system-new-dummy-to-ignore + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 80-88 + - src_ns: + - ibm-system-new + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 80-90 - src_ns: - default src_pods: @@ -91,9 +73,15 @@ dst_pods: - '*' connection: - - Protocol: TCP - Ports: + - protocols: TCP + dst_ports: - 85-90 +- query: connectivity_map_4 + configs: + - np3 + numerical_result: 0 + explanation: + - rules: - src_ip_block: - 0.0.0.0/0 dst_ns: @@ -130,3 +118,15 @@ - '*' connection: - All connections + - src_ns: + - default + src_pods: + - '*' + dst_ns: + - kube-system-new + dst_pods: + - '*' + connection: + - protocols: TCP + dst_ports: + - 85-90 
diff --git a/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml b/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml
index df7ab8b85..99428a3b6 100644
--- a/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml
+++ b/tests/fw_rules_tests/policies/semantic_diff_namedPorts-scheme.yaml
@@ -20,7 +20,7 @@ networkConfigList:
 - name: np5_named_ports
 networkPolicyList:
 - namedPorts-policy5.yaml
- expectedWarnings: 5
+ expectedWarnings: 0
 queries:
 - name: semantic_diff_named_ports_np1_and_np2_by_deployments
 semanticDiff:
diff --git a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml
index dd9571875..96a3c2cc5 100644
--- a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml
+++ b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-test-sidecar-connectivity-scheme.yaml
@@ -1,3 +1,5 @@
+resourceList:
+ - bookinfo-topology
 networkConfigList:
 - name: mixed-sidecar
diff --git a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml
index bd6639cb1..a4215322c 100644
--- a/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml
+++ b/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml
@@ -1,3 +1,5 @@
+resourceList:
+ - bookinfo-topology
 networkConfigList:
 - name: mixed-sidecar
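Review bot: `expectedWarnings` for the np5_named_ports config drops from 5 to 0 and neither the hunk nor the commit message says why the named-port warnings went away. If the optimized fw-rules path simply stopped emitting them, a test that used to assert five warnings now passes silently, so it is worth confirming the warnings were genuinely resolved rather than lost before lowering the expectation. A short comment above the key would record the reason, for example `# optimized run no longer emits named-port warnings for this config (was 5)`. The two sidecar scheme hunks on this line only add a `resourceList` and raise no point.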
diff --git a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml
index ad6aa3842..dae0fc255 100644
--- a/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml
+++ b/tests/istio_testcases/example_policies/online_boutique/connectivity-scheme.yaml
@@ -24,23 +24,23 @@ networkConfigList:
 expectedWarnings: 0
 queries:
-# - name: new_online_boutique_connectivity_map
-# connectivityMap:
-# - new_online_boutique
-# expected: 0
-# #outputConfiguration:
-# # outputFormat: dot
-# # outputPath: online_boutique_new_istio_policies.dot
-# expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt
-#
-# - name: new_online_boutique_synth_res_connectivity_map
-# connectivityMap:
-# - new_online_boutique_synthesis_res
-# expected: 0
-# #outputConfiguration:
-# # outputFormat: dot
-# # outputPath: online_boutique_new_istio_policies_synthesis_res.dot
-# expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt
+ - name: new_online_boutique_connectivity_map
+ connectivityMap:
+ - new_online_boutique
+ expected: 0
+ #outputConfiguration:
+ # outputFormat: dot
+ # outputPath: online_boutique_new_istio_policies.dot
+ expectedOutput: ../../expected_output/new_online_boutique_connectivity_map.txt
+
+ - name: new_online_boutique_synth_res_connectivity_map
+ connectivityMap:
+ - new_online_boutique_synthesis_res
+ expected: 0
+ #outputConfiguration:
+ # outputFormat: dot
+ # outputPath: online_boutique_new_istio_policies_synthesis_res.dot
+ expectedOutput: ../../expected_output/new_online_boutique_synth_res_connectivity_map.txt
 - name: new_online_boutique_synth_res_connectivity_map_wo_fw_rules
 connectivityMap: 
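Review bot: The two re-enabled queries compare against `../../expected_output/new_online_boutique_connectivity_map.txt` and `../../expected_output/new_online_boutique_synth_res_connectivity_map.txt`, and neither fixture appears in this chunk. The other expected outputs in this commit move from the `TCP {'dst_ports': ...}` rendering to the `{dst_ports:...}` form, so if these two files were last written for the old format the newly un-commented tests will presumably fail on first run; confirm they were regenerated alongside the queries. The commented-out `#outputConfiguration` lines are carried over verbatim; if they are only kept for local debugging, a one-line comment saying so, such as `# uncomment to also dump a .dot graph locally`, would make the intent clear.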
diff --git a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt index 81cff8378..fb3c870fd 100644 --- a/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt +++ b/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt 
@@ -3,26 +3,26 @@ src: 0.0.0.0/0 dst_ns: [default,kube-system,local-path-storage,projectcontour] d src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections -src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} +src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:8443,hosts:httpbin.example.com} src_ns: [default,kube-system,local-path-storage,onlineboutique,projectcontour] src_pods: [*] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections src_ns: [default,kube-system,local-path-storage,projectcontour] src_pods: [*] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} -src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST', 'hosts': 'ob.alwaysupalwayson.com'} +src_ns: [istio-system] src_pods: [istio-egressgateway] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} +src_ns: [istio-system] src_pods: [istio-ingressgateway] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST,hosts:ob.alwaysupalwayson.com} src_ns: [istio-system] src_pods: [istiod] dst: 0.0.0.0/0 conn: All connections src_ns: [istio-system] src_pods: [istiod] dst: 
connected-with-mesh.example.com conn: All connections src_ns: [istio-system] src_pods: [istiod] dst_ns: [default,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections -src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '8443', 'hosts': 'httpbin.example.com'} +src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:8443,hosts:httpbin.example.com} src_ns: [istio-system] src_pods: [istiod] dst_ns: [istio-system] dst_pods: [app!=istio-egressgateway] conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [onlineboutique] src_pods: 
[checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} 
+src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src: 0.0.0.0/0 dst_ns: [default,istio-system,kube-system,local-path-storage,projectcontour] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot index 45e5db22a..f58ddb8fa 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] 
@@ -64,40 +64,40 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both 
arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" 
labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 
fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" 
labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" 
labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" 
labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 
fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 
diff --git a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot index 77250fbd0..85f1fad9a 100644 --- a/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-and-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] 
@@ -51,41 +51,41 @@ All"] "example/deploy-gggg(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-hhhh(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> 
"example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> 
"example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 
fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> 
"example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> 
"example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 
fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot index b31b60983..7780b7cf6 100644 --- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
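Review bot: The new legend and edge tooltips in this file drop the protocol that the old output carried (`tcp3000a TCP {'dst_ports': '3000', ...}` becomes `tcp3000a {dst_ports:3000,hosts:aaaa.y.z}`), while the k8s-ingress expected output later in this diff renders the same kind of entry as `{protocols:TCP,dst_ports:3000,...}`. If the generator intentionally omits `protocols` for Istio gateway rules, the two fixtures should still agree on one format, since a reader of the istio map can no longer tell from the tooltip that the connection is TCP-only. The same change appears in the hunks for complex-istio-ingress-test-connectivity-map.dot and in the edge hunks at `@@ -53,24` and `@@ -48,24`. I would confirm against the dot-output code whether the missing `protocols:TCP` is deliberate before accepting these expected files.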
@@ -53,24 +53,24 @@ subgraph cluster_istio_system_namespace{ "example/deploy-hhhh(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> 
"example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal 
arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both 
arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + 
"istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot index ccc2023b5..f31bcfab0 100644 
--- a/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-istio-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
tcp9950e TCP {'dst_ports': '9950', 'hos...
tcp9950f TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {dst_ports:3000,hosts:aaaa.y.z}
tcp3000b {dst_ports:3000,hosts:iiii.y.z}
tcp3000c {dst_ports:3000,hosts:ooo.y.z,...
tcp3000d {dst_ports:3000,hosts:ooo.y.z,...
tcp3200a {dst_ports:3200,hosts:dddd.y.z}
tcp3200b {dst_ports:3200,hosts:ooo.y.z,...
tcp3456a {dst_ports:3456,hosts:bbbb.y.z}
tcp3456b {dst_ports:3456,hosts:ooo.y.z,...
tcp3500a {dst_ports:3500,hosts:ffff.y.z}
tcp3500b {dst_ports:3500,hosts:ooo.y.z,...
tcp4000a {dst_ports:4000,hosts:gggg.y.z}
tcp4000b {dst_ports:4000,hosts:ooo.y.z,...
tcp9950a {dst_ports:9950,hosts:cccc.y.z}
tcp9950b {dst_ports:9950,hosts:hhhh.y.z}
tcp9950c {dst_ports:9950,hosts:jjjj.y.z}
tcp9950d {dst_ports:9950,hosts:ooo.y.z,...
tcp9950e {dst_ports:9950,hosts:ooo.y.z,...
tcp9950f {dst_ports:9950,hosts:ooo.y.z,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -48,24 +48,24 @@ All"] "example/deploy-hhhh(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/istio-ingressgateway(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 
'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'hhhh.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="TCP {'dst_ports': 
'9950', 'hosts': 'ooo.y.z', 'paths': '/hhhh(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" 
color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950d" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> 
"example/deploy-hhhh(Deployment)"[label="tcp9950b" labeltooltip="{dst_ports:9950,hosts:hhhh.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-hhhh(Deployment)"[label="tcp9950e" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/hhhh(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950c" labeltooltip="{dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/istio-ingressgateway(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950f" labeltooltip="{dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot index 6655f83f7..990a96d41 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
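Review bot: The truncated legend entries in the new side are no longer distinguishable: `tcp3000a` through `tcp3000d` all render as `{protocols:TCP,dst_ports:3000,...`, so the legend cannot tell a reader which host or path each label stands for. The old output had the same truncation problem (`'hos...`), so this is not a regression introduced here, but the istio fixtures in this diff avoid it by leading with `dst_ports` and `hosts`. It may be worth either widening the legend truncation or ordering the fields so the distinguishing part (`hosts`/`paths`) survives, and then regenerating this expected file.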
@@ -51,22 +51,22 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP 
{'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + 
"ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" 
labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot index 1008b214a..c482b124a 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-all-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3000c TCP {'dst_ports': '3000', 'hos...
tcp3000d TCP {'dst_ports': '3000', 'hos...
tcp3200a TCP {'dst_ports': '3200', 'hos...
tcp3200b TCP {'dst_ports': '3200', 'hos...
tcp3456a TCP {'dst_ports': '3456', 'hos...
tcp3456b TCP {'dst_ports': '3456', 'hos...
tcp3500a TCP {'dst_ports': '3500', 'hos...
tcp3500b TCP {'dst_ports': '3500', 'hos...
tcp4000a TCP {'dst_ports': '4000', 'hos...
tcp4000b TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
tcp9950c TCP {'dst_ports': '9950', 'hos...
tcp9950d TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3000c {protocols:TCP,dst_ports:3000,...
tcp3000d {protocols:TCP,dst_ports:3000,...
tcp3200a {protocols:TCP,dst_ports:3200,...
tcp3200b {protocols:TCP,dst_ports:3200,...
tcp3456a {protocols:TCP,dst_ports:3456,...
tcp3456b {protocols:TCP,dst_ports:3456,...
tcp3500a {protocols:TCP,dst_ports:3500,...
tcp3500b {protocols:TCP,dst_ports:3500,...
tcp4000a {protocols:TCP,dst_ports:4000,...
tcp4000b {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
tcp9950c {protocols:TCP,dst_ports:9950,...
tcp9950d {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -44,22 +44,22 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 
'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" labeltooltip="TCP {'dst_ports': 
'3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000c" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456a" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456b" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950c" 
labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200a" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200b" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500a" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500b" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000a" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000b" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000d" 
labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950d" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot index 860cc180d..e1f5705b7 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -51,14 +51,14 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 
fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + 
"ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot index 905ff38f3..597692826 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-cluster-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -44,14 +44,14 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/aaaa(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'ooo.y.z', 'paths': '/bbbb(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/cccc(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'ooo.y.z', 'paths': '/dddd(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ooo.y.z', 'paths': '/ffff(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> 
"example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'ooo.y.z', 'paths': '/gggg(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'ooo.y.z', 'paths': '/iiii(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'ooo.y.z', 'paths': '/jjjj(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/aaaa(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:ooo.y.z,paths:/bbbb(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/cccc(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:ooo.y.z,paths:/dddd(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ooo.y.z,paths:/ffff(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both 
arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:ooo.y.z,paths:/gggg(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:ooo.y.z,paths:/iiii(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:ooo.y.z,paths:/jjjj(/*)?}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot index 7d590b81b..d0063e90d 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -51,14 +51,14 @@ subgraph cluster_ingress_controller_ns_namespace{ "example/deploy-gggg(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - 
"ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both 
arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot index bb3b4e5c8..16cb4013c 100644 --- a/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot +++ b/tests/istio_testcases/expected_output/complex-k8s-ingress-test-connectivity-map.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
tcp3000a TCP {'dst_ports': '3000', 'hos...
tcp3000b TCP {'dst_ports': '3000', 'hos...
tcp3200 TCP {'dst_ports': '3200', 'hos...
tcp3456 TCP {'dst_ports': '3456', 'hos...
tcp3500 TCP {'dst_ports': '3500', 'hos...
tcp4000 TCP {'dst_ports': '4000', 'hos...
tcp9950a TCP {'dst_ports': '9950', 'hos...
tcp9950b TCP {'dst_ports': '9950', 'hos...
> shape=box] + dict_box [label=<
Connectivity legend
All All
tcp3000a {protocols:TCP,dst_ports:3000,...
tcp3000b {protocols:TCP,dst_ports:3000,...
tcp3200 {protocols:TCP,dst_ports:3200,...
tcp3456 {protocols:TCP,dst_ports:3456,...
tcp3500 {protocols:TCP,dst_ports:3500,...
tcp4000 {protocols:TCP,dst_ports:4000,...
tcp9950a {protocols:TCP,dst_ports:9950,...
tcp9950b {protocols:TCP,dst_ports:9950,...
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] subgraph cluster_example_namespace{ label="example" 
@@ -44,14 +44,14 @@ All"] "example/deploy-ffff(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-gggg(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-iiii(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'aaaa.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="TCP {'dst_ports': '3456', 'hosts': 'bbbb.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'cccc.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="TCP {'dst_ports': '3200', 'hosts': 'dddd.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="TCP {'dst_ports': '3500', 'hosts': 'ffff.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="TCP {'dst_ports': '4000', 'hosts': 'gggg.y.z'}" color=darkorange4 fontcolor=darkgreen 
dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="TCP {'dst_ports': '3000', 'hosts': 'iiii.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="TCP {'dst_ports': '9950', 'hosts': 'jjjj.y.z'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-aaaa(Deployment)"[label="tcp3000a" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:aaaa.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-bbbb(Deployment)"[label="tcp3456" labeltooltip="{protocols:TCP,dst_ports:3456,hosts:bbbb.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-cccc(Deployment)"[label="tcp9950a" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:cccc.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-dddd(Deployment)"[label="tcp3200" labeltooltip="{protocols:TCP,dst_ports:3200,hosts:dddd.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-ffff(Deployment)"[label="tcp3500" labeltooltip="{protocols:TCP,dst_ports:3500,hosts:ffff.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-gggg(Deployment)"[label="tcp4000" labeltooltip="{protocols:TCP,dst_ports:4000,hosts:gggg.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + 
"example/deploy-ingress-nginx(Deployment)" -> "example/deploy-iiii(Deployment)"[label="tcp3000b" labeltooltip="{protocols:TCP,dst_ports:3000,hosts:iiii.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "example/deploy-ingress-nginx(Deployment)" -> "example/deploy-jjjj(Deployment)"[label="tcp9950b" labeltooltip="{protocols:TCP,dst_ports:9950,hosts:jjjj.y.z}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "example/deploy-jjjj(Deployment)" -> "example/deploy-ingress-nginx(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot index ad1caaf8a..c707cc09f 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-deployments.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP TCP {'methods': 'GET'}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] 
@@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway(Deployment-StatefulSet)"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/details-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1(Deployment-StatefulSet)" -> "default/reviews-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1(Deployment-StatefulSet)" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1(Deployment-StatefulSet)" -> "default/ratings-v1(Deployment-StatefulSet)"[label="TCP" 
labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway(Deployment-StatefulSet)" -> "default/productpage-v1(Deployment-StatefulSet)"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot index 9c5005787..420b40f25 100644 --- a/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot +++ b/tests/istio_testcases/expected_output/connectivity-bookinfo-demo-by-pods.dot @@ -4,7 +4,7 @@ digraph { fontsize=30 fontcolor=maroon subgraph cluster_map_explanation { - dict_box [label=<
Connectivity legend
All All
TCP TCP {'methods': 'GET'}
> shape=box] + dict_box [label=<
Connectivity legend
All All
TCP {methods:GET}
> shape=box] "0.0.0.0/0" [label=<
0.0.0.0/0
> shape=box fontcolor=red2 tooltip="IP Block"] "biclique_All0" [shape=box fontcolor=red color=red width=0.3 height=0.1 label=biclq fontsize=10 margin=0 xlabel="All" tooltip="Traffic allowed from any source workload of the BICLIQUE to any of its destination workloads: All"] 
@@ -29,13 +29,13 @@ subgraph cluster_istio_system_namespace{ "biclique_All0" -> "istio-system/istio-ingressgateway-55d9fb9f-f4mzz"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/details-v1-79f774bdb9-tw7sj" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/productpage-v1-6b746f74dc-kkzzk" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/details-v1-79f774bdb9-tw7sj"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/productpage-v1-6b746f74dc-kkzzk" -> "default/reviews-v1-545db77b95-2ps7q"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/ratings-v1-b6994bb9-gl27w" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/reviews-v1-545db77b95-2ps7q" -> "biclique_All0"[ color=red fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "default/reviews-v1-545db77b95-2ps7q" -> "default/ratings-v1-b6994bb9-gl27w"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] 
"istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] - "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="TCP {'methods': 'GET'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-55d9fb9f-f4mzz" -> "default/productpage-v1-6b746f74dc-kkzzk"[label="TCP" labeltooltip="{methods:GET}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white labelloc = "b" fontsize=15 diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt index 3862f41ad..448d9387d 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources.txt 
@@ -1,15 +1,15 @@ For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'} -src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'} -src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'} -src_ns: [onlineboutique] 
src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'} -src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'} -src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder} +src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation} +src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge} 
+src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder} +src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations} +src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST} For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique, config: onlineboutique-resources: src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections diff --git a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt index eeab7d57a..14d6ec1c6 100644 --- a/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt +++ b/tests/istio_testcases/expected_output/connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt 
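Review bot: The new compact `conn:` representation in this hunk is not unambiguously tokenizable: fields are joined with a bare `,` while list values keep `, ` (compare `{dst_ports:8080,methods:GET, POST}`), and the `paths:` values themselves contain commas (`paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart`), so any consumer that splits on `,` or `:` will mis-parse a rule, and a path containing either character would be indistinguishable from a field boundary. The previous format quoted every value, which avoided this. Since these are expected-output fixtures, the change belongs in the formatter that emits them (not visible in this hunk) — e.g. quote list values or separate fields with `;` — after which the fixtures would be regenerated. If the text output is intended for human reading only, stating in the output documentation that values are neither quoted nor escaped would at least make that limitation explicit to anyone scripting against it.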
@@ -1,18 +1,18 @@
 For connections of type TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways:
-src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'}
+src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com}
 src_ns: [onlineboutique] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [onlineboutique] src_pods: [*] dst: connected-with-mesh.example.com conn: All connections
-src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'}
-src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'}
-src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'}
-src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'}
-src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'}
-src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: TCP 
{'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'}
-src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'}
-src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'}
-src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'}
-src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'}
-src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'}
+src_ns: [onlineboutique] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com}
+src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [cartservice] conn: {dst_ports:7070,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart}
+src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies}
+src_ns: [onlineboutique] src_pods: [app in (checkoutservice,frontend)] dst_ns: [onlineboutique] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder}
+src_ns: [onlineboutique] 
src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [onlineboutique] dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts}
+src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation}
+src_ns: [onlineboutique] src_pods: [checkoutservice] dst_ns: [onlineboutique] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge}
+src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds}
+src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder}
+src_ns: [onlineboutique] src_pods: [frontend] dst_ns: [onlineboutique] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations}
+src_ns: [onlineboutique] src_pods: [loadgenerator] dst_ns: [onlineboutique] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST}
 For connections of type non-TCP, final fw rules for query: connectivity-map-of-onlineboutique-with-istio-gateways, config: onlineboutique-resources-with-istio-gateways:
 src: 0.0.0.0/0 dst_ns: [istio-system] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt
index 2460f5ac4..37a464951 100644
--- a/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt
+++ b/tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt 
@@ -1,3 +1,3 @@
 sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent.
 Connections allowed in sidecar-with-local-hosts-only which are different in sidecar-with-local-and-dns-hosts:
-src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not.
+src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not
diff --git a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt
index 8ad32ce46..ef2a666df 100644
--- a/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt
+++ b/tests/istio_testcases/expected_output/fly_istio_ingress_test_connectivity_map.txt
@@ -1,7 +1,7 @@
 For connections of type TCP, final fw rules for query: connectivity, config: fly-istio-ingress-test:
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: TCP {'dst_ports': '8761', 'paths': '/flights(/*)?'}
-src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: TCP {'dst_ports': '8762', 'paths': '/horas(/*)?'}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [fly-api, istio-ingressgateway] conn: {dst_ports:8761,paths:/flights(/*)?}
+src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [hora-api, istio-ingressgateway] conn: {dst_ports:8762,paths:/horas(/*)?}
 src_ns: [default] src_pods: [fly-api, hora-api] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default] src_pods: [fly-api, hora-api] dst_ns: [default] dst_pods: [*] conn: All connections 
diff --git a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt
index 37146a98f..d4bb65970 100644
--- a/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt
+++ b/tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt
@@ -1,3 +1,3 @@
 sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only
 Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts:
-src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not.
+src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not
diff --git a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt
index 2dd1584c9..7ea97a315 100644
--- a/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt
+++ b/tests/istio_testcases/expected_output/istio_egress_test_connectivity_map.txt 
@@ -3,8 +3,8 @@ src: 0.0.0.0/0 dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections
 src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,prod,qa] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections
 src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,prod,qa] dst_pods: [*] conn: All connections
-src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'}
-src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'}
+src_ns: [default,prod,qa] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com}
+src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com}
 For connections of type non-TCP, final fw rules for query: connectivity, config: istio-egress:
 src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt
index b4b269ee0..981d47e7e 100644
--- a/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt
+++ b/tests/istio_testcases/expected_output/istio_ingress_test_connectivity_map.txt 
@@ -2,9 +2,9 @@ For connections of type TCP, final fw rules for query: connectivity, config: ist
 src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections
 src_ns: [default,prod,qa] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,prod,qa] src_pods: [*] dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections
-src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: TCP {'dst_ports': '5555', 'hosts': 'mongosvr.prod.svc.cluster.local'}
-src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: TCP {'dst_ports': '9080', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local', 'paths': '/reviews(/*)?'}
-src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: TCP {'dst_ports': '7777', 'hosts': 'eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local'}
+src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [details-v1-5f449bdbb9] conn: {dst_ports:5555,hosts:mongosvr.prod.svc.cluster.local}
+src_ns: [istio-system] src_pods: [*] dst_ns: [prod] dst_pods: [ratings-v1-857bb87c57] conn: {dst_ports:9080,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local,paths:/reviews(/*)?}
+src_ns: [istio-system] src_pods: [*] dst_ns: [qa] dst_pods: [*] conn: {dst_ports:7777,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local}
 For connections of type non-TCP, final fw rules for query: connectivity, config: istio-ingress:
 src: 0.0.0.0/0 dst_ns: [default,istio-system,prod,qa] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt
index 668db7aef..f7a042e15 100644
--- a/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt 
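Review bot: The new `conn:` rendering on the added lines separates attributes with a bare `,` while list values keep `, ` between items, so `{dst_ports:9080,hosts:eu.bookinfo.com, uk.bookinfo.com, productpage.default.svc.cluster.local,paths:/reviews(/*)?}` can only be split correctly by a reader who already knows which keys are multi-valued; the old `{'hosts': 'eu.bookinfo.com, uk.bookinfo.com, ...'}` form quoted each value and had no such ambiguity. The same pattern appears in the other connectivity-map fixtures of this commit (connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt and new_online_boutique_connectivity_map.txt). These files are expected output, so the fix belongs in the formatter that builds the `{key:value,...}` string rather than here; quoting multi-valued attributes or using a distinct item separator would make the text unambiguous for anyone consuming it programmatically. If the format is intentional, a one-line note in the formatter's docstring stating that multi-valued attributes are `, `-separated inside a `,`-separated list would at least document the limitation.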
+++ b/tests/istio_testcases/expected_output/new_online_boutique_connectivity_map.txt 
@@ -1,20 +1,20 @@
 For connections of type TCP, final fw rules for query: new_online_boutique_connectivity_map, config: new_online_boutique:
-src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080
+src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: {dst_ports:8080}
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
 src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
-src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 8080
+src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: {dst_ports:8080}
 src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
-src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'}
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'}
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': '/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'}
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'}
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': '/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'}
-src_ns: [default] src_pods: [checkoutservice] 
dst_ns: [default] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.EmailService/SendOrderConfirmation'}
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': '/hipstershop.PaymentService/Charge'}
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': '/hipstershop.AdService/GetAds'}
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': '/hipstershop.CheckoutService/PlaceOrder'}
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': '/hipstershop.RecommendationService/ListRecommendations'}
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'}
+src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000,methods:POST,paths:/hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] 
dst_pods: [productcatalogservice] conn: {dst_ports:3550,methods:POST,paths:/hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.EmailService/SendOrderConfirmation}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {dst_ports:50051,methods:POST,paths:/hipstershop.PaymentService/Charge}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555,methods:POST,paths:/hipstershop.AdService/GetAds}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050,methods:POST,paths:/hipstershop.CheckoutService/PlaceOrder}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080,methods:POST,paths:/hipstershop.RecommendationService/ListRecommendations}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080,methods:GET, POST}
 For connections of type non-TCP, final fw rules for query: new_online_boutique_connectivity_map, config: new_online_boutique:
 src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt
index 69807048e..32a4b46fa 100644
--- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt
+++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map.txt 
@@ -2,16 +2,16 @@ For connections of type TCP, final fw rules for query: new_online_boutique_synth
 src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: All connections
 src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {dst_ports:3550}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: 
[app in (paymentservice,shippingservice)] conn: {dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080}
 For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map, config: new_online_boutique_synthesis_res:
 src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt
index c34b01d7f..ab2ad8a90 100644
--- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt
+++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt 
@@ -2,15 +2,15 @@ For connections of type TCP, final fw rules for query: new_online_boutique_synth
 src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: All connections
 src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {dst_ports:50051}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {dst_ports:3550}
+src_ns: [default] src_pods: [checkoutservice] 
dst_ns: [default] dst_pods: [emailservice] conn: {dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {dst_ports:8080}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {dst_ports:8080}
 For connections of type non-TCP, final fw rules for query: new_online_boutique_synth_res_connectivity_map_with_baseline_rule, config: new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service:
 src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections
diff --git a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt
index d7d14ccad..47e6a5be9 100644
--- a/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt
+++ b/tests/istio_testcases/expected_output/new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt 
@@ -1,198 +1,198 @@
 TCP Connections:
-0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
-default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
-default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
-default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
-default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
-default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
-default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
-default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
-default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
-default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
-default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
-default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
-default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
+0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/checkoutservice[Deployment] => default/cartservice[Deployment] : {dst_ports:7070}
+default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {dst_ports:7000}
+default/checkoutservice[Deployment] => default/emailservice[Deployment] : {dst_ports:8080}
+default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {dst_ports:50051}
+default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550}
+default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {dst_ports:50051}
+default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/frontend[Deployment] => default/adservice[Deployment] : {dst_ports:9555}
+default/frontend[Deployment] => default/cartservice[Deployment] : {dst_ports:7070}
+default/frontend[Deployment] => default/checkoutservice[Deployment] : {dst_ports:5050}
+default/frontend[Deployment] => default/currencyservice[Deployment] : {dst_ports:7000}
+default/frontend[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550}
+default/frontend[Deployment] => default/recommendationservice[Deployment] : {dst_ports:8080}
+default/frontend[Deployment] => default/shippingservice[Deployment] : {dst_ports:50051}
+default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/loadgenerator[Deployment] => default/frontend[Deployment] : {dst_ports:8080}
+default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {dst_ports:3550}
+default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
 non-TCP Connections:
-0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/adservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/cartservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/checkoutservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/currencyservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/emailservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/frontend[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/loadgenerator[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/paymentservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/productcatalogservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/recommendationservice[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => default/shippingservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/adservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/cartservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/checkoutservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/currencyservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/emailservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/frontend[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/loadgenerator[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/paymentservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/productcatalogservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/recommendationservice[Deployment] : All Connections
-asm-ingress/asm-ingressgateway[Deployment] => default/shippingservice[Deployment] : All Connections
-default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/adservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/adservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/adservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/adservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/adservice[Deployment] => default/frontend[Deployment] : All Connections
-default/adservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/adservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/adservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/adservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/adservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/cartservice[Deployment] => default/adservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/frontend[Deployment] : All Connections
-default/cartservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/cartservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/cartservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/adservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/frontend[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/checkoutservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/currencyservice[Deployment] => default/adservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/frontend[Deployment] : All Connections
-default/currencyservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/currencyservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/currencyservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/emailservice[Deployment] => default/adservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/frontend[Deployment] : All Connections
-default/emailservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/emailservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/emailservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/frontend[Deployment] => default/adservice[Deployment] : All Connections
-default/frontend[Deployment] => default/cartservice[Deployment] : All Connections
-default/frontend[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/frontend[Deployment] => default/currencyservice[Deployment] : All Connections
-default/frontend[Deployment] => default/emailservice[Deployment] : All Connections
-default/frontend[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/frontend[Deployment] => default/paymentservice[Deployment] : All Connections
-default/frontend[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/frontend[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/frontend[Deployment] => default/shippingservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/adservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/cartservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/currencyservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/emailservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/frontend[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/paymentservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/loadgenerator[Deployment] => default/shippingservice[Deployment] : All Connections
-default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/paymentservice[Deployment] => default/adservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/frontend[Deployment] : All Connections
-default/paymentservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/paymentservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/paymentservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/adservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/frontend[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/recommendationservice[Deployment] : All Connections
-default/productcatalogservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/adservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/frontend[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/recommendationservice[Deployment] => default/shippingservice[Deployment] : All Connections
-default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All Connections
-default/shippingservice[Deployment] => default/adservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/cartservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/checkoutservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/currencyservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/emailservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/frontend[Deployment] : All Connections
-default/shippingservice[Deployment] => default/loadgenerator[Deployment] : All Connections
-default/shippingservice[Deployment] => default/paymentservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/productcatalogservice[Deployment] : All Connections
-default/shippingservice[Deployment] => default/recommendationservice[Deployment] : All Connections
\ No newline at end of file
+0.0.0.0-255.255.255.255 => asm-ingress/asm-ingressgateway[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/adservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/cartservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/checkoutservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/currencyservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/emailservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/frontend[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/loadgenerator[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/paymentservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/productcatalogservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/recommendationservice[Deployment] : All connections
+0.0.0.0-255.255.255.255 => default/shippingservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/adservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/cartservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/checkoutservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/currencyservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/emailservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/frontend[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/loadgenerator[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/paymentservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/productcatalogservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/recommendationservice[Deployment] : All connections
+asm-ingress/asm-ingressgateway[Deployment] => default/shippingservice[Deployment] : All connections
+default/adservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/adservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/adservice[Deployment] => default/cartservice[Deployment] : All connections
+default/adservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/adservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/adservice[Deployment] => default/emailservice[Deployment] : All connections
+default/adservice[Deployment] => default/frontend[Deployment] : All connections
+default/adservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/adservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/adservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/adservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/adservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/cartservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/cartservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/cartservice[Deployment] => default/adservice[Deployment] : All connections
+default/cartservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/cartservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/cartservice[Deployment] => default/emailservice[Deployment] : All connections
+default/cartservice[Deployment] => default/frontend[Deployment] : All connections
+default/cartservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/cartservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/cartservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/cartservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/cartservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/checkoutservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/checkoutservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/checkoutservice[Deployment] => default/adservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/cartservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/emailservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/frontend[Deployment] : All connections
+default/checkoutservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/checkoutservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/checkoutservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/currencyservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/currencyservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/currencyservice[Deployment] => default/adservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/cartservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/emailservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/frontend[Deployment] : All connections
+default/currencyservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/currencyservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/currencyservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/emailservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/emailservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/emailservice[Deployment] => default/adservice[Deployment] : All connections
+default/emailservice[Deployment] => default/cartservice[Deployment] : All connections
+default/emailservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/emailservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/emailservice[Deployment] => default/frontend[Deployment] : All connections
+default/emailservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/emailservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/emailservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/emailservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/emailservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/frontend[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/frontend[Deployment] => default/adservice[Deployment] : All connections
+default/frontend[Deployment] => default/cartservice[Deployment] : All connections
+default/frontend[Deployment] => default/checkoutservice[Deployment] : All connections
+default/frontend[Deployment] => default/currencyservice[Deployment] : All connections
+default/frontend[Deployment] => default/emailservice[Deployment] : All connections
+default/frontend[Deployment] => default/loadgenerator[Deployment] : All connections
+default/frontend[Deployment] => default/paymentservice[Deployment] : All connections
+default/frontend[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/frontend[Deployment] => default/recommendationservice[Deployment] : All connections
+default/frontend[Deployment] => default/shippingservice[Deployment] : All connections
+default/loadgenerator[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/loadgenerator[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/loadgenerator[Deployment] => default/adservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/cartservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/checkoutservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/currencyservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/emailservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/frontend[Deployment] : All connections
+default/loadgenerator[Deployment] => default/paymentservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/recommendationservice[Deployment] : All connections
+default/loadgenerator[Deployment] => default/shippingservice[Deployment] : All connections
+default/paymentservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/paymentservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/paymentservice[Deployment] => default/adservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/cartservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/emailservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/frontend[Deployment] : All connections
+default/paymentservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/paymentservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/paymentservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/productcatalogservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/adservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/cartservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/emailservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/frontend[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/recommendationservice[Deployment] : All connections
+default/productcatalogservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/recommendationservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/recommendationservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/recommendationservice[Deployment] => default/adservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/cartservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/emailservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/frontend[Deployment] : All connections
+default/recommendationservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/recommendationservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/recommendationservice[Deployment] => default/shippingservice[Deployment] : All connections
+default/shippingservice[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/shippingservice[Deployment] => asm-ingress/asm-ingressgateway[Deployment] : All connections
+default/shippingservice[Deployment] => default/adservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/cartservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/checkoutservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/currencyservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/emailservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/frontend[Deployment] : All connections
+default/shippingservice[Deployment] => default/loadgenerator[Deployment] : All connections
+default/shippingservice[Deployment] => default/paymentservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/productcatalogservice[Deployment] : All connections
+default/shippingservice[Deployment] => default/recommendationservice[Deployment] : All connections
diff --git a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt index b8949af59..fe99152bf 100644 --- a/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt @@ -1,5 +1,5 @@ sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication using protocol TCP while sidecar-with-local-hosts-only does not. +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not sidecar-with-local-hosts-only does not interfere with sidecar-with-local-and-dns-hosts diff --git a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt index fc240ed03..93b55a24c 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_input_vs_synth_res.txt 
@@ -1,25 +1,25 @@ new_online_boutique and new_online_boutique_synthesis_res are not semantically equivalent. Added connections between persistent peers (based on topology from config: new_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 1-8079,8081-65535 -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'dst_ports': '7070', 'methods': 'POST', 'paths': 'all but /hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'},{'dst_ports': '7070', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP {'dst_ports': '7000', 'methods': 'POST', 'paths': 'all but /hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies'},{'dst_ports': '7000', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: TCP {'dst_ports': '50051', 'methods': 'POST', 'paths': 'all but /hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder'},{'dst_ports': '50051', 'methods': 'all but POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP {'dst_ports': '3550', 'methods': 'POST', 'paths': 'all but /hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts'},{'dst_ports': '3550', 'methods': 'all but POST'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': 'all but /hipstershop.EmailService/SendOrderConfirmation'},{'dst_ports': '8080', 'methods': 'all but POST'} -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 
{'dst_ports': '50051', 'methods': 'POST', 'paths': 'all but /hipstershop.PaymentService/Charge'},{'dst_ports': '50051', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP {'dst_ports': '9555', 'methods': 'POST', 'paths': 'all but /hipstershop.AdService/GetAds'},{'dst_ports': '9555', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP {'dst_ports': '5050', 'methods': 'POST', 'paths': 'all but /hipstershop.CheckoutService/PlaceOrder'},{'dst_ports': '5050', 'methods': 'all but POST'} -src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP {'dst_ports': '8080', 'methods': 'POST', 'paths': 'all but /hipstershop.RecommendationService/ListRecommendations'},{'dst_ports': '8080', 'methods': 'all but POST'} -src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'all but GET, POST'} +src_ns: [default] src_pods: [*] dst_ns: [asm-ingress] dst_pods: [*] conn: {protocols:TCP,dst_ports:1-8079,8081-65535} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070,methods:POST,paths:all but /hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart},{protocols:TCP,dst_ports:7070,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000,methods:POST,paths:all but /hipstershop.CurrencyService/Convert, /hipstershop.CurrencyService/GetSupportedCurrencies},{protocols:TCP,dst_ports:7000,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:all but 
/hipstershop.ShippingService/GetQuote, /hipstershop.ShippingService/ShipOrder},{protocols:TCP,dst_ports:50051,methods:all but POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550,methods:POST,paths:all but /hipstershop.ProductCatalogService/GetProduct, /hipstershop.ProductCatalogService/ListProducts},{protocols:TCP,dst_ports:3550,methods:all but POST} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:all but /hipstershop.EmailService/SendOrderConfirmation},{protocols:TCP,dst_ports:8080,methods:all but POST} +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051,methods:POST,paths:all but /hipstershop.PaymentService/Charge},{protocols:TCP,dst_ports:50051,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555,methods:POST,paths:all but /hipstershop.AdService/GetAds},{protocols:TCP,dst_ports:9555,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050,methods:POST,paths:all but /hipstershop.CheckoutService/PlaceOrder},{protocols:TCP,dst_ports:5050,methods:all but POST} +src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080,methods:POST,paths:all but /hipstershop.RecommendationService/ListRecommendations},{protocols:TCP,dst_ports:8080,methods:all but POST} +src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:all but GET, POST} Removed connections between persistent peers (based on topology from config: new_online_boutique) : -src_ns: [asm-ingress,default] src_pods: 
[*] dst_ns: [default] dst_pods: [loadgenerator] conn: TCP -src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP {'dst_ports': '8080', 'methods': 'GET, POST'} -src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP {'dst_ports': '1-7069,7071-65535', 'methods': 'POST', 'paths': '/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart'} +src_ns: [asm-ingress,default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: {protocols:TCP} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080,methods:GET, POST} +src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:1-7069,7071-65535,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, /hipstershop.CartService/EmptyCart} Added connections between persistent peers and ipBlocks (based on topology from config: new_online_boutique_synthesis_res) : -src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: TCP 1-8079,8081-65535 +src: 0.0.0.0/0 dst_ns: [asm-ingress] dst_pods: [*] conn: {protocols:TCP,dst_ports:1-8079,8081-65535} Removed connections between persistent peers and ipBlocks (based on topology from config: new_online_boutique) : -src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: TCP +src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt index af64ef425..9c7322927 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt 
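Review bot: The new `conn:` rendering in this hunk uses a comma both as the field separator and inside field values, so a line such as `{protocols:TCP,dst_ports:1-7069,7071-65535,methods:POST,paths:/hipstershop.CartService/AddItem, /hipstershop.CartService/GetCart, ...}` or `{protocols:TCP,dst_ports:8080,methods:all but GET, POST}` cannot be split back into fields without already knowing the key set — `methods:all but GET, POST` reads equally well as one method list or as two fields. The old `TCP {'dst_ports': '...', 'methods': '...'}` form did not have this problem because every value was quoted. The emitter itself is outside this diff, so I can only judge from its output here; if these files are meant to be diffed or parsed by anything other than the test harness, a distinct field separator or quoting of list-valued fields, e.g. `{protocols:TCP; dst_ports:1-7069,7071-65535; methods:POST; paths:...}`, would make the format unambiguous.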
+++ b/tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt @@ -1,4 +1,4 @@ new_online_boutique_synthesis_res and new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service are not semantically equivalent. Removed connections between persistent peers (based on topology from config: new_online_boutique_synthesis_res) : -src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: TCP 50051 +src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051} diff --git a/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt b/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt index c10b88b8a..c0b3cf360 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt @@ -1,5 +1,5 @@ sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. New connections between persistent peers and added peers (based on topology from config: sidecar-with-local-and-dns-hosts) : -src_ns: [default] src_pods: [*] dst: www.slack.com conn: TCP -src_ns: [default] src_pods: [app!=ratings] dst: www.google.com conn: TCP +src_ns: [default] src_pods: [*] dst: www.slack.com conn: {protocols:TCP} +src_ns: [default] src_pods: [app!=ratings] dst: www.google.com conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt b/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt index eb8cc3fc7..2bc2b1bd8 100644 --- a/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt +++ b/tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt 
@@ -1,4 +1,4 @@ sidecar-with-selector-allows-any and sidecar-with-selector-registery-only are not semantically equivalent. Removed connections between persistent peers and ipBlocks (based on topology from config: sidecar-with-selector-allows-any) : -src_ns: [default] src_pods: [ratings-v1] dst: 0.0.0.0/0 conn: TCP +src_ns: [default] src_pods: [ratings-v1] dst: 0.0.0.0/0 conn: {protocols:TCP} diff --git a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt index ca07f5d08..d774569b0 100644 --- a/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt +++ b/tests/istio_testcases/expected_output/sidecars-and-gateways-test-connectivity-map.txt 
@@ -3,14 +3,14 @@ src: 0.0.0.0/0 dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections src_ns: [asm-ingress,default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [asm-ingress] src_pods: [*] dst: connected_with_mesh.example.com conn: All connections src_ns: [asm-ingress] src_pods: [*] dst_ns: [asm-ingress,default] dst_pods: [*] conn: All connections -src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} +src_ns: [asm-ingress] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst: connected_with_mesh.example.com conn: All connections -src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'} +src_ns: [default] src_pods: [app not in (checkoutservice,frontend)] dst_ns: [istio-system] dst_pods: [*] conn: {dst_ports:443,hosts:httpbin.example.com} src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app not in (adservice,checkoutservice,frontend,loadgenerator,recommendationservice)] conn: All connections src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [app not in (emailservice,frontend,loadgenerator,paymentservice)] conn: All connections src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: All connections src_ns: [default] src_pods: [recommendationservice] dst_ns: [default] dst_pods: [productcatalogservice] conn: All connections -src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com'} +src_ns: [istio-system] src_pods: [*] dst: httpbin.example.com conn: {dst_ports:80,hosts:httpbin.example.com} For connections of type non-TCP, final fw rules for query: onlineboutique-sidecars-connectivity, config: 
onlineboutique-sidecars-and-gateways: src: 0.0.0.0/0 dst_ns: [asm-ingress,default,istio-system] dst_pods: [*] conn: All connections diff --git a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt index c1a3f3b8b..7b92a40d5 100644 --- a/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt +++ b/tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt @@ -1,3 +1,3 @@ Network configuration sidecar-with-local-hosts-only is a proper subset of sidecar-with-local-and-dns-hosts but sidecar-with-local-and-dns-hosts is not contained in sidecar-with-local-hosts-only Connections allowed in sidecar-with-local-and-dns-hosts which are not a subset of those in sidecar-with-local-hosts-only: -src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: Protocol: TCP +src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: {'protocols': 'TCP'} diff --git a/tests/k8s_cmdline_tests.yaml b/tests/k8s_cmdline_tests.yaml index b00423bcc..b74d0f2c5 100644 --- a/tests/k8s_cmdline_tests.yaml +++ b/tests/k8s_cmdline_tests.yaml @@ -429,7 +429,6 @@ --ns_list fw_rules_tests/podlist/test_subset_topology.yaml --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --explain default/Pod1[Pod],ns2/deployment-D[Deployment] - -opt=true -d --expected_output expected_cmdline_output_files/basic_connectivity_specific_nodes_expl_output.txt expected: 0 @@ -440,7 +439,6 @@ --ns_list fw_rules_tests/podlist/test_subset_topology.yaml --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/basic_connectivity_expl_output.txt expected: 0 
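Review bot: The rewritten lines in this hunk drop the protocol qualifier that the old `TCP {'dst_ports': '443', 'hosts': 'httpbin.example.com'}` form carried, leaving `{dst_ports:443,hosts:httpbin.example.com}`, while the semantic-diff fixtures updated in the same PR render the same kind of rule as `{protocols:TCP,...}`. Presumably the protocol is implied by the `For connections of type TCP` section header this hunk sits under (only the `non-TCP` header is visible here), but a line copied out of the file no longer says which protocol it applies to. If the section header is the intended carrier, a one-line note in the emitter's docstring stating that `protocols` is omitted inside a protocol-typed section would stop readers from treating the two spellings as different rules.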
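Review bot: The new line in this hunk renders the connection as a Python dict repr, `conn: {'protocols': 'TCP'}`, whereas the other fixtures touched by this PR render the identical connection as `conn: {protocols:TCP}` (semantic_diff_sidecars_*) and as `on [protocols=TCP]` (pair_wise_interferes_*), so one connection set now has three textual spellings across the expected outputs. That suggests three separate `str()`/format paths in the query emitters, which will drift further with the next change; routing the containment and interferes queries through the formatter that produces `{protocols:TCP}` and changing this expectation to `conn: {protocols:TCP}` would keep the outputs comparable. The emitters are outside this diff, so this is inferred from the fixtures alone.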
@@ -451,7 +449,6 @@ --ns_list fw_rules_tests/podlist/poc_ns_list.json --pod_list fw_rules_tests/podlist/kubernetes-manifests.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/poc1_expl_output.txt expected: 0 @@ -463,7 +460,6 @@ --pod_list fw_rules_tests/podlist/test_subset_topology.yaml --deployment_subset deployment-A,deployment-D --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/subset_deployment_expl_output.txt expected: 0 @@ -474,7 +470,6 @@ --ns_list fw_rules_tests/podlist/test_fw_rules_pod_list.yaml --pod_list fw_rules_tests/podlist/test_fw_rules_pod_list.yaml --explain ALL - -opt=true -d --expected_output expected_cmdline_output_files/test25_expl_output.txt expected: 0 @@ -485,7 +480,6 @@ --ns_list fw_rules_tests/podlist/ns_list.json --pod_list fw_rules_tests/podlist/pods_list_4.json --explain kube-system-new/calico-node(DaemonSet),0.0.0.0/0 - -opt=true -d --expected_output expected_cmdline_output_files/test4_expl_output.txt expected: 0 @@ -496,7 +490,6 @@ --ns_list istio_testcases/example_policies/istio-ingress-test --pod_list istio_testcases/example_policies/istio-ingress-test --explain ALL - -opt=true -d # temporarily commenting out expected results, until new Ingress/Egress implementation is completed. # --expected_output expected_cmdline_output_files/istio-ingress_expl_output.txt diff --git a/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml b/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml index 847120a01..327955cda 100644 --- a/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml +++ b/tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml 
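Review bot: With `-opt=true` removed from every `--explain` case in this file (hunks @@ -429 through @@ -496), these cmdline tests now pin whatever the default optimisation mode is, and the PR description says that default has just flipped to the optimised run, so none of the visible hunks keeps a case that exercises the previous path explicitly. If the non-optimised path is still selectable (the option parser is not in this diff), keeping one `--explain` case with the explicit opposite setting would preserve coverage of it. The last hunk (`istio-ingress-test`) additionally has its `--expected_output` line commented out, so after this change it asserts nothing beyond `expected: 0`; extending the existing `# temporarily commenting out ...` comment with the issue or PR that tracks re-enabling it would make that gap visible.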
@@ -1,7 +1,8 @@ +namespaceList: ../../example_podlist/ns_list.json +podList: ../../example_podlist/pods_list.json + networkConfigList: - name: sanity_np2 - namespaceList: ../../example_podlist/ns_list.json - podList: ../../example_podlist/pods_list.json networkPolicyList: - sanity2-networkpolicy.yaml expectedWarnings: 0 diff --git a/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml b/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml index fab804305..530e80790 100644 --- a/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml +++ b/tests/k8s_testcases/example_policies/ipblockstest/test-scheme.yaml @@ -1,8 +1,9 @@ +namespaceList: ./ns.yaml +podList: ./pods.yaml + networkConfigList: - name: ipblockstest-config - resourceList: - - ./ns.yaml - - ./pods.yaml + networkPolicyList: - ./netpols.yaml expectedWarnings: 0 diff --git a/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml b/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml index 237e34bce..49d48f819 100644 --- a/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml +++ b/tests/k8s_testcases/example_policies/namedPorts/namedPorts-scheme.yaml @@ -25,7 +25,7 @@ networkConfigList: - name: np5 # just for warnings networkPolicyList: - namedPorts-policy5.yaml - expectedWarnings: 5 + expectedWarnings: 0 queries: - name: compare_np1_and_np2 diff --git a/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml b/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml index 669ff4522..5ac5be2c5 100644 --- a/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml +++ b/tests/k8s_testcases/example_policies/onlineboutique-test-connectivity-wo-fw-rules/test-no-fw-rules-scheme.yaml 
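Review bot: Changing `expectedWarnings: 5` to `expectedWarnings: 0` for `np5` contradicts the entry's own comment `# just for warnings`: that config exists only to check that `namedPorts-policy5.yaml` produces warnings, and after this change it checks that it produces none. The commit description does not say the named-port warnings were removed on purpose, so either the optimised path has silently lost them — worth keeping, since (as far as I recall Kubernetes semantics) a rule naming a port the target pod does not declare selects nothing, which is exactly the silent mismatch a warning should surface — or they were dropped deliberately, in which case the comment should become something like `# no longer expected to warn under the optimised run` or the config should be removed. The same 5→0 edit appears in `tests-different-topologies/namedPorts-scheme.yaml`.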
@@ -1,7 +1,8 @@ +namespaceList: ./ns.yaml + networkConfigList: - name: onlineboutique-config resourceList: - - ./ns.yaml - ./kubernetes-manifests.yaml - ./netpols.yaml expectedWarnings: 0 diff --git a/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml b/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml index df3f2ee77..0f1b77ba8 100644 --- a/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml +++ b/tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-scheme.yaml @@ -25,7 +25,7 @@ networkConfigList: - name: np5 # just for warnings networkPolicyList: - namedPorts-policy5.yaml - expectedWarnings: 5 + expectedWarnings: 0 queries: - name: semantic_diff_named_ports_np1_and_np2 diff --git a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt index 4d86cece0..b2cfa8750 100644 --- a/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt +++ b/tests/k8s_testcases/expected_output/ipblocktest-conn-graph-no-fw-rules.txt 
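Review bot: Same concern as for `namedPorts/namedPorts-scheme.yaml`: `np5` is annotated `# just for warnings` yet now expects `expectedWarnings: 0`, so the config no longer tests what its comment says. Please either state in the commit message that the five warnings are intentionally gone under the optimised run and update the comment accordingly, or treat the missing warnings as a regression to fix before changing the expectation.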
@@ -1,470 +1,470 @@ -0.0.0.0-9.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => 
kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -10.0.0.0-10.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => default/cognetive-agents[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => 
default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/calico-node[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -172.21.0.0-172.21.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => 
default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => 
ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -172.30.0.0-172.30.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => 
default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-agents[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => 
kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/calico-node[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : UDP 53 -172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : UDP 53 -default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections 
-default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections 
-default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => 
kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections 
-default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 
kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections 
-ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections 
-kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections 
-kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 
kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections 
-kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections -kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections 
-kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/calico-node[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => 
kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All 
Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => 
kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] 
=> kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 
kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : 
All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] 
=> kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All Connections
-kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All Connections
+0.0.0.0-9.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => default/cognetive-agents[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/calico-node[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections
+0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53}
+0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53}
+10.0.0.0-10.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections
+10.0.0.0-10.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections
+10.0.0.0-10.255.255.255 => default/cognetive-agents[DaemonSet] : All connections
+10.0.0.0-10.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => 
kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system/calico-node[DaemonSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections
+10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => default/cognetive-agents[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet] : 
{protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/calico-node[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections
+11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53}
+11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53}
+172.21.0.0-172.21.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections
+172.21.0.0-172.21.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections
+172.21.0.0-172.21.255.255 => default/cognetive-agents[DaemonSet] : All connections
+172.21.0.0-172.21.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system/calico-node[DaemonSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections
+172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections
+172.22.0.0-172.29.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections
+172.22.0.0-172.29.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections
+172.22.0.0-172.29.255.255 => default/cognetive-agents[DaemonSet] : All connections
+172.22.0.0-172.29.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections
+172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53}
+172.22.0.0-172.29.255.255 => 
kube-system/calico-node[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.30.0.0-172.30.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => 
kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/calico-node[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents-agent[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-agents[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => 
kube-system/calico-node[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet] : {protocols:UDP,dst_ports:53} +172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet] : {protocols:UDP,dst_ports:53} +default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => 
kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => 
kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => 
kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 
kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 
kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections 
+ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 
ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections 
+kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] 
: All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections 
+kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections 
+kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections 
+kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections 
+kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections 
+kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => 
kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All 
connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] : All 
connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All 
connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 
kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections 
+kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections 
+kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 
kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] : All connections +kube-system/vpn-858f6d9777[ReplicaSet] => 
kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] : All connections
+kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] : All connections
diff --git a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt
index ac683a3d7..6b76fd7f6 100644
--- a/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt
+++ b/tests/k8s_testcases/expected_output/k8s_ingress_test_connectivity_map.txt
@@ -2,4 +2,4 @@ final fw rules for query: connectivity, config: test-ingress:
 src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections
 src_ns: [default,istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections
-src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: TCP {'dst_ports': '9080', 'hosts': 'demo.localdev.me', 'paths': '/details(/*)?'}
+src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [details-v1-79f774bdb9] conn: {protocols:TCP,dst_ports:9080,hosts:demo.localdev.me,paths:/details(/*)?}
diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt
index 04d20d5e0..03b969c2f 100644
--- a/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt
+++ b/tests/k8s_testcases/expected_output/new_online_boutique_connectivity_map.txt
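Review bot: The new conn representation this fixture pins, `{protocols:TCP,dst_ports:9080,hosts:demo.localdev.me,paths:/details(/*)?}`, uses `,` and `:` as separators around unquoted values, so an ingress rule with several hosts or a path regex that itself contains a comma (e.g. a `{1,2}` quantifier) would be indistinguishable from an extra field; the replaced Python-dict form at least quoted each value. That matters for a policy-analysis output, since an ambiguous rendering can misstate which hosts and paths a rule actually admits. The formatter that emits this string is not part of this diff, so whether it escapes or quotes such values cannot be checked here. It would be worth adding an ingress fixture with multiple hosts and paths to pin how multi-valued fields are rendered before more expected outputs are regenerated in this format.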
@@ -2,13 +2,13 @@ final fw rules for query: new_online_boutique_connectivity_map, config: new_onli
 src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
 src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
diff --git a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt
index a7094a55a..02a3b83ca 100644
--- a/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt
+++ b/tests/k8s_testcases/expected_output/new_online_boutique_synthesis_res_connectivity_map.txt
@@ -1,15 +1,15 @@
 final fw rules for query: new_online_boutique_synthesis_res_connectivity_map, config: new_online_synthesis_res:
 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections
diff --git a/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt b/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt
index 987af4d70..e5289479b 100644
--- a/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt
+++ b/tests/k8s_testcases/expected_output/onlineboutique-conn-graph-no-fw-rules.txt
@@ -1,25 +1,25 @@
-0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
-0.0.0.0-255.255.255.255 => kube-system/kube-dns-livesim[Pod] : All Connections
-default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
-default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
-default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
-default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
-default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
-default/checkoutservice[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53
-default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
-default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
-default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
-default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
-default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
-default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
-default/frontend[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53
-default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
-default/loadgenerator[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53
-default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
-default/recommendationservice[Deployment] => kube-system/kube-dns-livesim[Pod] : UDP 53
-default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
-default/redis-cart[Deployment] => kube-system/kube-dns-livesim[Pod] : All Connections
-kube-system/kube-dns-livesim[Pod] => 0.0.0.0-255.255.255.255 : All Connections
-kube-system/kube-dns-livesim[Pod] => default/redis-cart[Deployment] : All Connections
\ No newline at end of file
+0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All connections
+0.0.0.0-255.255.255.255 => kube-system/kube-dns-livesim[Pod] : All connections
+default/checkoutservice[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070}
+default/checkoutservice[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000}
+default/checkoutservice[Deployment] => default/emailservice[Deployment] : {protocols:TCP,dst_ports:8080}
+default/checkoutservice[Deployment] => default/paymentservice[Deployment] : {protocols:TCP,dst_ports:50051}
+default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550}
+default/checkoutservice[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051}
+default/checkoutservice[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53}
+default/frontend[Deployment] => default/adservice[Deployment] : {protocols:TCP,dst_ports:9555}
+default/frontend[Deployment] => default/cartservice[Deployment] : {protocols:TCP,dst_ports:7070}
+default/frontend[Deployment] => default/checkoutservice[Deployment] : {protocols:TCP,dst_ports:5050}
+default/frontend[Deployment] => default/currencyservice[Deployment] : {protocols:TCP,dst_ports:7000}
+default/frontend[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550}
+default/frontend[Deployment] => default/recommendationservice[Deployment] : {protocols:TCP,dst_ports:8080}
+default/frontend[Deployment] => default/shippingservice[Deployment] : {protocols:TCP,dst_ports:50051}
+default/frontend[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53}
+default/loadgenerator[Deployment] => default/frontend[Deployment] : {protocols:TCP,dst_ports:8080}
+default/loadgenerator[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53}
+default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : {protocols:TCP,dst_ports:3550}
+default/recommendationservice[Deployment] => kube-system/kube-dns-livesim[Pod] : {protocols:UDP,dst_ports:53}
+default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All connections
+default/redis-cart[Deployment] => kube-system/kube-dns-livesim[Pod] : All connections
+kube-system/kube-dns-livesim[Pod] => 0.0.0.0-255.255.255.255 : All connections
+kube-system/kube-dns-livesim[Pod] => default/redis-cart[Deployment] : All connections
\ No newline at end of file
diff --git a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt
index 36bffcc45..a806b89f6 100644
--- a/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt
+++ b/tests/k8s_testcases/expected_output/orig_online_boutique_synthesis_res_connectivity_map.txt
@@ -1,21 +1,21 @@
 final fw rules for query: orig_online_boutique_synthesis_res_connectivity_map, config: orig_online_boutique_synthesis_res:
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections
-src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: TCP 7070
-src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: TCP 7000
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: TCP 3550
-src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: TCP 50051
-src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: TCP 9555
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: TCP 5050
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: TCP 8080
-src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: TCP 50051
-src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [app in (cartservice,checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [cartservice] conn: {protocols:TCP,dst_ports:7070}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend)] dst_ns: [default] dst_pods: [currencyservice] conn: {protocols:TCP,dst_ports:7000}
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,recommendationservice)] dst_ns: [default] dst_pods: [productcatalogservice] conn: {protocols:TCP,dst_ports:3550}
+src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [app in (paymentservice,shippingservice)] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [emailservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [adservice] conn: {protocols:TCP,dst_ports:9555}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [checkoutservice] conn: {protocols:TCP,dst_ports:5050}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [recommendationservice] conn: {protocols:TCP,dst_ports:8080}
+src_ns: [default] src_pods: [frontend] dst_ns: [default] dst_pods: [shippingservice] conn: {protocols:TCP,dst_ports:50051}
+src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections
 src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [kube-system] src_pods: [*] dst: accounts.google.com conn: All connections
 src_ns: [kube-system] src_pods: [*] dst: metadata.google.internal conn: All connections
-src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections
diff --git a/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt b/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt
index 361adb211..3bbdbec23 100644
--- a/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt
+++ b/tests/k8s_testcases/expected_output/semantic_diff_a_to_b_different_topologies.txt
@@ -1,27 +1,27 @@
 Lost connections between removed peers (based on topology from config: config_a) :
-default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All connections
 Lost connections between removed peers and ipBlocks (based on topology from config: config_a) :
-0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections
-0.0.0.0-255.255.255.255 => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
-default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All Connections
+0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections
+0.0.0.0-255.255.255.255 => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections
+default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 : All connections
 Lost connections between removed peers and persistent peers (based on topology from config: config_a) :
-default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections
-default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All Connections
-default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections
+default/cog-agents[DaemonSet] => default/cog-local-analyzer-7d77fb55cc[ReplicaSet] : All connections
+default/cog-local-analyzer-7d77fb55cc[ReplicaSet] => default/cog-agents[DaemonSet] : All connections
 Added connections between persistent peers (based on topology from config: config_b) :
-default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections
 Removed connections between persistent peers (based on topology from config: config_a) :
-default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections
 Added connections between persistent peers and ipBlocks (based on topology from config: config_b) :
-0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections
+0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections
 Removed connections between persistent peers and ipBlocks (based on topology from config: config_a) :
-0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections
+0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections
 New connections between persistent peers and added peers (based on topology from config: config_b) :
-default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections
 New connections between added peers (based on topology from config: config_b) :
-default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All Connections
+default/cog-agents[DaemonSet] => default/cog-agents[DaemonSet] : All connections
 New connections between added peers and ipBlocks (based on topology from config: config_b) :
-0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All Connections
-default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All Connections
\ No newline at end of file
+0.0.0.0-255.255.255.255 => default/cog-agents[DaemonSet] : All connections
+default/cog-agents[DaemonSet] => 0.0.0.0-255.255.255.255 : All connections
diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt
index 13e23ba37..a39e84f83 100644
--- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt
+++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt
@@ -1,14 +1,14 @@
 orig_online_boutique_synthesis_res and new_online_synthesis_res are not semantically equivalent.
 Lost connections between removed peers and persistent peers (based on topology from config: orig_online_boutique_synthesis_res) :
-src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: TCP 6379
+src_ns: [default] src_pods: [cartservice] dst_ns: [default] dst_pods: [redis-cart] conn: {protocols:TCP,dst_ports:6379}
 src_ns: [kube-system] src_pods: [*] dst: *.googleapis.com conn: All connections
 src_ns: [kube-system] src_pods: [*] dst: accounts.google.com conn: All connections
 src_ns: [kube-system] src_pods: [*] dst: metadata.google.internal conn: All connections
 Removed connections between persistent peers (based on topology from config: orig_online_boutique_synthesis_res) :
-src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53
-src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src_ns: [default] src_pods: [cartservice] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
+src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
 Removed connections between persistent peers and ipBlocks (based on topology from config: orig_online_boutique_synthesis_res) :
-src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: TCP 8080
+src: 0.0.0.0/0 dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:8080}
diff --git a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt
index ed9f13cf3..848171682 100644
--- a/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt
+++ b/tests/k8s_testcases/expected_output/semantic_diff_online_boutique_new_vs_synthesized_new.txt
@@ -8,7 +8,7 @@ src: 0.0.0.0/0 dst_ns: [default] dst_pods: [loadgenerator] conn: All connections
 src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 New connections between persistent peers and added peers (based on topology from config: new_online_synthesis_res) :
-src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53
+src_ns: [default] src_pods: [app in (checkoutservice,frontend,loadgenerator,recommendationservice)] dst_ns: [kube-system] dst_pods: [*] conn: {protocols:UDP,dst_ports:53}
 New connections between added peers and ipBlocks (based on topology from config: new_online_synthesis_res) :
 src: 0.0.0.0/0 dst_ns: [kube-system] dst_pods: [*] conn: All connections
diff --git a/tests/k8s_testcases/expected_output/services1_connectivity_map.txt b/tests/k8s_testcases/expected_output/services1_connectivity_map.txt
index 87b77d9fc..7f461ce0a 100644
--- a/tests/k8s_testcases/expected_output/services1_connectivity_map.txt
+++ b/tests/k8s_testcases/expected_output/services1_connectivity_map.txt
@@ -2,13 +2,13 @@ final fw rules for query: connectivity_map, config: ip:
 src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,kube-system] dst_pods: [*] conn: All connections
 src_ns: [default,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,kube-system] src_pods: [*] dst_ns: [default,ingress-nginx,kube-system] dst_pods: [*] conn: All connections
-src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: TCP {'dst_ports': '80', 'hosts': 'demo.localdev.me'}
+src_ns: [ingress-nginx] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:80,hosts:demo.localdev.me}
 final fw rules for query: connectivity_map, config: np0:
 src: 0.0.0.0/0 dst_ns: [default,kube-system] dst_pods: [*] conn: All connections
 src_ns: [default,kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections
 src_ns: [default,kube-system] src_pods: [*] dst_ns: [default,kube-system] dst_pods: [*] conn: All connections
-src_ns: [ingress-nginx] src_pods: [ingress-nginx-controller-6d5f55986b] dst_ns: [default] dst_pods: [*] conn: TCP {'dst_ports': '80', 'hosts': 'demo.localdev.me'}
+src_ns: [ingress-nginx] src_pods: [ingress-nginx-controller-6d5f55986b] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:80,hosts:demo.localdev.me}
 final fw rules for query: connectivity_map, config: np1:
 src: 0.0.0.0/0 dst_ns: [default,kube-system] dst_pods: [*] conn: All connections
diff --git a/tests/run_all_tests.py b/tests/run_all_tests.py
index 1cf34efca..f1127846b 100644
--- a/tests/run_all_tests.py
+++ b/tests/run_all_tests.py
@@ -32,6 +32,7 @@ HELM cli tests should start with "helm_" so they can be skipped when HELM is not installed.
 """
+BENCHMARKING = False # set True for running benchmarks
 class TestArgs:
     def __init__(self, args, base_dir=None):
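Review bot: `BENCHMARKING = False` is a hard-coded module toggle that only takes effect by editing this file, whereas the run-mode selection it replaces (`--hc_opt`, deleted further down in this patch) was an argparse option a CI job or a developer could pass on the command line. Unless benchmarking is meant to stay a source-level switch, consider `parser.add_argument('--benchmark', action='store_true', help='omit the -d flag and append per-test run times to ./benchmarks.csv')` in `main()` and setting the module global from it. Whichever form is kept, the comment next to the constant should say what it changes about a run, e.g. `# True: drop the '-d' flag from every test invocation and append run times to ./benchmarks.csv (see GeneralTest.run_all_test_flow)`, since "running benchmarks" alone does not tell a reader that the test invocations themselves differ.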
@@ -48,7 +49,6 @@ def _fix_path_args_with_base_dir(self, base_dir): full_path = os.path.join(base_dir, arg) self.args[idx] = full_path - def get_arg_value(self, arg_str_list): for index, arg in enumerate(self.args): if arg in arg_str_list: @@ -58,17 +58,25 @@ def get_arg_value(self, arg_str_list): class CliQuery: - def __init__(self, test_dict, cli_tests_base_dir, test_name, hc_opt): + def __init__(self, test_dict, cli_tests_base_dir, test_name): self.test_dict = test_dict self.query_name = self.test_dict['name'] self.test_name = test_name - self.args_obj = TestArgs(['-opt='+hc_opt] + test_dict['args'].split(), cli_tests_base_dir) + if BENCHMARKING: + self.args_obj = TestArgs(test_dict['args'].split(), cli_tests_base_dir) + else: + self.args_obj = TestArgs(['-d'] + test_dict['args'].split(), cli_tests_base_dir) + class SchemeFile: - def __init__(self, scheme_filename, hc_opt): + def __init__(self, scheme_filename): self.test_name = scheme_filename - test_args = ['--scheme', self.test_name, '-opt='+hc_opt] + if BENCHMARKING: + test_args = ['--scheme', self.test_name] + else: + test_args = ['--scheme', self.test_name, '-d'] + self.args_obj = TestArgs(test_args) def update_arg_at_scheme_file_output_config(self, arg_name, arg_value): @@ -88,7 +96,8 @@ def update_arg_at_scheme_file_output_config(self, arg_name, arg_value): # most of the test flow is common to other tests types class GeneralTest: - def __init__(self, test_name, test_queries_obj, expected_result, check_run_time, required_output_config_flag, test_category=None): + def __init__(self, test_name, test_queries_obj, expected_result, check_run_time, required_output_config_flag, + test_category=None): self.test_name = test_name # str self.test_queries_obj = test_queries_obj # SchemeFile or CliQuery self.result = None # tuple of (numerical result, test runtime, performance issue indicator) 
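Review bot: The `if BENCHMARKING:` / `else:` pairs in `CliQuery.__init__` and `SchemeFile.__init__` make the same decision twice; a single expression such as `extra_args = [] if BENCHMARKING else ['-d']` followed by `TestArgs(extra_args + test_dict['args'].split(), cli_tests_base_dir)` (and `['--scheme', self.test_name] + extra_args` in `SchemeFile`) says the same thing without a branch in each class. Neither class says what `-d` does; from this hunk one can only infer that it took the place of the former `-opt=<mode>` argument, so a comment such as `# '-d' selects the debug/comparison run; it is left out when benchmarking so timings reflect a plain run` would spare the next reader a trip to the CLI parser (adjust the wording if `-d` means something else). Note also that the flag is prepended in `CliQuery` but appended in `SchemeFile`; that is harmless as long as `TestArgs` only scans for it, but making the two consistent avoids a surprise if positional handling is ever added.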
@@ -109,20 +118,21 @@ def initialize_test(self): def run_all_test_flow(self, all_results): # should be overriden by inheriting classes - tmp_opt = [i for i in self.test_queries_obj.args_obj.args if '-opt=' in i] - opt = tmp_opt[0].split('=')[1] if tmp_opt else 'false' - if isinstance(self.test_queries_obj, CliQuery) and (opt == 'debug' or opt == 'true'): - implemented_opt_queries = {'--connectivity', '--equiv', '--permits', '--interferes', '--forbids', - '--sanity', '--semantic_diff'} - # TODO - update/remove the optimization below when all queries are supported in optimized implementation - if not implemented_opt_queries.intersection(set(self.test_queries_obj.args_obj.args)): - print(f'Skipping {self.test_queries_obj.test_name} since it does not have optimized implementation yet') - return 0, 0 - self.initialize_test() self.run_test() self.evaluate_test_results() - self.finalize_test() + run_time = self.finalize_test() + if BENCHMARKING: + write_header = False + benchmark_file = './benchmarks.csv' + if not os.path.isfile(benchmark_file): + write_header = True + with open(benchmark_file, 'a', newline='') as csv_file: + csv_writer = csv.writer(csv_file) + if write_header: + csv_writer.writerow(['test_name', 'run time (seconds)']) + csv_writer.writerow([self.test_name, f'{run_time:.2f}']) + csv_file.close() all_results[self.test_name] = self.result return self.numerical_result, self.new_tests_error @@ -182,6 +192,7 @@ def finalize_test(self): performance_error = self._execute_run_time_compare(actual_run_time) self.result = (self.numerical_result, actual_run_time, performance_error) self._update_required_scheme_file_config_args(False) + return actual_run_time def _update_required_scheme_file_config_args(self, before_test_run): if self.required_output_config_flag is not None: 
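Review bot: The benchmark branch added to `run_all_test_flow` formats `run_time` with `f'{run_time:.2f}'`, but `run_time` is whatever `finalize_test()` returns, and the comment at the top of the method says this flow `should be overriden by inheriting classes`; if any subclass overrides `finalize_test` without the new `return actual_run_time`, the value is `None` and this line raises `TypeError` — only when `BENCHMARKING` is on, i.e. outside the default test run, so the failure would not be caught by CI. `csv_file.close()` is redundant inside the `with` block, and `csv` has to be imported at the top of the file, which is not in this chunk; please confirm the import exists, because a missing one would likewise surface only in benchmark runs. I would move the CSV bookkeeping into a small helper so the flow method stays readable and the `None` case is handled explicitly instead of crashing.
```python
    def run_all_test_flow(self, all_results):
        # … unchanged: initialize_test / run_test / evaluate_test_results …
        run_time = self.finalize_test()
        if BENCHMARKING:
            self._append_benchmark_row(run_time)
        # … unchanged: all_results bookkeeping and return …

    def _append_benchmark_row(self, run_time):
        """Append (test name, run time) to ./benchmarks.csv, writing the header when the file is created."""
        if run_time is None:
            print(f'{self.test_name}: finalize_test() returned no run time, skipping benchmark row')
            return
        benchmark_file = './benchmarks.csv'
        write_header = not os.path.isfile(benchmark_file)
        with open(benchmark_file, 'a', newline='') as csv_file:
            csv_writer = csv.writer(csv_file)
            if write_header:
                csv_writer.writerow(['test_name', 'run time (seconds)'])
            csv_writer.writerow([self.test_name, f'{run_time:.2f}'])
```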
@@ -222,7 +233,7 @@ def __getattr__(self, name): class TestsRunner: - def __init__(self, spec_file, tests_type, check_run_time, category, hc_opt): + def __init__(self, spec_file, tests_type, check_run_time, category): self.spec_file = spec_file self.all_results = {} self.global_res = 0 @@ -231,7 +242,6 @@ def __init__(self, spec_file, tests_type, check_run_time, category, hc_opt): self.test_files_spec = None self.check_run_time = check_run_time self.category = category - self.hc_opt = hc_opt self.helm_path = shutil.which('helm') @staticmethod @@ -388,9 +398,10 @@ def _test_file_matches_category_general_tests(test_file, category): # given a scheme file or a cmdline file, run all relevant tests def run_test_per_file(self, test_file): if self.test_files_spec.type == 'scheme': - if self.tests_type == 'general' and not TestsRunner._test_file_matches_category_general_tests(test_file, self.category): + if self.tests_type == 'general' and \ + not TestsRunner._test_file_matches_category_general_tests(test_file, self.category): return # test file does not match the running category - self.create_and_run_test_obj(SchemeFile(test_file, self.hc_opt), 0) + self.create_and_run_test_obj(SchemeFile(test_file), 0) elif self.test_files_spec.type == 'cmdline': with open(test_file) as doc: code = yaml.load_all(doc, Loader=yaml.CSafeLoader) @@ -401,7 +412,7 @@ def run_test_per_file(self, test_file): print(f'Skipping {query_name} - HELM is not installed') continue cli_test_name = f'{os.path.basename(test_file)}, query name: {query_name}' - cli_query = CliQuery(test, self.test_files_spec.root, cli_test_name, self.hc_opt) + cli_query = CliQuery(test, self.test_files_spec.root, cli_test_name) if self.category == '' or cli_test_name.startswith(self.category): self.create_and_run_test_obj(cli_query, test.get('expected', 0)) 
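Review bot: The wrapped condition in `run_test_per_file` uses a backslash continuation; PEP 8 prefers implicit continuation inside parentheses, e.g. `if (self.tests_type == 'general' and` / `        not TestsRunner._test_file_matches_category_general_tests(test_file, self.category)):`, which also cannot be broken by a stray trailing space after the backslash. Since this is a `TestsRunner` instance method and `_test_file_matches_category_general_tests` appears to take no `self` (its signature in the hunk header is `(test_file, category)`), `self._test_file_matches_category_general_tests(...)` would read shorter as well, unless the file deliberately calls static helpers through the class name. `run_test_per_file` continues past the end of this hunk.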
@@ -414,9 +425,6 @@ def main(argv=None): parser.add_argument('--type', choices=['general', 'k8s_live_general', 'fw_rules_assertions'], help='Choose test types to run', default='general') - parser.add_argument('--hc_opt', choices=['false', 'true', 'debug'], - help='Choose non-optimized/optimized/comparison run', - default='true') parser.add_argument('--category', choices=['k8s', 'calico', 'istio'], help='Choose category of tests', default='') parser.add_argument('--create_expected_output_files', action='store_true', help='Add missing expected output files') @@ -428,7 +436,6 @@ def main(argv=None): args = parser.parse_args(argv) test_type = args.type category = args.category - hc_opt = args.hc_opt check_run_time = args.check_run_time OutputFilesFlags().create_expected_files = args.create_expected_output_files OutputFilesFlags().update_expected_files = args.override_expected_output_files @@ -437,15 +444,9 @@ def main(argv=None): if check_run_time and test_type != 'general': print(f'check_run_time flag is not supported with test type: {test_type}') sys.exit(1) - if hc_opt == 'false': - print('Running original (non-optimized) implementation') - elif hc_opt == 'true': - print('Running optimized implementation') - elif hc_opt == 'debug': - print('Comparing original and optimized implementations') spec_file = 'all_tests_spec.yaml' - tests_runner = TestsRunner(spec_file, test_type, check_run_time, category, hc_opt) + tests_runner = TestsRunner(spec_file, test_type, check_run_time, category) tests_runner.run_tests() return tests_runner.global_res or tests_runner.new_tests_error