W.I.P Exposure analysis with anp #486
Conversation
…rt_admin_netpolicy
…ll but: udp 5353 instead of SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535)
…t) for connectionSet
…licies in the input resources
…cluding some peers (no peer resolution)
…onnection. In case of representative-peer adding this "no conns" to the output to see the exception
pkg/netpol/connlist/connlist.go
Outdated
| // skip empty connections unless one of the peers is representative | ||
| if allowedConnections.IsEmpty() && !(pe.IsRepresentativePeer(srcPeer) || pe.IsRepresentativePeer(dstPeer)) { |
There was a problem hiding this comment.
i added it so i can handle the following case:
assume we have an ANP that denies all conns from a -> b ("b" is a representative peer)
and another (with lower priority) rule that allows all conns from a to entire-cluster
i.e "a" is exposed to entire-cluster on all conns except to b (conns are empty to b)
this was added so I can add the entry a->b in the exposure map (with "no conns" ) and display it in the output
see example: "tests/exposure_test_with_anp_9"
There was a problem hiding this comment.
ok, please add comment in code explaining this
| // check if the connection is contained in an entire cluster connection; if yes skip; if not store the connection data | ||
| contained, err := connectionContainedInEntireClusterConn(pe, peer, allowedConnSet, isIngress) | ||
| // check if the peer is exposed to entire-cluster and if connection equals the entire cluster connection; | ||
| equals, isExposed, err := connectionEqualsEntireClusterConn(pe, peer, allowedConnSet, isIngress) |
There was a problem hiding this comment.
contained-in instead of equals?
There was a problem hiding this comment.
opposite, equals instead of contained-in (it was containedIn, where actually if it was not larger it was equals)
if there is a rule that allows any connection to entire-cluster when we compute allowed conns between peers, the result contains this connection ( so if it is same as entire-cluster connection, there is no need to add it as "separate" exposure).
if the connection is larger (i.e same conn to entire-cluster + other conn - it will be added as another exposure (was and yet))
the new case - with ANP we have deny rules that may be prior to the "allow to entire-cluster" :
so if a real-peer is exposed to entire-cluster on all-TCP
but there is a rule "deny to new-ns on TCP90" --- the exposure to "new-ns" is all TCP but TCP 90 which is different than the exposure to entire-cluster even it is containedIn it.
There was a problem hiding this comment.
please add example/explanation in code
| // 2. if the connection is empty (no conns) and the peer is exposed to entire-cluster - add this empty connection to the exposure map | ||
| // to tell that this representative peer is excluded from `entire-cluster` connection |
There was a problem hiding this comment.
how is it going to be marked as excluded in the output?
There was a problem hiding this comment.
see example tests/exposure_test_with_anp_9 and its document in connlist_test.go
There was a problem hiding this comment.
there is also an example with real-pod tests/exposure_test_with_anp_10_with_real_pod (when a real is exposed to entire-cluster, but the connection to another real-pod is blocked);
with real pods connlist-output gives as the indication
(related also to this comment
pkg/netpol/eval/exposure.go
Outdated
| // - if the rule's namespaceSelector is not nil, no representative namespace will be generated (representative pod has empty namespace name) | ||
| // anyway, the representative pod will store the namespace data. | ||
| func (pe *PolicyEngine) generateRepresentativePeers(selectors []k8s.SingleRuleSelectors, policyNs string) (err error) { | ||
| for i := range selectors { | ||
| podNs := "" // by default: representative peer has no namespace; (don't generate representative namespaces) | ||
| if selectors[i].NsSelector == nil { | ||
| // note that policyNs is "" (empty) for cluster-scoped policies (ANP and BANP) - means podNs kept empty in this case | ||
| if selectors[i].NsSelector == nil && policyNs != "" { |
There was a problem hiding this comment.
policyNs == "" does not necessarily indicate that the policy is cluster-scoped?
better rely on the policy type ?
There was a problem hiding this comment.
for all current cases, it does (as the code is written ) and because an NP without namespace would raise error before getting here; we can also change to be more "accurate and sure"
There was a problem hiding this comment.
better rely on policy type, so the code is more robust
pkg/netpol/eval/check.go
Outdated
| anpConnsDeterminedAllFlag := false | ||
| // if all cluster-wide conns were determined by the ANP then update the selected peer's cluster wide exposure | ||
| if pe.exposureAnalysisFlag && anpExposure.layerConns.DeterminesAllConns() { | ||
| podExposureUpdatedFlag = true |
There was a problem hiding this comment.
isn't exposure to external ip-blocks determined by regular netpols ?
There was a problem hiding this comment.
not only;
egress rules in (B)ANP can also determine conns to IPs (networks field)
There was a problem hiding this comment.
can podExposureUpdatedFlag be set to true, if possibly more exposure should be inferred from regular netpols?
There was a problem hiding this comment.
i think this is related to the other comment
the anser is no, if the flag is true means ANP determined all conns between the peer and entire-cluster
There was a problem hiding this comment.
it's not clear what do these flags mean? where is it documented?
There was a problem hiding this comment.
what is exposure updated related to? exposure to entire cluster? exposure to entire cluster and external ip-blocks?
what does value true marks?
There was a problem hiding this comment.
to entire cluster only.
we have IP-peers for external exposure
will update the document more ; also described above type policiesLayerXgressConns
There was a problem hiding this comment.
consider removing "entire-world" fields from exposure analysis structs, and mention in documentation that exposure analysis only computes exposure to entire-cluster (for external ip-blocks just copying the conn-list results).
| return anpConns.layerConns.AllowedConns, nil | ||
| } | ||
| // else : exposure-analysis is on and still not determined continue | ||
| anpConnsDeterminedAllFlag = true |
There was a problem hiding this comment.
because if a->b allows all (or at least determined all conns (ports) from ANPs) does not necessary mean that all exposure to entire cluster was also determined from ANPs .. so need to analyze also NPs / BANP for exposure
There was a problem hiding this comment.
example:
ANP denies all conns from a -> b (ANP determined all conns to b; if exposure analysis is off no need to continue to NP/BANP)
But:
NP exposes A to entire-cluster on all-conns (if we don't continue - this would not be computed and will have wrong results as exposure to entire-cluster is computed once for each direction)
There was a problem hiding this comment.
ok. might be useful to add this example in comment as documentation, so it is clear.
Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com>
…ol-analyzer into exposure_analysis_with_anp
because the subject of the ANP is all |
I see.. it's a bit misleading because its connectivity has the same effect as "not protected".. can open issue with this example to consider enhancements later. |
done #489 |
No description provided.