kubernetes-sigs / network-policy-api

This repo addresses further work involving Kubernetes network security beyond the initial NetworkPolicy resource
Apache License 2.0

[Policy Assistant] Predict Verdict and Flow of Decisions made by Policies #168

Open huntergregory opened 8 months ago

huntergregory commented 8 months ago

Idea for #150.

Dependency: #152

Predict the effect of Policies on traffic, and visualize the relevant rules (from ANP, NetPol v1, and/or BANP) that produced the effect.

Prototype visualization: image

k8s-triage-robot commented 5 months ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

huntergregory commented 5 months ago

/remove-lifecycle stale

gabrielggg commented 4 months ago

Hi @huntergregory, can this be summarized as: "Repurposing cyclonus analyze --mode=query-traffic"?

huntergregory commented 3 months ago

Hey @gabrielggg, good call out. We're still in a stage of design iteration for this, and query-traffic mode may be a helpful reference for design or implementation. For reference, query-traffic mode looked like this for NetworkPolicyV1 (full output):

image

On the other hand, this is what we came up with for the KubeCon demo (video and code):

image

gabrielggg commented 2 months ago

Hey @huntergregory, awesome. First of all, congratulations on the great presentation at KubeCon Paris; I just saw the video. At the end of the video, in the summary, you put a slide with the topics coming next on the project, and I saw that you highlighted this issue, #168, but seeing the demo and your previous screenshots, I see that the walkthrough you proposed in this issue is almost done, so I just wanted to know how you are going to proceed with this issue, so that I can help.

huntergregory commented 2 months ago

Thanks @gabrielggg for the congrats and the interest, and sorry for the delay.

Just created #220, which is the main thing lacking right now. We could definitely use some help in this area! Feel free to assign yourself to that issue.

As for this issue (168), let me copy over the KubeCon demo code to main branch as a starting point, but we can work on #220 independently of this.