Livesim - Add missing elements while analyzing in the left - issue #262 (#393)

Signed-off-by: adisos <[email protected]>

Author: shmfr

README.md

@@ -100,6 +100,11 @@ The arguments to `--resource_list` and to `--base_resource_list` should be one o
 
 For more information on command-line switches combinations, see [Common Query Patterns](docs/CommonQueryPatterns.md#cmdline-queries)
 
+##### Simulating live cluster missing resources:
+- There are several key elements that may be assumed to exist in the live cluster and be missing form the topology configurations in the repo.
+In those case, nca will add complementary configurations to make the topology and the connectivity whole. 
+- Fine-tuning instructions can be found [here](docs/SimulatingLiveClusterMissingResources.md)
+
 #### Exit Code Meaning:
 The exit value of running a command-line without a scheme is the combination of three factors:
 1. The result of running the query (0/1) as specified [here](docs/CmdLineQueriesResults.md)

docs/CommonQueryPatterns.md

@@ -58,4 +58,3 @@ otherwise, an empty peer container is created
   - otherwise, global namespaces will be used if existed else cluster has empty namespaces container
 - If any specific key is specified it will override the relevant contents in resourceList
 
-

docs/SimulatingLiveClusterMissingResources.md

@@ -0,0 +1,10 @@
+## Simulating live cluster missing resources:
+- There are several key elements that may be assumed to exist in the live cluster and be missing form the topology configurations in the repo.
+At those case, nca will add complementary configurations to make the topology and the connectivity whole. 
+- Fine-tune of the configurations can be made in dedicated yaml files.
+
+| Missing Element        | Element name when added to the topology                                       |
+|------------------------|-------------------------------------------------------------------------------|
+| kube-dns               | [kube-dns-livesim](../nca/NetworkConfig/LiveSim/dns)                          |
+| ingress controller     | [ingress-controller-livesim](../nca/NetworkConfig/LiveSim/ingress_controller) |
+| Istio ingress gateway  | [istio-ingressgateway-livesim](../nca/NetworkConfig/LiveSim/istio_gateway)    |

nca/FWRules/ConnectivityGraph.py

@@ -62,6 +62,35 @@ def _get_peer_name(self, peer):
             return peer.workload_name, False
         return str(peer), False
 
+    @staticmethod
+    def _is_peer_livesim(peer):
+        """
+        check if peer name indicates that this is a peer related to "livesim": resources added
+        during parsing, since they are required for the analysis but were missing from the input config
+
+        current convention is that such peers suffix is "-livesim"
+
+        :param Peer peer: the peer object
+        :rtype bool
+        """
+        livesim_peer_name_suffix = "-livesim"
+        return peer.full_name().endswith(livesim_peer_name_suffix)
+
+    @staticmethod
+    def _get_peer_color(is_livesim, is_ip_block):
+        """
+        determine peer color for connectivity graph
+        :param is_livesim: is peer added from "livesim" (missing resource at input config)
+        :param is_ip_block:  is peer of type ip-block
+        :return: str of the peer color in the dot format
+        :rtype str
+        """
+        if is_livesim:
+            return "coral4"
+        elif is_ip_block:
+            return "red2"
+        return "blue"
+
     def get_connectivity_dot_format_str(self, connectivity_restriction=None):
         """
         :param Union[str,None] connectivity_restriction: specify if connectivity is restricted to
@@ -79,7 +108,7 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None):
         peer_lines = set()
         for peer in self.cluster_info.all_peers:
             peer_name, is_ip_block = self._get_peer_name(peer)
-            peer_color = "red2" if is_ip_block else "blue"
+            peer_color = self._get_peer_color(self._is_peer_livesim(peer), is_ip_block)
             peer_lines.add(f'\t\"{peer_name}\" [label=\"{peer_name}\" color=\"{peer_color}\" fontcolor=\"{peer_color}\"]\n')
 
         edge_lines = set()

nca/NetworkConfig/LiveSim/dns/dns_pods.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  labels:
+    name: kube-system
+    kubernetes.io/metadata.name: kube-system
+---
+apiVersion: apps/v1
+kind: Pod
+metadata:
+  name: kube-dns-livesim
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    projectcalico.org/namespace: kube-system
+spec:
+  containers:
+    - name: nginx
+      image: kube-dns
+---

nca/NetworkConfig/LiveSim/ingress_controller/ingress_controller.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ingress-controller-ns
+  labels:
+    name: ingress-controller-ns
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingress-nginx
+  namespace: ingress-controller-ns
+spec:
+  selector:
+    app: ingress-nginx
+  ports:
+  - port: 5678
+---
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ingress-controller-livesim
+  namespace: ingress-controller-ns
+  labels:
+    app: ingress-nginx
+spec:
+  containers:
+  - name: ingress-nginx
+    image: ingress-nginx:1.2.3
+---

nca/NetworkConfig/LiveSim/istio_gateway/istio_custom_gateway.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: custom-ingressgateway-livesim
+  namespace: custom-gateways
+  labels:
+    istio: custom-ingressgateway
+spec:
+  serviceAccountName: custom-ingressgateway-livesim
+  containers:
+  - name: istio-proxy
+    image: auto
+---

nca/NetworkConfig/LiveSim/istio_gateway/istio_gateway.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: istio-ingressgateway-livesim
+  namespace: istio-ingressgateway-ns
+  labels:
+    app: istio-ingressgateway
+    istio: ingressgateway
+spec:
+  serviceAccountName: istio-ingressgateway
+  containers:
+  - name: istio-proxy
+    image: auto
+---

nca/NetworkConfig/PoliciesFinder.py

@@ -25,6 +25,11 @@ def __init__(self):
         self.policies_container = PoliciesContainer()
         self._parse_queue = deque()
         self.peer_container = None
+        # following missing resources fields are relevant for "livesim" mode,
+        # where certain resources are added to enable the analysis
+        self.missing_istio_gw_pods_with_labels = {}
+        self.missing_k8s_ingress_peers = False
+        self.missing_dns_pods_with_labels = {}
 
     def set_peer_container(self, peer_container):
         """
@@ -70,6 +75,8 @@ def parse_policies_in_parse_queue(self):
             elif policy_type == NetworkPolicy.PolicyType.K8sNetworkPolicy:
                 parsed_element = K8sPolicyYamlParser(policy, self.peer_container, file_name)
                 self._add_policy(parsed_element.parse_policy())
+                # add info about missing resources
+                self.missing_dns_pods_with_labels.update(parsed_element.missing_pods_with_labels)
             elif policy_type == NetworkPolicy.PolicyType.IstioAuthorizationPolicy:
                 parsed_element = IstioPolicyYamlParser(policy, self.peer_container, file_name)
                 self._add_policy(parsed_element.parse_policy())
@@ -79,10 +86,14 @@ def parse_policies_in_parse_queue(self):
             elif policy_type == NetworkPolicy.PolicyType.Ingress:
                 parsed_element = IngressPolicyYamlParser(policy, self.peer_container, file_name)
                 self._add_policy(parsed_element.parse_policy())
+                # add info about missing resources
+                self.missing_k8s_ingress_peers |= parsed_element.missing_k8s_ingress_peers
             elif policy_type == NetworkPolicy.PolicyType.Gateway:
                 if not istio_traffic_parser:
                     istio_traffic_parser = IstioTrafficResourcesYamlParser(self.peer_container)
                 istio_traffic_parser.parse_gateway(policy, file_name)
+                # add info about missing resources
+                self.missing_istio_gw_pods_with_labels.update(istio_traffic_parser.missing_istio_gw_pods_with_labels)
             elif policy_type == NetworkPolicy.PolicyType.VirtualService:
                 if not istio_traffic_parser:
                     istio_traffic_parser = IstioTrafficResourcesYamlParser(self.peer_container)