There is a policy engine that calculates whether traffic is allowed/denied for a given set of:

- protocol
- destination port
- source Pod info
- destination Pod info

Can we brute force calculate all possible connections between each Deployment/DaemonSet in a cluster? There are only 65,535 ports per protocol, so this may well be feasible.
This issue is more about the data structure and code for calculating it. A follow-up goal will be to display the data structure in a useful/pretty way.
Parent issue: #150
Goal
For all the Deployments and DaemonSets in a cluster, calculate the set of allowed connections given a set of policies.
Current Functionality
Check whether traffic is allowed/denied for the specified source, destination, and port/protocol.
Proposed New Feature
Produce JSON of all allowed connections and the effective policy rules causing this.
Here is one idea for the format (let me put this in a PR):
Implementation
Code
Whether traffic is allowed is determined here:

- https://github.com/kubernetes-sigs/network-policy-api/blob/669dfbc72245a2c7c6f3a3dd5c6188b7af9f8014/cmd/policy-assistant/pkg/matcher/policy.go#L269
- https://github.com/kubernetes-sigs/network-policy-api/blob/669dfbc72245a2c7c6f3a3dd5c6188b7af9f8014/cmd/policy-assistant/pkg/matcher/policy.go#L311

This is based on the port/protocol logic of the PeerMatcher interface: https://github.com/kubernetes-sigs/network-policy-api/blob/669dfbc72245a2c7c6f3a3dd5c6188b7af9f8014/cmd/policy-assistant/pkg/matcher/peermatcher.go#L29
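As an added example (not code from policy-assistant or this issue's author), here is a self-contained Go sketch of the proposed feature: the per-(source, destination, protocol, port) allow/deny decision, the loop over every workload pair, and JSON output that names the effective policies. The types Workload, PortRange, Policy and Connection are hypothetical stand-ins for the project's matcher types, the policy model is deliberately ingress-only with label selectors and port ranges, and the three-tier namespace in Sample() is constructed data. It also shows the shortcut a practitioner would reach for before brute-forcing 65,535 ports x 3 protocols x N^2 pairs: rule matching can only change at a port-range boundary, so cutting the port space at the boundaries of the policies that select the destination and evaluating one port per interval yields exactly the table that checking every port would.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

type Workload struct{ Name, Namespace string; Labels map[string]string } // pod template of a Deployment/DaemonSet (hypothetical type)
type PortRange struct{ Protocol string; From, To int }                   // one port/protocol entry of an ingress rule

// Policy is a deliberately simplified ingress-only NetworkPolicy: it selects destination pods in
// Namespace by PodSelector and admits sources whose labels match From (nil = any) on Ports (empty = all).
type Policy struct {
	Name, Namespace   string
	PodSelector, From map[string]string
	Ports             []PortRange
}

// Connection is one output row: an allowed port interval and the policies admitting it (none = default allow).
type Connection struct {
	Source, Destination, Protocol string
	PortFrom, PortTo              int
	Policies                      []string
}

func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// allows reports whether p has a rule admitting src on proto/port.
func (p Policy) allows(src Workload, proto string, port int) bool {
	if p.From != nil && !matches(p.From, src.Labels) {
		return false
	}
	for _, r := range p.Ports {
		if r.Protocol == proto && port >= r.From && port <= r.To {
			return true
		}
	}
	return len(p.Ports) == 0 // no port entries means every port and protocol
}

// AllowedConnections computes every allowed (source, destination, protocol, port interval). Instead of
// testing all 65535 ports, the port space is cut at every rule boundary of the policies selecting the
// destination and one port per interval is evaluated; matching cannot change inside an interval.
func AllowedConnections(workloads []Workload, policies []Policy) []Connection {
	out := []Connection{}
	for _, dst := range workloads {
		var selecting []Policy
		cuts := []int{1, 65536}
		for _, p := range policies {
			if p.Namespace == dst.Namespace && matches(p.PodSelector, dst.Labels) {
				selecting = append(selecting, p)
				for _, r := range p.Ports {
					cuts = append(cuts, r.From, r.To+1)
				}
			}
		}
		sort.Ints(cuts)
		for _, src := range workloads {
			for _, proto := range []string{"TCP", "UDP", "SCTP"} {
				for i := 0; i+1 < len(cuts); i++ {
					lo, hi := cuts[i], cuts[i+1]-1
					names := []string{}
					for _, p := range selecting {
						if p.allows(src, proto, lo) {
							names = append(names, p.Name)
						}
					}
					if lo > hi || (len(selecting) > 0 && len(names) == 0) {
						continue // empty interval (duplicate cut) or isolated destination with no matching rule
					}
					out = append(out, Connection{src.Name, dst.Name, proto, lo, hi, names})
				}
			}
		}
	}
	return out
}

func Sample() ([]Workload, []Policy) { // constructed three-tier namespace and policies (made-up data)
	web, api, db := map[string]string{"app": "web"}, map[string]string{"app": "api"}, map[string]string{"app": "db"}
	return []Workload{{"web", "prod", web}, {"api", "prod", api}, {"db", "prod", db}}, []Policy{
		{Name: "api-ingress", Namespace: "prod", PodSelector: api, From: web, Ports: []PortRange{{"TCP", 8080, 8080}}},
		{Name: "db-ingress", Namespace: "prod", PodSelector: db, From: api, Ports: []PortRange{{"TCP", 5432, 5432}}},
		{Name: "db-metrics", Namespace: "prod", PodSelector: db, Ports: []PortRange{{"TCP", 9100, 9100}}},
	}
}

func main() {
	w, p := Sample()
	b, _ := json.MarshalIndent(AllowedConnections(w, p), "", "  ") // plain structs: marshalling cannot fail
	fmt.Println(string(b))
}
```

Running it prints 14 rows for the sample: every source reaches `web` on all ports of all three protocols with an empty policy list (no policy selects it, so it is not isolated), `api` is reachable only from `web` on TCP/8080 via `api-ingress`, and `db` is reachable from `api` on TCP/5432 via `db-ingress` and from everyone, itself included, on TCP/9100 via `db-metrics`. The cost per workload pair is proportional to the number of rule boundaries, not 65,535. Egress rules, namespace selectors and IPBlock peers are left out of the sketch; they add cut points and matching conditions but do not change the shape of the loop.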