connlist implementing exposure analysis

[shireenf-ibm]

issue #236

task + sub-task :

- [on base branch ] initial computing of exposure analysis - (basic exposure cases - entire class + rules with `namespaceSelector`)
   *  - [ this branch] code implementations in connlist: compute (separate) exposure-analysis results in `getConnectionsBetweenPeers` into the new returned value

the focus in this PR is to store the exposure analysis conns separately from the p2pconns; i.e implementations in connlist pkg

main file changes in connlist:

• pkg/netpol/connlist/connlist.go : *relevant to review:

  • the functions at the end of the file - splitting exposure conns and p2pconns , and storing the exposure analysis conns in a map , and the call from and getConnectionsBetweenPeers, and getConnectionsList
  • will be changed in next PRs:
    • all the returned values []ExposedPeer (in the API functions, and etc.), emptyExposedListOrNil() : will be reverted in next PR (next sub task),
    • checking if a peer is representative by comparing its name : will be enhanced in a later PR (implementing RepresentativePeer`

• pkg/netpol/connlist/exposed_peer.go: (changes are relevant to review)

• pkg/netpol/connlist/exposure_analysis.go : all the file is relevant to review, implementing the interfaces from pkg/netpol/connlist/exposed_peer.go + functionality to compute []ExposedPeer from the map computed in connlist.go

main changes under eval pkg which are relevant to review are related to the new pod flags : IngressProtected and EgressProtected (adding + handling them), + removed unused code

[shireenf-ibm]

tested changes locally by printing the []ExposedPeer result for debug , got expected results

[adisos]

tested changes locally by printing the []ExposedPeer result for debug , got expected results

can you add here few examples for those printed results?

[shireenf-ibm]

tested changes locally by printing the []ExposedPeer result for debug , got expected results

can you add here few examples for those printed results? 1. allow-all-test : we have one workload and an ingress + egress netpol that allowe all :

(the &{true map[]} is for all connections , i simply printed %v for the variable containing AllowedConnectivity interface value)

2. test : minimal_test_with_unmatched_ns : two peers:

   • one is not protected by netpols at all
   • and one peer is protected on ingress only, with potential namespaces having a selector "foo"

3. same test as in (2.), but added to the ingress netpol following rule

   - from:
   - namespaceSelector: {}
   ports:
   - port: 8050
     protocol: TCP

so we have the any-namespace and the namespace with foo selector enabled on same TCP connection we should only see that it is exposed to entire ns on that connection (since the ns with selector included in it)