jayunit100 / network-policy-subproject

A starter repo to donate to Kubernetes-sigs so the community can own and iterate on stories over time, with issue tracking, as we close out the policy++ wg

[DISCUSSION] Create NetworkPolicy explainer #22

Open mattfenwick opened 4 years ago

mattfenwick commented 4 years ago

Input: 1 or more NetworkPolicies

Output: semantic explanation of policies, indicating what pods/namespaces/etc. will be targeted by the policy

Use case: as a developer or infra engineer, I want a debugging or sanity check tool to help me understand the impact of my network policies

mattfenwick commented 4 years ago

I've taken a first pass at this here; still a lot of work to do on that, but would love some feedback on what kinds of support other people use when working on network policies!

jayunit100 commented 4 years ago

If you want to make a PR into hack/explainer/ or whatever, feel free to. Would be great to have this and at least look at it during the meeting for a few minutes next week.

jayunit100 commented 4 years ago

Paste the output in here when you get a chance to, thanks!

mattfenwick commented 4 years ago

Here's a PoC implementation.

Example output from a bunch of network policies:

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: bookstore","role: db"],"MatchExpression",null]}
  ingress:
  - pods matching ["MatchLabels",["app: bookstore","role: search"],"MatchExpression",null] in all namespaces
    all ports all protocols
  - pods matching ["MatchLabels",["app: bookstore","role: api"],"MatchExpression",null] in all namespaces
    all ports all protocols
  - pods matching ["MatchLabels",["app: inventory","role: web"],"MatchExpression",null] in all namespaces
    all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: foo"],"MatchExpression",null]}
  ingress:
  egress:
  - anywhere: all pods in all namespaces and all IPs
    port 53 on protocol TCP
  - anywhere: all pods in all namespaces and all IPs
    port 53 on protocol UDP
  - all pods in all namespaces
    port 53 on protocol TCP
  - all pods in all namespaces
    port 53 on protocol UDP

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: web"],"MatchExpression",null]}
  ingress:
  - anywhere: all pods in all namespaces and all IPs
    all ports all protocols
  - all pods in all namespaces
    all ports all protocols
  - anywhere: all pods in all namespaces and all IPs
    all ports all protocols
  - all pods in all namespaces
    all ports all protocols
  - all pods in namespaces matching ["MatchLabels",["purpose: production"],"MatchExpression",null]
    all ports all protocols
  - pods matching ["MatchLabels",["type: monitoring"],"MatchExpression",null] in namespaces matching ["MatchLabels",["team: operations"],"MatchExpression",null]
    all ports all protocols
  - anywhere: all pods in all namespaces and all IPs
    all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["all: web"],"MatchExpression",null]}
  ingress:

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: bookstore","role: api"],"MatchExpression",null]}
  ingress:
  - pods matching ["MatchLabels",["app: bookstore"],"MatchExpression",null] in all namespaces
    all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",null,"MatchExpression",null]}
  ingress:
  - all pods in namespace default
    all ports all protocols
  egress:

{"Namespace": "default", "PodSelector": ["MatchLabels",["a: b"],"MatchExpression",null]}
  ingress:
  - pods matching ["MatchLabels",["role: client"],"MatchExpression",null] in namespaces matching ["MatchLabels",["user: alice"],"MatchExpression",null]
    all ports all protocols
  - all pods in namespaces matching ["MatchLabels",["user: alice"],"MatchExpression",null]
    all ports all protocols
  - pods matching ["MatchLabels",["role: client"],"MatchExpression",null] in all namespaces
    all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: apiserver"],"MatchExpression",null]}
  ingress:
  - pods matching ["MatchLabels",["role: monitoring"],"MatchExpression",null] in all namespaces
    port 5000 on protocol TCP
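The input/output contract from the opening comment (NetworkPolicies in, semantic explanation out), applied to the kind of output the PoC above produces: an added example in Python that is not the subproject's code and not mattfenwick's PoC. It reads the v1 NetworkPolicy JSON that `kubectl get netpol -o json` emits; the function names (`explain_json`, `explain`, `peer_str`, `ports_str`, `selector_str`) and the `SAMPLE` policy are constructed for this example. It encodes the three semantics that matter most when sanity-checking a policy: a `podSelector` with no `namespaceSelector` only matches pods in the policy's own namespace, a rule with no `from`/`to` entries admits traffic from anywhere, and a `policyType` that is listed but has no rules denies that direction entirely. When `policyTypes` is omitted it applies the API default (Ingress, plus Egress only if egress rules are present) so the explanation matches what the cluster enforces rather than what the YAML appears to say.

```python
"""Explain what a Kubernetes NetworkPolicy allows, from `kubectl get netpol -o json`.

Added example, not the subproject's code. Names and the sample policy are constructed.
"""
import json


def selector_str(sel):
    """Render a LabelSelector; None or {} matches everything and renders as 'all'."""
    if not sel:
        return "all"
    parts = [f"{k}={v}" for k, v in sorted(sel.get("matchLabels", {}).items())]
    for e in sel.get("matchExpressions", []):
        parts.append(f"{e['key']} {e['operator']} {e.get('values', [])}")
    return ",".join(parts) or "all"


def peer_str(peer, policy_ns):
    """Render one from/to entry. A bare podSelector (no namespaceSelector) only
    matches pods in the policy's own namespace, as the API specifies."""
    if peer.get("ipBlock") is not None:
        block = peer["ipBlock"]
        s = "IPs in " + block["cidr"]
        if block.get("except"):
            s += " except " + ",".join(block["except"])
        return s
    pods = selector_str(peer.get("podSelector"))
    pods = "all pods" if pods == "all" else "pods matching " + pods
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        return f"{pods} in namespace {policy_ns}"
    ns = selector_str(ns_sel)
    return f"{pods} in all namespaces" if ns == "all" else f"{pods} in namespaces matching {ns}"


def ports_str(ports):
    """Render a rule's ports; an empty list means every port of every protocol."""
    if not ports:
        return "all ports, all protocols"
    out = []
    for p in ports:
        proto = p.get("protocol", "TCP")  # API default is TCP
        if "port" not in p:
            out.append(f"all ports on {proto}")  # protocol given, port omitted
            continue
        port = str(p["port"])  # a number or a named port
        if "endPort" in p:
            port += f"-{p['endPort']}"
        out.append(f"port {port} on {proto}")
    return "; ".join(out)


def explain(policy):
    """Return a multi-line explanation of one NetworkPolicy dict."""
    meta, spec = policy.get("metadata", {}), policy["spec"]
    ns = meta.get("namespace", "default")
    types = spec.get("policyTypes")
    if not types:  # API default: Ingress, plus Egress only when egress rules exist
        types = ["Ingress"] + (["Egress"] if spec.get("egress") else [])
    target = peer_str({"podSelector": spec.get("podSelector", {})}, ns)
    lines = [f"{meta.get('name', '<unnamed>')}: {target}"]
    for t in types:
        kind = t.lower()
        rules = spec.get(kind) or []
        lines.append(f"  {kind}:")
        if not rules:  # a listed policyType with no rules blocks that direction entirely
            lines.append(f"  - (no rules) all {kind} traffic denied")
        for rule in rules:
            peers = rule.get("from" if kind == "ingress" else "to") or []
            if not peers:  # a rule with no peers allows traffic from/to anywhere
                desc = "anywhere: all pods in all namespaces and all IPs"
            else:
                desc = " OR ".join(peer_str(p, ns) for p in peers)
            lines.append(f"  - {desc}")
            lines.append(f"    {ports_str(rule.get('ports'))}")
    return "\n".join(lines)


def explain_json(data):
    """Accept a single NetworkPolicy or a kubectl List and explain each item."""
    doc = json.loads(data)
    items = doc["items"] if doc.get("kind") in ("List", "NetworkPolicyList") else [doc]
    return "\n\n".join(explain(p) for p in items)


# Constructed sample (not from the repo): DNS-only egress with all ingress blocked.
SAMPLE = json.dumps({
    "kind": "NetworkPolicy",
    "metadata": {"name": "dns-only", "namespace": "default"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "foo"}},
        "policyTypes": ["Ingress", "Egress"],
        "egress": [{
            "to": [{"namespaceSelector": {}, "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
            "ports": [{"port": 53}, {"port": 53, "protocol": "UDP"}],
        }],
    },
})

if __name__ == "__main__":
    print(explain_json(SAMPLE))
```

To run it against a live cluster, replace `SAMPLE` in the `__main__` block with `sys.stdin.read()` and pipe in `kubectl get netpol -A -o json`; the List handling in `explain_json` covers that shape. The two lines worth scanning for in the output are `anywhere:` (a rule that admits all sources or destinations, including IPs outside the cluster) and `(no rules)` (a direction that is fully blocked, which is usually intended for a default-deny policy and usually a mistake elsewhere).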