Admin Network Policy: eval command support (#423)
* adding ANP to parser.k8sobj

* fixing gocritic rangeValCopy by indexing

* w.i.p. anp support - first commit

* more examples (2 ANPs/ ANP+NP)

* fixing references

* new_test that ensures rule ordering in ANP is respected

* update the conn representation as complement in case it is shorter (all but: udp 5353 instead of SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535)

* test with swapped rules from another test + diff test

* more-tests

* fixing conns computations and a test with multiple ANPs

* extending output formats of existing tests

* tiny fix

* fixing a tiny bug in ruleConnections func

* tiny doc update

* tiny doc update

* a @todo tbd while review

* return error if ANPs are without name or not unique names

* remove redundant lines

* reverting the changes adding complement string representation (all but) for connectionSet

* Merge github.com:np-guard/netpol-analyzer into support_admin_netpolicy

* minor updates to netpol_errors

* currently disabling exposure-analysis when there are admin-network-policies in the input resources

* some organizations (mainly comments updates)

* updating some todo messages

* updating some todo messages/questions

* todo question

* removing a todo that had an answer for, will add some tests on that case

* fixing single anp conns compute when ingress and egress are intersected (not fully matched)

* Update pkg/internal/netpolerrors/netpol_errors.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* update todo msg

* some fixes to anp so it matches latest apis

* fixing port-set union func

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Update pkg/netpol/internal/common/connectionset.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* go.mod + lint fix

* adding todo comment

* fixes in subtract

* one line func eliminated

* uniqueness names are required for netpols and admin-netpols

* hasNetpols considers ANPs too

* Tests for AdminNetworkPolicy (#388)

* Added some ANP tests from policy-assistant.
Fixed a small bug in handling named ports in ANP

* fixing lint errors

* Fixing lint error

* Reorganized testing infrastructure for tests for parsed resources - creating pod and namespace resources per test; reading expected results from file.
Added more tests from policy assistant.

* fixing lint errors

* return error if ANPs are without name or not unique names

* Revert "return error if ANPs are without name or not unique names"

This reverts commit 1805549.

* Added ANP/BANP names in tests.
Added more tests, including BANP tests, currently commented out.

* Fixed lint errors.

* Fixed lint errors

* Added eval parsed resources tests (along with connlist tests).
Moved all parsed resources tests to a separate file.

* fixing lint errors

* fixing lint errors

* Added testing of CheckIfAllowed and CheckIfAllowedNew

* fixing lint errors

* making linter happy

* Reorganized eval ANP tests, to not depend on connlist.

* Small fixes.

* small fixes

* Changed expected results to not use "all but" expressions.

* making linter happy

* making linter happy

* making lint happy

* making linter happy

* make linter happy

* Creating k8sObjects during a test run, rather than in a test creation.

* making lint happy

* make lint happy

* linter

* shutting up linter

* Moved to parsed_resources_tests some functions used only there.

* Added fake pod status IP fields

* Avoiding unnecessary exports;
Fixing lint errors.

* Making linter happy

* Update pkg/internal/testutils/parsed_resources_tests.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Update pkg/internal/testutils/parsed_resources_tests.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* Fixed typos;
removed unneeded change.

---------

Co-authored-by: shireenf-ibm <shireenf@il.ibm.com>
Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* updating some todo comment which were updated in BANP PR

* sort anps only once before allowed-conns computes (#402)

* sort anps only once before allowed-conns computes

* support_banp (#403)

* support_banp+tests

* removing lint note

* fix merge errors

* why failed to use generics for duplicated code in egressRuleSelectsPeer and ingressRuleSelectsPeer

* banp tests with swapped rules

* integrating Tanya's tests with BANP + adding results; results were compared to policy-assistant, all good

* pass action is not defined for BANP

* more code enhancement, + could not use generics

* adding banp to policy kinds

* adding comment on priority range

* Update pkg/internal/netpolerrors/netpol_errors.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* Update pkg/netpol/eval/internal/k8s/policy_connections.go

Co-authored-by: Tanya <tatyana@il.ibm.com>

* some fixes + a new test

* tiny doc update

* demo test

* tiny change to getPoliciesSelectingPod func and deleting the "deprecated" if statements in "getAllAllowedXgressConnsFromNetpols"

* removing redundant if statements

* new parsed tests with expected outputs and a fix to the func computing "intersection" between ANP's egress-ingress

* fixing implementing approach + some more parsed tests

* tiny doc update

* eval command support + unit tests

* renaming func

* comment changed

* command line tests with anps + updating support for workloads resources

* removing comment

* changing const names

* fixing if else

* code optimizations and re-org

* moving parsed_resources_tests file + some re-orgs

* adding one more test so all good paths are covered

* optimizing collect from banp + fixing one test output

* optimize + fix + tests confirming results - tested with policy-assistant

* deny examples parallel to the allow examples added previously

* switch

* policy conns

* collect from banp

* updating outputs with empty line at eof

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>

* add anp_banp_blog_demo example

Signed-off-by: adisos <adisos@il.ibm.com>

* update example

Signed-off-by: adisos <adisos@il.ibm.com>

* tiny fix

* update example - add another workload and ns

Signed-off-by: adisos <adisos@il.ibm.com>

* first fixes

* common code

* revert accepting workloads as input for evaluate cmd-line

* update example

Signed-off-by: adisos <adisos@il.ibm.com>

* adding tests from dir to command and eval tests; command-line needs generating pod files

* generating the tmp dir in the project path, since permissions are denied on github to the "general" tmp dir

* fixes to fit github permissions

* min-max priority consts

* comments + changing mode

* renaming struct field

* updating mode fields

* rename func

* moving consts

* tmp dir

* renaming attributes

* modifying func

* renaming some tests + adding blog_test to the connlist_test

* test updates

* updating test

* adding references

* updating test anp_test_6_swapping_rules

* test update

* test update

* add test details

Signed-off-by: adisos <adisos@il.ibm.com>

* fix test fail because of a new md file in the test dir - copying only yaml files

---------

Signed-off-by: adisos <adisos@il.ibm.com>
Co-authored-by: Tanya <tatyana@il.ibm.com>
Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>
Co-authored-by: adisos <adisos@il.ibm.com>
4 people authored Dec 1, 2024
1 parent fdbff75 commit 16eb79f
Showing 11 changed files with 1,010 additions and 213 deletions.
2 changes: 1 addition & 1 deletion go.mod
@@ -8,6 +8,7 @@ require (
github.com/openshift/api v0.0.0-20230502160752-c71432710382
github.com/spf13/cobra v1.8.1
github.com/stretchr/testify v1.10.0
gopkg.in/yaml.v2 v2.4.0
k8s.io/api v0.29.2
k8s.io/apimachinery v0.29.2
k8s.io/cli-runtime v0.29.2
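Review bot: promoting gopkg.in/yaml.v2 to a direct dependency deserves a second look, because the module already pulls in gopkg.in/yaml.v3 indirectly and the new consumer appears to be the test scaffolding that generates pod yaml files (per the commit message). If yaml.v2 is used to encode or decode Kubernetes API types, note that it keys on `yaml:` struct tags, which the k8s types do not carry (they only have `json:` tags), so camelCase fields such as podSelector would not round-trip; sigs.k8s.io/yaml, which converts via JSON and is the conventional choice in this ecosystem, avoids that and avoids adding a maintenance-mode library as a direct dependency.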
@@ -56,7 +57,6 @@ require (
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/klog/v2 v2.110.1 // indirect
k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect
105 changes: 98 additions & 7 deletions pkg/cli/command_test.go
@@ -348,11 +348,16 @@ func TestDiffCommandOutput(t *testing.T) {
// TestEvalCommandOutput tests the output of legal eval command
func TestEvalCommandOutput(t *testing.T) {
cases := []struct {
dir string
sourcePod string
destPod string
port string
evalResult bool
dir string
sourcePod string
sourceNs string
destNs string
destPod string
protocol string
port string
evalResult bool
generatePodManifests bool // indicates if the test dir does not contain pods - to be generated
// this field will be used till the eval command supports workload inputs too (not just pods)
}{
{
dir: "onlineboutique",
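Review bot: the comment on generatePodManifests says the field stays "till the eval command supports workload inputs", but the commit message also records reverting "accepting workloads as input for evaluate cmd-line", so it is unclear whether that support is still planned or was decided against; state the reason (or reference the tracking issue) in the comment so the temp-dir workaround does not outlive its justification. Minor: the new sourceNs/destNs fields are interleaved as sourcePod, sourceNs, destNs, destPod; ordering them sourceNs, sourcePod, destNs, destPod would mirror the CLI flags and read more naturally.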
@@ -368,13 +373,99 @@ func TestEvalCommandOutput(t *testing.T) {
port: "80",
evalResult: false,
},
{
dir: "anp_demo",
sourceNs: "gryffindor",
sourcePod: "harry-potter",
destPod: "luna-lovegood",
destNs: "ravenclaw",
protocol: "udp",
port: "52",
evalResult: true,
generatePodManifests: true,
},
{
dir: "anp_test_6",
sourceNs: "network-policy-conformance-slytherin",
sourcePod: "draco-malfoy",
destPod: "cedric-diggory",
destNs: "network-policy-conformance-hufflepuff",
protocol: "udp",
port: "5353",
evalResult: false,
generatePodManifests: true,
},
{
dir: "anp_test_multiple_anps",
sourceNs: "network-policy-conformance-ravenclaw",
sourcePod: "luna-lovegood",
destPod: "draco-malfoy",
destNs: "network-policy-conformance-slytherin",
protocol: "sctp",
port: "9003",
evalResult: false,
generatePodManifests: true,
},
{
dir: "anp_with_np_and_banp_pass_test",
sourceNs: "ns2",
sourcePod: "pod1",
destPod: "pod1",
destNs: "ns1",
port: "80",
evalResult: true,
generatePodManifests: true,
},
{
dir: "anp_with_np_pass_test",
sourceNs: "ns2",
sourcePod: "pod1",
destPod: "pod1",
destNs: "ns1",
port: "8080",
evalResult: false,
generatePodManifests: true,
},
{
dir: "anp_banp_core_test",
sourceNs: "network-policy-conformance-gryffindor",
sourcePod: "harry-potter",
destPod: "cedric-diggory",
destNs: "network-policy-conformance-hufflepuff",
port: "8080",
evalResult: true,
generatePodManifests: true,
},
}
for _, tt := range cases {
tt := tt
testName := "eval_" + tt.dir + "_from_" + tt.sourcePod + "_to_" + tt.destPod
t.Run(testName, func(t *testing.T) {
args := []string{"eval", "--dirpath", testutils.GetTestDirPath(tt.dir),
"-s", tt.sourcePod, "-d", tt.destPod, "-p", tt.port}
if tt.protocol == "" {
tt.protocol = defaultProtocol
}
if tt.sourceNs == "" {
tt.sourceNs = defaultNs
}
if tt.destNs == "" {
tt.destNs = defaultNs
}
dirPath := testutils.GetTestDirPath(tt.dir)
var err error
// TODO: following "if" will be deprecated when eval supports input workloads, not just pods
if tt.generatePodManifests {
// getting here means the test dir contains workloads in the manifests (not pods)
// but since eval command only supports pods, we will generate a copy of the dirs with
// pods yaml files from the matching workload resource of the tt's source and dst.
// so the command may be executed with the given args
err = testutils.GenerateTempDirWithPods(dirPath, tt.sourcePod, tt.sourceNs, tt.destPod, tt.destNs)
require.Nil(t, err, "test: %q", testName)
dirPath = testutils.TmpDir
defer os.RemoveAll(testutils.TmpDir) // clean up after finishing the test
}
args := []string{"eval", "--dirpath", dirPath,
"-s", tt.sourcePod, "-d", tt.destPod, "-p", tt.port, "--protocol", tt.protocol,
"-n", tt.sourceNs, "--destination-namespace", tt.destNs}
actualOut, err := buildAndExecuteCommand(args)
require.Nil(t, err, "test: %q", testName)
require.Contains(t, actualOut, fmt.Sprintf("%v", tt.evalResult),
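Review bot: testutils.TmpDir is a single fixed directory inside the project tree (the commit message says it was moved there because of permissions on the generic tmp dir) and is shared by every case that sets generatePodManifests, so these subtests can never be marked t.Parallel(), and a directory left behind by an interrupted run is silently reused by the next one. Since GenerateTempDirWithPods writes into that path and each case then does `defer os.RemoveAll(testutils.TmpDir)`, consider having it take a target directory and passing `t.TempDir()`, which is unique per subtest and cleaned up by the testing package. Also, `require.Contains(t, actualOut, fmt.Sprintf("%v", tt.evalResult))` only checks that "true" or "false" appears somewhere in the output; an exact comparison against the result line would also catch an output that happens to mention both.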
25 changes: 19 additions & 6 deletions pkg/cli/evaluate.go
@@ -10,9 +10,11 @@ import (
"context"
"errors"
"fmt"
"strings"
"time"

"github.com/spf13/cobra"
v1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"

@@ -29,14 +31,19 @@ import (
// Currently adds many options flags, so wait until cobra supports something
// like NamedFlagSet's.

const (
defaultNs = metav1.NamespaceDefault
)

var (
// evaluated connection information
protocol = "tcp"
sourcePod = types.NamespacedName{Namespace: "default"}
destinationPod = types.NamespacedName{Namespace: "default"}
srcExternalIP string
dstExternalIP string
port string
defaultProtocol = strings.ToLower(string(v1.ProtocolTCP))
protocol = defaultProtocol
sourcePod = types.NamespacedName{Namespace: defaultNs}
destinationPod = types.NamespacedName{Namespace: defaultNs}
srcExternalIP string
dstExternalIP string
port string
)

func validateEvalFlags() error {
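Review bot: defaultProtocol is now derived as strings.ToLower(string(v1.ProtocolTCP)), i.e. "tcp", while the core/v1 Protocol constants and the protocol values in ANP/BANP port rules are upper case; if validateEvalFlags or the engine compares the --protocol flag against those constants, confirm the comparison normalises case so a user who pastes "TCP" or "SCTP" from a manifest is not rejected or silently matched to nothing. Importing k8s.io/api/core/v1 just for this constant is fine, but a one-line comment saying the flag is lower-case by convention would save the next reader the lookup.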
@@ -63,6 +70,7 @@ func validateEvalFlags() error {
return nil
}

//gocyclo:ignore
func updatePolicyEngineObjectsFromDirPath(pe *eval.PolicyEngine, podNames []types.NamespacedName) error {
// get relevant resources from dir path
eLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())
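Review bot: `//gocyclo:ignore` suppresses the cyclomatic-complexity lint on updatePolicyEngineObjectsFromDirPath instead of reducing it; the growing kind switch in this function (Pod, Namespace, NetworkPolicy, AdminNetworkPolicy, BaselineAdminNetworkPolicy) is the natural extraction, e.g. a small helper that takes the engine and the parsed object and returns the InsertObject error, which would also make the directive unnecessary.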
@@ -96,8 +104,13 @@ func updatePolicyEngineObjectsFromDirPath(pe *eval.PolicyEngine, podNames []type
err = pe.InsertObject(obj.Pod)
case parser.Namespace:
err = pe.InsertObject(obj.Namespace)
// netpols kinds
case parser.NetworkPolicy:
err = pe.InsertObject(obj.NetworkPolicy)
case parser.AdminNetworkPolicy:
err = pe.InsertObject(obj.AdminNetworkPolicy)
case parser.BaselineAdminNetworkPolicy:
err = pe.InsertObject(obj.BaselineAdminNetworkPolicy)
default:
continue
}
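Review bot: the eval path now feeds ANPs and BANPs into the engine, so the validations the commit message mentions for the connlist path should be confirmed to apply here too: unique ANP names, what InsertObject does with a second BaselineAdminNetworkPolicy (the API permits a single cluster-wide BANP, named default), and what happens with two ANPs that share a priority, for which the API defines no ordering. For a command whose entire output is one allow/deny verdict, rejecting such inputs with an error is safer than picking an arbitrary order and printing a confident true/false. Also, `default: continue` discards any other kind silently; at minimum log the skipped kind at debug level via the eLogger constructed above, since a Deployment in the directory (which eval does not accept, per the reverted workload support) is exactly the case a user would trip over.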

0 comments on commit 16eb79f
