Azure · rayaisaiah · Feb 27, 2025 · Jan 28, 2025 · Feb 3, 2025 · Feb 3, 2025
diff --git a/tools/azure-npm-to-cilium-validator.go b/tools/azure-npm-to-cilium-validator.go
@@ -0,0 +1,397 @@
+package main
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	"log"
+	"strings"
+
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/api/core/v1"
+	networkingv1 "k8s.io/api/networking/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/clientcmd"
+)
+
+// Use this tool to validate if your cluster is ready to migrate from Azure Network Policy Manager (NPM) to Cilium.
+// go run azure-npm-to-cilium-validator.go --kubeconfig ~/.kube/config
+
+func main() {
+	// Parse the kubeconfig flag
+	kubeconfig := flag.String("kubeconfig", "~/.kube/config", "absolute path to the kubeconfig file")
+	flag.Parse()
+
+	// Build the Kubernetes client config
+	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
+	if err != nil {
+		log.Fatalf("Error building kubeconfig: %v", err)
+	}
+
+	// Create a Kubernetes client
+	clientset, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.Fatalf("Error creating Kubernetes client: %v", err)
+	}
+
+	// Get namespaces
+	namespaces, err := clientset.CoreV1().Namespaces().List(context.TODO(), metav1.ListOptions{})
+	if err != nil {
+		log.Fatalf("Error getting namespaces: %v\n", err)
+	}
+
+	// Store network policies and services in maps
+	policiesByNamespace := make(map[string][]networkingv1.NetworkPolicy)
+	servicesByNamespace := make(map[string][]corev1.Service)
+
+	// Iterate over namespaces and store policies/services
+	for _, ns := range namespaces.Items {
+		fmt.Printf("Writing policies and services for namespace %s...\n", ns.Name)
+
+		// Get network policies
+		networkPolicies, err := clientset.NetworkingV1().NetworkPolicies(ns.Name).List(context.TODO(), metav1.ListOptions{})
+		if err != nil {
+			fmt.Printf("Error getting network policies in namespace %s: %v\n", ns.Name, err)
+			continue
+		}
+		policiesByNamespace[ns.Name] = networkPolicies.Items
+
+		// Get services
+		services, err := clientset.CoreV1().Services(ns.Name).List(context.TODO(), metav1.ListOptions{})
+		if err != nil {
+			fmt.Printf("Error getting services in namespace %s: %v\n", ns.Name, err)
+			continue
+		}
+		servicesByNamespace[ns.Name] = services.Items
+	}
+
+	fmt.Println("Migration Summary:")
+	fmt.Println("+------------------------------+-------------------------------+")
+	fmt.Printf("%-30s | %-30s \n", "Breaking Change", "No Impact / Safe to Migrate")
+	fmt.Println("+------------------------------+-------------------------------+")
+
+	// Check the endports of the network policies
+	foundEnportNetworkPolicy := checkEndportNetworkPolicies(policiesByNamespace)
+
+	fmt.Println("+------------------------------+-------------------------------+")
+
+	// Check the cidr of the network policies
+	foundCIDRNetworkPolicy := checkCIDRNetworkPolicies(policiesByNamespace)
+
+	fmt.Println("+------------------------------+-------------------------------+")
+
+	// Check the egress of the network policies
+	foundEgressPolicy := checkForEgressPolicies(policiesByNamespace)
+
+	fmt.Println("+------------------------------+-------------------------------+")
+
+	// Check services that have externalTrafficPolicy!=Local
+	foundServiceDispruption := checkExternalTrafficPolicyServices(namespaces, servicesByNamespace, policiesByNamespace)
+
+	fmt.Println("+------------------------------+-------------------------------+")
+	if foundEnportNetworkPolicy || foundCIDRNetworkPolicy || foundEgressPolicy || foundServiceDispruption {
+		fmt.Println("\033[31m✘ Review above issues before migration.\033[0m")
+		fmt.Println("Please see \033[32maka.ms/azurenpmtocilium\033[0m for instructions on how to evaluate/assess the above warnings marked by ❌.")
+		fmt.Println("NOTE: rerun this script if any modifications (create/update/delete) are made to services or policies.")
+	} else {
+		fmt.Println("\033[32m✔ Safe to migrate this cluster.\033[0m")
+		fmt.Println("For more details please see \033[32maka.ms/azurenpmtocilium\033[0m.")
+	}
+}
+
+func checkEndportNetworkPolicies(policiesByNamespace map[string][]networkingv1.NetworkPolicy) bool {
+	networkPolicyWithEndport := false
+	for namespace, policies := range policiesByNamespace {
+		for _, policy := range policies {
+			foundEndPort := false
+			for _, egress := range policy.Spec.Egress {
+				for _, port := range egress.Ports {
+					if port.EndPort != nil {
+						foundEndPort = true
+						if !networkPolicyWithEndport {
+							fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with endPort", "❌")
+							fmt.Println("Policies affected:")
+							networkPolicyWithEndport = true
+						}
+						fmt.Printf("❌ Found NetworkPolicy: \033[31m%s\033[0m with endPort field in namespace: \033[31m%s\033[0m\n", policy.Name, namespace)
+						// Exit egress.port loop
+						break
+					}
+				}
+				if foundEndPort {
+					// Exit egress loop
+					break
+				}
+			}
+		}
+	}
+	// Print no impact if no network policy has endport
+	if !networkPolicyWithEndport {
+		fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with endPort", "✅")
+		return false
+	}
+	return true
+}
+
+func checkCIDRNetworkPolicies(policiesByNamespace map[string][]networkingv1.NetworkPolicy) bool {
+	networkPolicyWithCIDR := false
+	for namespace, policies := range policiesByNamespace {
+		for _, policy := range policies {
+			foundCIDRIngress := false
+			foundCIDREgress := false
+			// Check the ingress field for cidr
+			for _, ingress := range policy.Spec.Ingress {
+				for _, from := range ingress.From {
+					if from.IPBlock != nil {
+						if from.IPBlock.CIDR != "" {
+							foundCIDRIngress = true
+							// Print the network policy if it has an ingress cidr
+							if !networkPolicyWithCIDR {
+								fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with cidr", "❌")
+								fmt.Println("Policies affected:")
+								networkPolicyWithCIDR = true
+							}
+							fmt.Printf("❌ Found NetworkPolicy: \033[31m%s\033[0m with ingress cidr field in namespace: \033[31m%s\033[0m\n", policy.Name, namespace)
+
+							// Exit ingress.from.ipBlock loop
+							break
+						}
+					}
+				}
+				if foundCIDRIngress {
+					// Exit ingress loop
+					break
+				}
+			}
+			// Check the egress field for cidr
+			for _, egress := range policy.Spec.Egress {
+				for _, to := range egress.To {
+					if to.IPBlock != nil {
+						if to.IPBlock.CIDR != "" {
+							foundCIDREgress = true
+							// Print the network policy if it has an egress cidr
+							if !networkPolicyWithCIDR {
+								fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with cidr", "❌")
+								fmt.Println("Policies affected:")
+								networkPolicyWithCIDR = true
+							}
+							fmt.Printf("❌ Found NetworkPolicy: \033[31m%s\033[0m with egress cidr field in namespace: \033[31m%s\033[0m\n", policy.Name, namespace)
+
+							// Exit egress.to.ipBlock loop
+							break
+						}
+					}
+				}
+				if foundCIDREgress {
+					// Exit egress loop
+					break
+				}
+			}
+		}
+	}
+	// Print no impact if no network policy has cidr
+	if !networkPolicyWithCIDR {
+		fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with cidr", "✅")
+		return false
+	}
+	return true
+}
+
+func checkForEgressPolicies(policiesByNamespace map[string][]networkingv1.NetworkPolicy) bool {
+	networkPolicyWithEgress := false
+	for namespace, policies := range policiesByNamespace {
+		for _, policy := range policies {
+			for _, egress := range policy.Spec.Egress {
+				// If the policy has a egress field thats not an egress allow all flag it
+				if len(egress.To) > 0 || len(egress.Ports) > 0 {
+					if !networkPolicyWithEgress {
+						fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with egress", "❌")
+						fmt.Printf("%-30s | %-30s \n", "(Not allow all egress)", "")
+						fmt.Println("Policies affected:")
+						networkPolicyWithEgress = true
+					}
+					fmt.Printf("❌ Found NetworkPolicy: \033[31m%s\033[0m with egress field (non-allow all) in namespace: \033[31m%s\033[0m\n", policy.Name, namespace)
+
+					// Exit egress loop
+					break
+				}
+			}
+		}
+	}
+	if !networkPolicyWithEgress {
+		fmt.Printf("%-30s | %-30s \n", "NetworkPolicy with egress", "✅")
+		return false
+	}
+	return true
+}
+
+func checkExternalTrafficPolicyServices(namespaces *corev1.NamespaceList, servicesByNamespace map[string][]corev1.Service, policiesByNamespace map[string][]networkingv1.NetworkPolicy) bool {
+	var servicesAtRisk, noSelectorServices, safeServices []string
+
+	for _, namespace := range namespaces.Items {
+		// Check if are there ingress policies in the namespace if not skip
+		if !hasIngressPolicies(policiesByNamespace[namespace.Name]) {
+			continue
+		}
+		serviceListAtNamespace := servicesByNamespace[namespace.Name]
+
+		// Check if are there services with externalTrafficPolicy=Cluster (applicable if Type=NodePort or Type=LoadBalancer)
+		for _, service := range serviceListAtNamespace {
+			if service.Spec.Type == v1.ServiceTypeLoadBalancer || service.Spec.Type == v1.ServiceTypeNodePort {
+				servicePorts := []string{}
+				// get the Port and Protocol of the service
+				for _, port := range service.Spec.Ports {
+					servicePorts = append(servicePorts, fmt.Sprintf("%d/%s", port.Port, port.Protocol))
+				}
+				externalTrafficPolicy := service.Spec.ExternalTrafficPolicy
+				// If the service has externalTrafficPolicy is set to "Cluster" add it to the servicesAtRisk list (ExternalTrafficPolicy: "" defaults to Cluster)
+				if externalTrafficPolicy != v1.ServiceExternalTrafficPolicyTypeLocal {
+					// Any service with externalTrafficPolicy=Cluster is at risk so need to elimate any services that are incorrectly flagged
+					servicesAtRisk = append(servicesAtRisk, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
+					// If the service has no selector add it to the noSelectorServices list
+					if service.Spec.Selector == nil {
+						noSelectorServices = append(noSelectorServices, fmt.Sprintf("%s/%s", namespace.Name, service.Name))
+					} else {
+						// Check if are there services with selector that match the network policy
+						safeServices = checkServiceRisk(service, namespace.Name, servicePorts, policiesByNamespace[namespace.Name], safeServices)
+					}
+				}
+			}
+		}
+	}
+
+	// Get the services that are at risk but not in the safe services or no selector services lists
+	unsafeServices := difference(servicesAtRisk, safeServices, noSelectorServices)
+
+	// If there is no unsafe services then migration is safe for services with extranalTrafficPolicy=Cluster
+	if len(unsafeServices) == 0 {
+		fmt.Printf("%-30s | %-30s \n", "Disruption for some", "✅")
+		fmt.Printf("%-30s | %-30s \n", "Services with", "")
+		fmt.Printf("%-30s | %-30s \n", "externalTrafficPolicy=Cluster", "")
+		return false
+	} else {
+		fmt.Printf("%-30s | %-30s \n", "Disruption for some", "❌")
+		fmt.Printf("%-30s | %-30s \n", "Services with", "")
+		fmt.Printf("%-30s | %-30s \n", "externalTrafficPolicy=Cluster", "")
+		fmt.Println("Services affected:")
+		// If there are any no selector services or unsafe services then print them as they could be impacted by migration
+		if len(noSelectorServices) > 0 {
+			for _, service := range noSelectorServices {
+				serviceName := strings.Split(service, "/")[1]
+				serviceNamespace := strings.Split(service, "/")[0]
+				fmt.Printf("❌ Found Service: \033[31m%s\033[0m without selectors in namespace: \033[31m%s\033[0m\n", serviceName, serviceNamespace)
+			}
+		}
+		if len(unsafeServices) > 0 {
+			for _, service := range unsafeServices {
+				serviceName := strings.Split(service, "/")[1]
+				serviceNamespace := strings.Split(service, "/")[0]
+				fmt.Printf("❌ Found Service: \033[31m%s\033[0m with selectors in namespace: \033[31m%s\033[0m\n", serviceName, serviceNamespace)
+			}
+		}
+		fmt.Println("Manual investigation is required to evaluate if ingress is allowed to the service's backend Pods.")
+		fmt.Println("Please evaluate if these services would be impacted by migration.")
+		return true
+	}
+
+}
+
+func hasIngressPolicies(policies []networkingv1.NetworkPolicy) bool {
+	// Check if any policy is ingress
+	for _, policy := range policies {
+		for _, ingress := range policy.Spec.Ingress {
+			if len(ingress.From) > 0 {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+func checkServiceRisk(service v1.Service, namespace string, servicePorts []string, policiesListAtNamespace []networkingv1.NetworkPolicy, safeServices []string) []string {
+	for _, policy := range policiesListAtNamespace {
+		for _, ingress := range policy.Spec.Ingress {
+			// Check if there is an allow all ingress policy that matches labels the service is safe
+			if len(ingress.From) == 0 && len(ingress.Ports) == 0 {
+				// Check if there is an allow all ingress policy with empty selectors return true as the policy allows all services in the namespace
+				if len(policy.Spec.PodSelector.MatchLabels) == 0 {
+					fmt.Printf("found an allow all ingress policy: %s with empty selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
+					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
+					return safeServices
+				}
+				// Check if there is an allow all ingress policy that matches the service labels
+				if checkPolicyMatchServiceLabels(service.Spec.Selector, policy.Spec.PodSelector.MatchLabels) {
+					fmt.Printf("found an allow all ingress policy: %s with matching selectors so service %s in the namespace %s is safe\n", policy.Name, service.Name, namespace)
+					safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
+					return safeServices
+				}
+			}
+			// Check if all the labels in
+			// // If there are no ingress from but there are ports in the policy; check if the service is safe
+			// if len(ingress.From) == 0 && len(ingress.Ports) > 0 {
+			// 	if matchAllServiceSelector(&metav1.LabelSelector{MatchLabels: service.Spec.Selector}, &policy.Spec.PodSelector) {
+			// 		matchingPorts := []string{}
+			// 		for _, port := range ingress.Ports {
+			// 			matchingPorts = append(matchingPorts, fmt.Sprintf("%d/%s", port.Port.IntVal, string(*port.Protocol)))
+			// 		}
+			// 		for _, sevicePort := range servicePorts {
+			// 			if contains(matchingPorts, sevicePort) {
+			// 				safeServices = append(safeServices, fmt.Sprintf("%s/%s", namespace, service.Name))
+			// 				return
+			// 			}
+			// 		}
+			// 	}
+			// }
+		}
+	}
+	return safeServices
+}
+
+func checkPolicyMatchServiceLabels(serviceLabels, policyLabels map[string]string) bool {
+	// Return false if the policy has more labels than the service
+	if len(policyLabels) > len(serviceLabels) {
+		return false
+	}
+
+	// Check for each policy label that that label is present in the service labels
+	for policyKey, policyValue := range policyLabels {
+		matchedPolicyLabelToServiceLabel := false
+		for serviceKey, serviceValue := range serviceLabels {
+			if policyKey == serviceKey && policyValue == serviceValue {
+				matchedPolicyLabelToServiceLabel = true
+				break
+			}
+		}
+		if !matchedPolicyLabelToServiceLabel {
+			return false
+		}
+	}
+	return true
+}
+
+func contains(slice []string, item string) bool {
+	for _, s := range slice {
+		if s == item {
+			return true
+		}
+	}
+	return false
+}
+
+func difference(slice1, slice2, slice3 []string) []string {
+	m := make(map[string]bool)
+	for _, s := range slice2 {
+		m[s] = true
+	}
+	for _, s := range slice3 {
+		m[s] = true
+	}
+	var diff []string
+	for _, s := range slice1 {
+		if !m[s] {
+			diff = append(diff, s)
+		}
+	}
+	return diff
+}