Differentiating between Ingress policy and IstioGatewayPolicy.

Fixing lint errors.

Signed-off-by: Tanya <[email protected]>

nca/NetworkConfig/NetworkConfigQuery.py

@@ -1277,8 +1277,8 @@ def clone_without_ingress(config):
         :return: resulting config without ingress policies
         :rtype: NetworkConfig
         """
-        if NetworkLayerName.IngressEgressGateway not in config.policies_container.layers or not config.policies_container.layers[
-                NetworkLayerName.IngressEgressGateway].policies_list:
+        if NetworkLayerName.IngressEgressGateway not in config.policies_container.layers or \
+                not config.policies_container.layers[NetworkLayerName.IngressEgressGateway].policies_list:
             return config  # no ingress policies in this config
         config_without_ingress = config.clone_without_policies(config.name)
         for policy in config.policies_container.policies.values():
@@ -2362,7 +2362,8 @@ def exec(self):
         self.output_config.fullExplanation = True  # assign true for this query - it is always ok to compare its results
         # get_all_peers_group() does not require getting dnsEntry peers, since they are not ClusterEP (pods)
         existing_pods = self.config.peer_container.get_all_peers_group()
-        if not self.config or self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.IngressEgressGateway):
+        if not self.config or \
+                self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.IngressEgressGateway):
             return QueryAnswer(bool_result=False,
                                output_result=f'There are no network policies in {self.config.name}. '
                                              f'All workload resources are non captured',

nca/NetworkConfig/NetworkLayer.py

@@ -40,7 +40,7 @@ def policy_type_to_layer(policy_type):
             return NetworkLayerName.K8s_Calico
         elif policy_type in {NetworkPolicy.PolicyType.IstioAuthorizationPolicy, NetworkPolicy.PolicyType.IstioSidecar}:
             return NetworkLayerName.Istio
-        elif policy_type == NetworkPolicy.PolicyType.IngressEgressGateway:
+        elif policy_type in {NetworkPolicy.PolicyType.Ingress, NetworkPolicy.PolicyType.IstioGatewayPolicy}:
             return NetworkLayerName.IngressEgressGateway
         return None
 

nca/NetworkConfig/PoliciesFinder.py

@@ -91,7 +91,7 @@ def parse_policies_in_parse_queue(self):  # noqa: C901
                 else:
                     istio_sidecar_parser.reset(policy, self.peer_container, file_name)
                 parsed_policy = istio_sidecar_parser.parse_policy()
-            elif policy_type == NetworkPolicy.PolicyType.IngressEgressGateway:
+            elif policy_type == NetworkPolicy.PolicyType.Ingress:
                 parsed_element = IngressPolicyYamlParser(policy, self.peer_container, file_name)
                 parsed_policy = parsed_element.parse_policy()
                 self._add_policy(parsed_policy)
@@ -122,7 +122,7 @@ def parse_policies_in_parse_queue(self):  # noqa: C901
                                        policy.line_number,
                                        policy_name
                                        )
-        if istio_traffic_parser and not istio_traffic_parser.missing_istio_gw_pods_with_labels:
+        if istio_traffic_parser:
             istio_traffic_policies = istio_traffic_parser.create_istio_traffic_policies()
             for istio_traffic_policy in istio_traffic_policies:
                 self._add_policy(istio_traffic_policy)

nca/Parsers/IngressPolicyYamlParser.py

@@ -255,7 +255,7 @@ def parse_policy(self):
 
         self.namespace = self.peer_container.get_namespace(policy_ns)
         res_policy = IstioGatewayPolicy(policy_name + '/allow', self.namespace, IstioGatewayPolicy.ActionType.Allow)
-        res_policy.policy_kind = NetworkPolicy.PolicyType.IngressEgressGateway
+        res_policy.policy_kind = NetworkPolicy.PolicyType.Ingress
         res_policy.affects_egress = True
         policy_spec = self.policy['spec']
         allowed_spec_keys = {'defaultBackend': [0, dict], 'ingressClassName': [0, str],

nca/Parsers/IstioTrafficResourcesYamlParser.py

@@ -576,7 +576,7 @@ def init_mesh_to_egress_policy(vs, selected_peers):
         """
         mesh_to_egress_policy = IstioGatewayPolicy(vs.name + '/mesh/egress/allow', vs.namespace,
                                                    IstioGatewayPolicy.ActionType.Allow)
-        mesh_to_egress_policy.policy_kind = NetworkPolicy.PolicyType.IngressEgressGateway
+        mesh_to_egress_policy.policy_kind = NetworkPolicy.PolicyType.IstioGatewayPolicy
         # We model egress flow relatively to egress gateways pods (i.e. they are the selected_peers);
         # since the flow is into those selected peers, the policy will affect ingress.
         mesh_to_egress_policy.affects_ingress = True
@@ -597,7 +597,7 @@ def create_deny_mesh_to_ext_policy(self):
             return None
         deny_mesh_to_ext_policy = IstioGatewayPolicy('mesh/external/deny', self.namespace,
                                                      IstioGatewayPolicy.ActionType.Deny)
-        deny_mesh_to_ext_policy.policy_kind = NetworkPolicy.PolicyType.IngressEgressGateway
+        deny_mesh_to_ext_policy.policy_kind = NetworkPolicy.PolicyType.IstioGatewayPolicy
         # External (DNS) pods are the selected_peers
         # Note: This is a Deny policy. selected_peers will not be captured!
         deny_mesh_to_ext_policy.affects_ingress = True
@@ -648,7 +648,7 @@ def create_gtw_to_mesh_policies(self, vs, route, route_cnt, gtw_to_hosts, used_g
                                             vs.namespace, IstioGatewayPolicy.ActionType.Allow)
             # We model ingress/egress flow relatively to the gateways pods (which are the selected_peers);
             # since in this case the gateway pods are the source pods, the policy will affect egress.
-            res_policy.policy_kind = NetworkPolicy.PolicyType.IngressEgressGateway
+            res_policy.policy_kind = NetworkPolicy.PolicyType.IstioGatewayPolicy
             res_policy.affects_egress = True
             res_policy.selected_peers = gtw.peers
             for dest in route.destinations:

nca/Resources/NetworkPolicy.py

@@ -26,9 +26,10 @@ class PolicyType(Enum):
         CalicoProfile = 4
         IstioAuthorizationPolicy = 10
         IstioSidecar = 11
-        IngressEgressGateway = 20
+        Ingress = 20
         Gateway = 30
         VirtualService = 31
+        IstioGatewayPolicy = 32
         List = 500
 
         @staticmethod
@@ -44,7 +45,7 @@ def input_kind_name_str_to_policy_type(kind):
             elif kind == "IstioSidecar":
                 return NetworkPolicy.PolicyType.IstioSidecar
             elif kind == "K8sIngress":
-                return NetworkPolicy.PolicyType.IngressEgressGateway
+                return NetworkPolicy.PolicyType.Ingress
             return None
 
     def __init__(self, name, namespace):
@@ -258,7 +259,7 @@ def get_policy_type_from_dict(policy):  # noqa: C901
         elif kind == 'NetworkPolicy':
             policy_type = NetworkPolicy.PolicyType.K8sNetworkPolicy
         elif kind == 'Ingress':
-            policy_type = NetworkPolicy.PolicyType.IngressEgressGateway
+            policy_type = NetworkPolicy.PolicyType.Ingress
 
         return policy_type
 
@@ -357,8 +358,12 @@ def allowed_connections(self, from_peer, to_peer, is_ingress):
         return NotImplemented
 
     def policy_type_str(self):
-        return "Istio Gateway/VirtualService/Ingress resource" if self.policy_kind == NetworkPolicy.PolicyType.IngressEgressGateway \
-            else "NetworkPolicy"
+        if self.policy_kind == NetworkPolicy.PolicyType.Ingress:
+            return "Ingress resource"
+        elif self.policy_kind == NetworkPolicy.PolicyType.IstioGatewayPolicy:
+            return "Istio Gateway/VirtualService resource"
+        else:
+            return "NetworkPolicy"
 
 
 @dataclass