handle load balancer - Githubissues

np-guard / vpc-network-config-analyzer

A tool for analyzing the configured network connectivity of VPCs as specified by various VPC resources

Apache License 2.0

6 stars 0 forks source link

handle load balancer #469

Open haim-kermany opened 3 months ago

haim-kermany commented 3 months ago

from the parser to the output

haim-kermany commented 2 months ago

[x] check non trivial SG example (add test)
[x] issue #581
[x] support non abstraction mode - add as debug output , with PiP level display differently the private IPs -- those that are original vs the added ones. consider a separate issue to migrate "debug output format" to "debug switch"
[x] validity of current connectivity report: if the abstraction is inaccurate, at least add ** by the relevant connection, with details/warning that this connectivity depends on the sunets of the private IPs for this LB.
[ ] issue #560
[ ] format and report linting messages (see #478)
[ ] support explainability
[ ] support multi explainability

~~handle rules policies (not in scope yet)~~

adisos commented 1 month ago

user -> ip
ip -> backend

in both segments, check if connectivity is separated by one of the PIPs , if yes - at least mark with **

** this connectivity does not cover all endpoints (more details in linting )

add debug mode with private IPs in the connectivity report

haim-kermany commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

adisos commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

can you provide more details? are those non-trivial SG? why is it difficult to see their impact on connectivity results with current LB abstraction?

haim-kermany commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

can you provide more details? are those non-trivial SG? why is it difficult to see their impact on connectivity results with current LB abstraction?

the SGs are applied on the pips. and the LB abstraction remove the pips and their connectivity, so it is hard to see the impact of the SGs on the connectivity

adisos commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

can you provide more details? are those non-trivial SG? why is it difficult to see their impact on connectivity results with current LB abstraction?

the SGs are applied on the pips. and the LB abstraction remove the pips and their connectivity, so it is hard to see the impact of the SGs on the connectivity

but it should have impact on the connectivity of the LB itself..

haim-kermany commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

can you provide more details? are those non-trivial SG? why is it difficult to see their impact on connectivity results with current LB abstraction?

the SGs are applied on the pips. and the LB abstraction remove the pips and their connectivity, so it is hard to see the impact of the SGs on the connectivity

but it should have impact on the connectivity of the LB itself..

it should, but not all the time, and it is hard to investigate it without seeing the pip connectivity report

adisos commented 1 month ago

check non trivial SG example (add test) - both iks_workers_large and iks_config_obj has SG on LB. after implementing non abstraction mode, it will be easier to review

can you provide more details? are those non-trivial SG? why is it difficult to see their impact on connectivity results with current LB abstraction?

the SGs are applied on the pips. and the LB abstraction remove the pips and their connectivity, so it is hard to see the impact of the SGs on the connectivity

but it should have impact on the connectivity of the LB itself..

it should, but not all the time, and it is hard to investigate it without seeing the pip connectivity report

not all the time -- because the connectivity is not consistent for all pips? I think we should have a basic example where it is consistent for all pips, and reflected clearly in the report for the abstracted LB connectivity.

haim-kermany commented 1 month ago

lets take it online

haim-kermany commented 1 month ago

iks_config_object has a SG that reflect the LB connectivity I added a test to the branch "non-lb-abstraction-mode". there was already a test for abstract mode