Exposure analysis

[adisos]

Consider enhancement of the connectivity analysis: A "what-if" analysis, to report if an analyzed workload is exposed (ingress of egress) to workloads which are not included in the input manifests.

[adisos]

More details:

Possible situations, which may not be reflected on the current connectivity report (since such connections may only be possible with peer workloads that do not exists on the input dir of the analyzed workload manifests):

• Pod is exposed to entire cluster (both ingress and egress) – not protected by netpols
• Pod is exposed to cluster only on ingress / egress (protected only on one direction by netpols)
• exposure to entire namespace (one or more, also potentials)
• Pod is exposed to potential specific namespaces / specific pods (which may exist or not on the cluster, but do not exist on the analyzed workload manifests)

How to provide/add this information in a connectivity report / graph? (Currently, the concept of a “connection” between workloads in the report is defined only for workloads that exist on the input dir, and for which both source is allowed by netpols to egress to destination, and destination is allowed by netpols to ingress from source).

[zivnevo]

The analysis provided by ACS only includes the first two bullets + indicating pods that are externally exposed.

[shireenf-ibm]

work plan:

• [x] initial computing of exposure analysis - (basic exposure cases - entire class + rules with namespaceSelector)

  • • [x] define new interface ExposedPeer and change the connlist API more info(#295)
  • • [x] code implementations in connlist: compute (separate) exposure-analysis results in getConnectionsBetweenPeers into the new returned value (#296)
  • • [x] revert changes to connlist API funcs, add new func to get the []ExposedPeer Also, do not change types for existing APIs (#298)
  • • [x] add connlist exposure_analysis_test.go , unit-tests for functionality of connlist\exposure_analysis.go (#299)
  • • [x] save on the fly - if a peer is exposed to entire cluster and the largest connection-set the allows such connectivity, and remove fake pod for "any namespace" more info and here (#304)
  • • [x] optimize policy pre-processing : store data on policy's general conns (to whole world/ entire cluster)more info(#306)
  • • [x] adding new api func for policy-engine for running exposure-analysis individually(info)(#307 )
  • • [x] implement RepresentativePeer interface/struct (#309)
  • • [x] optimize fake-pods generations (#314)
    • first add fake pods for all non-empty rules while policies upsert
    • refine pods that has a match in the resources
  • • [x] basic tests for exposure analysis results (#316)
  • • [ ] optimize exposure connections refinement in connlist pkg more info
  • • [ ] consider not returning an internal interface in the exposed result more info

• [x] adding flag --exposure to turn on this feature only when needed

• [x] adding exposure analysis results in textual output (#331)

• [x] adding exposure analysis results in graphical output(#333 )

• [x] expanding the exposure analysis to rules with PodSelector (#343)

  • • [x] handling cases of empty nsSelector (any-namespace) with non-empty podSelector : don't refine its representative peer if there is a matching pod in a specific namespace(#352)

• [ ] handling cases of labels containment with same conns (more info)

• [x] support running exposure analysis with focus-workload which is in-cluster (+adding tests)(#349)

• [ ] add docs explaining the new feature

• [x] adding more complicated tests

• [x] support all output formats of connnlist with exposure analysis (#360)

• [ ] support selectors with matchExpression (all operators)(#377)

• [x] add support for considering policies that capture representative peers (consider for each generated representative peer to keep a reference to the policies that capture it)(more info)