kubernetes-sigs / network-policy-api

This repo addresses further work involving Kubernetes network security beyond the initial NetworkPolicy resource
Apache License 2.0

feat: [Policy Assistant] walkthrough mode and a README (KubeCon demo PR 2/2) #245

Open huntergregory opened 1 month ago

huntergregory commented 1 month ago

A follow-up PR can leverage #227 to specify traffic for the walkthrough (traffic is hard-coded right now). Also, #239 will give us the power to read policies from file/cluster.

Outputs

walkthrough

$ ./cyclonus analyze --policy-path examples/demos/kubecon-eu-2024 --mode walkthrough             
verdict walkthrough:
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
|                TRAFFIC                | VERDICT |                     INGRESS WALKTHROUGH                     |      EGRESS WALKTHROUGH      |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80)                                      | no policies targeting egress |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied  | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny)         |                              |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80)                                      |                              |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied  | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) |                              |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+

probe

$ ./cyclonus analyze --policy-path examples/demos/kubecon-eu-2024 --mode probe --probe-path examples/demos/kubecon-eu-2024/demo-probe.json
simulated connectivity:
INFO[2024-08-07T17:26:28-07:00] probe on port 80, protocol TCP               
Ingress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

Egress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | .      | #      |
+--------+--------+--------+

Combined:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

INFO[2024-08-07T17:26:28-07:00] probe on port 81, protocol TCP               
Ingress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

Egress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | .      | #      |
+--------+--------+--------+

Combined:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+
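As an added illustration (not code from this PR or from the Policy Assistant/cyclonus), the evaluation order the walkthrough column reflects, modelled in Go: an AdminNetworkPolicy verdict is final unless it is Pass, a Pass defers to NetworkPolicy v1 for a pod that a v1 policy selects, otherwise the BaselineAdminNetworkPolicy decides, and nothing matching means allowed. `Rule`, `V1Policy`, `Policies`, `IngressWalkthrough` and `DemoPolicies` are hypothetical names, and the demo rules are constructed to reproduce the four rows of the table above.

```go
package main

import "fmt"
// Constructed model of the order the walkthrough table shows: ANP first; an ANP Pass
// defers to NetworkPolicy v1; if no NPv1 selects the destination pod, BANP decides;
// with nothing matching, traffic is allowed. All rule and policy names are hypothetical.
type Rule struct{ Name, Peer, Action string; Port int } // Peer "": any source pod; Port 0: any port; Action: Allow, Deny or (ANP only) Pass
// V1Policy isolates the pod it selects: only sources matched by one of its Allow rules get in.
type V1Policy struct{ Name string; Allow []Rule }
// ANP/BANP rules are in priority order; NPv1 maps a destination pod to the v1 policy selecting it.
type Policies struct{ ANP, BANP []Rule; NPv1 map[string]V1Policy }

func firstMatch(rules []Rule, peer string, port int) *Rule {
	for i, r := range rules {
		if (r.Peer == "" || r.Peer == peer) && (r.Port == 0 || r.Port == port) {
			return &rules[i]
		}
	}
	return nil
}

// IngressWalkthrough returns the verdict and the walkthrough text for src -> dst:port.
func IngressWalkthrough(p Policies, src, dst string, port int) (bool, string) {
	trail := ""
	if r := firstMatch(p.ANP, src, port); r != nil {
		trail = fmt.Sprintf("[ANP] %s (%s)", r.Action, r.Name)
		if r.Action != "Pass" { // an ANP Allow or Deny is final
			return r.Action == "Allow", trail
		}
		trail += " -> "
	}
	if v1, isolated := p.NPv1[dst]; isolated {
		ok := firstMatch(v1.Allow, src, port) != nil
		verb := map[bool]string{true: "Allowed", false: "Dropped"}[ok]
		return ok, trail + fmt.Sprintf("[NPv1] %s (%s)", verb, v1.Name)
	}
	if r := firstMatch(p.BANP, src, port); r != nil {
		return r.Action == "Allow", trail + fmt.Sprintf("[BANP] %s (%s)", r.Action, r.Name)
	}
	return true, trail + "no policies targeting ingress"
}

// DemoPolicies mirrors the demo: ANP allow-80 and pass-81, a v1 policy isolating demo/a with no allows, a BANP baseline deny.
func DemoPolicies() Policies {
	return Policies{
		ANP:  []Rule{{"allow-80", "", "Allow", 80}, {"pass-81", "", "Pass", 81}},
		NPv1: map[string]V1Policy{"demo/a": {Name: "demo/deny-to-pod-a"}},
		BANP: []Rule{{"baseline-deny", "", "Deny", 0}},
	}
}
```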

k8s-ci-robot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: huntergregory

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

- ~~[cmd/policy-assistant/OWNERS](https://github.com/kubernetes-sigs/network-policy-api/blob/main/cmd/policy-assistant/OWNERS)~~ [huntergregory]

Approvers can indicate their approval by writing `/approve` in a comment. Approvers can cancel approval by writing `/approve cancel` in a comment.

netlify[bot] commented 1 month ago

Deploy Preview for kubernetes-sigs-network-policy-api ready!

| Name | Link |
|---|---|
| Latest commit | 9db719beb3e31ce247dd284cad8ab3a1016cfef1 |
| Latest deploy log | https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/66b43156a9a35b0008dc560b |
| Deploy Preview | https://deploy-preview-245--kubernetes-sigs-network-policy-api.netlify.app |

huntergregory commented 1 month ago

Also, https://github.com/kubernetes-sigs/network-policy-api/pull/239 will give us the power to read policies from file/cluster.

I have a local hack imitating #239 to produce outputs using `--policy-path`.

k8s-ci-robot commented 3 weeks ago

PR needs rebase.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.