Open adisos opened 10 months ago

Consider enhancement of the connectivity analysis: A "what-if" analysis, to report if an analyzed workload is exposed (ingress or egress) to workloads which are not included in the input manifests.

More details:

Possible situations, which may not be reflected on the current connectivity report (since such connections may only be possible with peer workloads that do not exist on the input dir of the analyzed workload manifests):

How to provide/add this information in a connectivity report / graph? (Currently, the concept of a "connection" between workloads in the report is defined only for workloads that exist on the input dir, and for which both source is allowed by netpols to egress to destination, and destination is allowed by netpols to ingress from source).

The analysis provided by ACS only includes the first two bullets + indicating pods that are externally exposed.

Work plan:

- [x] initial computing of exposure analysis - (basic exposure cases - entire class + rules with `namespaceSelector`), `ExposedPeer`, and change the connlist API (more info) (#295)
  - `getConnectionsBetweenPeers` into the new returned value (#296)
  - `connlist\exposure_analysis_test.go`, unit-tests for functionality of `connlist\exposure_analysis.go` (#299)
  - `fake pods` for all non-empty rules while policies upsert
- [x] adding flag `--exposure` to turn on this feature only when needed
- [x] adding exposure analysis results in textual output (#331)
- [x] adding exposure analysis results in graphical output (#333)
- [x] expanding the exposure analysis to rules with `PodSelector` (#343)
- [ ] handling cases of labels containment with same conns (more info)
- [x] support running exposure analysis with focus-workload which is in-cluster (+adding tests) (#349)
- [ ] add docs explaining the new feature
- [x] adding more complicated tests
- [x] support all output formats of connlist with exposure analysis (#360)
- [ ] support selectors with `matchExpression` (all operators) (#377)
- [x] add support for considering policies that capture representative peers (consider for each generated representative peer to keep a reference to the policies that capture it) (more info)
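As an added illustration of the situation the issue describes (constructed here, not taken from the issue or the project), a workload and a NetworkPolicy whose ingress rule selects peers by `namespaceSelector`; the `backend` workload, the `env: staging` namespace label and the image name are assumed:

```yaml
# Constructed example: the backend Deployment is in the input dir, but no
# workload in the input dir runs in a namespace labelled env=staging.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: backend
  namespace: default
spec:
  selector:
    matchLabels: {app: backend}
  template:
    metadata:
      labels: {app: backend}
    spec:
      containers:
      - name: backend
        image: example/backend   # placeholder image name
        ports:
        - containerPort: 8080
---
# Ingress is allowed from ANY pod in ANY namespace labelled env=staging,
# even though no such peer exists among the analyzed manifests.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-staging
  namespace: default
spec:
  podSelector:
    matchLabels: {app: backend}
  policyTypes: [Ingress]
  ingress:
  - from:
    - namespaceSelector:
        matchLabels: {env: staging}
    ports:
    - port: 8080
      protocol: TCP
```

The plain connectivity report lists no connection to `backend`, because no source in the input dir satisfies the rule, while the exposure analysis planned above (a representative peer standing for any pod in a namespace labelled `env=staging`) would report `backend` as exposed on TCP 8080 ingress from such peers.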