style: PeerMatcherAdmin using only PodPeerMatcher + minor UI changes

Author: huntergregory

cmd/cyclonus/pkg/matcher/builder.go

@@ -224,8 +224,8 @@ func BuildTargetANP(anp *v1alpha1.AdminNetworkPolicy) (*Target, *Target) {
 			v := AdminActionToVerdict(r.Action)
 			matchers := BuildPeerMatcherAdmin(r.From, r.Ports)
 			for _, m := range matchers {
-				matcherV2 := NewPeerMatcherANP(m, v, int(anp.Spec.Priority))
-				ingress.Peers = append(ingress.Peers, matcherV2)
+				matcherAdmin := NewPeerMatcherANP(m, v, int(anp.Spec.Priority))
+				ingress.Peers = append(ingress.Peers, matcherAdmin)
 			}
 		}
 	}
@@ -240,8 +240,8 @@ func BuildTargetANP(anp *v1alpha1.AdminNetworkPolicy) (*Target, *Target) {
 			v := AdminActionToVerdict(r.Action)
 			matchers := BuildPeerMatcherAdmin(r.To, r.Ports)
 			for _, m := range matchers {
-				matcherV2 := NewPeerMatcherANP(m, v, int(anp.Spec.Priority))
-				egress.Peers = append(egress.Peers, matcherV2)
+				matcherAdmin := NewPeerMatcherANP(m, v, int(anp.Spec.Priority))
+				egress.Peers = append(egress.Peers, matcherAdmin)
 			}
 		}
 	}
@@ -267,8 +267,8 @@ func BuildTargetBANP(banp *v1alpha1.BaselineAdminNetworkPolicy) (*Target, *Targe
 			v := BaselineAdminActionToVerdict(r.Action)
 			matchers := BuildPeerMatcherAdmin(r.From, r.Ports)
 			for _, m := range matchers {
-				matcherV2 := NewPeerMatcherBANP(m, v)
-				ingress.Peers = append(ingress.Peers, matcherV2)
+				matcherAdmin := NewPeerMatcherBANP(m, v)
+				ingress.Peers = append(ingress.Peers, matcherAdmin)
 			}
 		}
 	}
@@ -283,16 +283,16 @@ func BuildTargetBANP(banp *v1alpha1.BaselineAdminNetworkPolicy) (*Target, *Targe
 			v := BaselineAdminActionToVerdict(r.Action)
 			matchers := BuildPeerMatcherAdmin(r.To, r.Ports)
 			for _, m := range matchers {
-				matcherV2 := NewPeerMatcherBANP(m, v)
-				egress.Peers = append(egress.Peers, matcherV2)
+				matcherAdmin := NewPeerMatcherBANP(m, v)
+				egress.Peers = append(egress.Peers, matcherAdmin)
 			}
 		}
 	}
 
 	return ingress, egress
 }
 
-func BuildPeerMatcherAdmin(peers []v1alpha1.AdminNetworkPolicyPeer, ports *[]v1alpha1.AdminNetworkPolicyPort) []PeerMatcher {
+func BuildPeerMatcherAdmin(peers []v1alpha1.AdminNetworkPolicyPeer, ports *[]v1alpha1.AdminNetworkPolicyPort) []*PodPeerMatcher {
 	if len(peers) == 0 {
 		panic(errors.Errorf("invalid admin to/from field: must have at least one peer"))
 	}
@@ -306,7 +306,7 @@ func BuildPeerMatcherAdmin(peers []v1alpha1.AdminNetworkPolicyPeer, ports *[]v1a
 	}
 
 	// 2. build Peers
-	var peerMatchers []PeerMatcher
+	var peerMatchers []*PodPeerMatcher
 	for _, peer := range peers {
 		if (peer.Namespaces == nil && peer.Pods == nil) || (peer.Namespaces != nil && peer.Pods != nil) {
 			panic(errors.Errorf("invalid admin peer: must have exactly one of Namespaces or Pods"))

cmd/cyclonus/pkg/matcher/explain.go

@@ -63,15 +63,17 @@ func (s *SliceBuilder) TargetsTableLines(targets []*Target, isIngress bool) {
 		} else {
 			for _, peer := range slice.SortOn(func(p PeerMatcher) string { return json.MustMarshalToString(p) }, target.Peers) {
 				switch a := peer.(type) {
+				case *PeerMatcherAdmin:
+					s.PodPeerMatcherTableLines(a.PodPeerMatcher, a.effectFromMatch)
 				case *AllPeersMatcher:
 					s.Append("all pods, all ips", "all ports, all protocols")
 				case *PortsForAllPeersMatcher:
-					pps := PortMatcherTableLines(a.Port)
+					pps := PortMatcherTableLines(a.Port, NetworkPolicyV1)
 					s.Append("all pods, all ips", strings.Join(pps, "\n"))
 				case *IPPeerMatcher:
 					s.IPPeerMatcherTableLines(a)
 				case *PodPeerMatcher:
-					s.PodPeerMatcherTableLines(a)
+					s.PodPeerMatcherTableLines(a, NewV1Effect(true))
 				default:
 					panic(errors.Errorf("invalid PeerMatcher type %T", a))
 				}
@@ -82,12 +84,12 @@ func (s *SliceBuilder) TargetsTableLines(targets []*Target, isIngress bool) {
 
 func (s *SliceBuilder) IPPeerMatcherTableLines(ip *IPPeerMatcher) {
 	peer := ip.IPBlock.CIDR + "\n" + fmt.Sprintf("except %+v", ip.IPBlock.Except)
-	pps := PortMatcherTableLines(ip.Port)
+	pps := PortMatcherTableLines(ip.Port, NetworkPolicyV1)
 	s.Append(peer, strings.Join(pps, "\n"))
 }
 
-func (s *SliceBuilder) PodPeerMatcherTableLines(nsPodMatcher *PodPeerMatcher) {
-	// FIXME add action/priority column
+func (s *SliceBuilder) PodPeerMatcherTableLines(nsPodMatcher *PodPeerMatcher, e Effect) {
+	// FIXME add action/priority column using e
 	var namespaces string
 	switch ns := nsPodMatcher.Namespace.(type) {
 	case *AllNamespaceMatcher:
@@ -109,10 +111,10 @@ func (s *SliceBuilder) PodPeerMatcherTableLines(nsPodMatcher *PodPeerMatcher) {
 	default:
 		panic(errors.Errorf("invalid PodMatcher type %T", p))
 	}
-	s.Append("namespace: "+namespaces+"\n"+"pods: "+pods, strings.Join(PortMatcherTableLines(nsPodMatcher.Port), "\n"))
+	s.Append("namespace: "+namespaces+"\n"+"pods: "+pods, strings.Join(PortMatcherTableLines(nsPodMatcher.Port, e.PolicyKind), "\n"))
 }
 
-func PortMatcherTableLines(pm PortMatcher) []string {
+func PortMatcherTableLines(pm PortMatcher, kind PolicyKind) []string {
 	switch port := pm.(type) {
 	case *AllPortMatcher:
 		return []string{"all ports, all protocols"}
@@ -122,7 +124,11 @@ func PortMatcherTableLines(pm PortMatcher) []string {
 			if portProtocol.Port == nil {
 				lines = append(lines, "all ports on protocol "+string(portProtocol.Protocol))
 			} else if portProtocol.Port.StrVal != "" {
-				lines = append(lines, fmt.Sprintf("namedport '%s'", portProtocol.Port.StrVal))
+				if kind == NetworkPolicyV1 {
+					lines = append(lines, fmt.Sprintf("namedport '%s' on protocol %s", portProtocol.Port.StrVal, portProtocol.Protocol))
+				} else {
+					lines = append(lines, fmt.Sprintf("namedport '%s'", portProtocol.Port.StrVal))
+				}
 			} else {
 				lines = append(lines, fmt.Sprintf("port %d on protocol %s", portProtocol.Port.IntVal, portProtocol.Protocol))
 			}

cmd/cyclonus/pkg/matcher/peermatcher.go

@@ -19,11 +19,11 @@ These are the original PeerMatcher implementations made for v1 NetPol:
 - IPPeerMatcher
 - PodPeerMatcher
 
-Now we also have PeerMatcherV2, a wrapper for the above to model ANP and BANP,
-as well as NamespaceMatcher objects for SameLabels and NotSameLabels.
-
-All of these (except AllPeersMatcher) use a PortMatcher.
+All PeerMatcher implementations (except AllPeersMatcher) use a PortMatcher.
 If the traffic doesn't match the port matcher, then Matches() will be false.
+
+Now we also have PeerMatcherAdmin, a wrapper for PodPeerMatcher to model ANP and BANP.
+We also made NamespaceMatcher objects for SameLabels and NotSameLabels.
 */
 type PeerMatcher interface {
 	Matches(subject, peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

cmd/cyclonus/pkg/matcher/peermatcherv2.go

@@ -5,17 +5,18 @@ import (
 	"sigs.k8s.io/network-policy-api/apis/v1alpha1"
 )
 
-// PeerMatcherV2 models an ANP or BANP rule, incorporating an ANP/BANP action and an ANP priority.
-// NOTE: best approach right now is to only use PodPeerMatcher as the PeerMatcher.
-type PeerMatcherV2 struct {
-	PeerMatcher
+// PeerMatcherAdmin models an ANP or BANP rule, incorporating an ANP/BANP action and an ANP priority.
+// NOTE: we only use the PodPeerMatcher out of all the PeerMatcher imlementations.
+// This is because ANP and BANP only deal with Pod to Pod traffic, and do not deal with external IPs.
+type PeerMatcherAdmin struct {
+	*PodPeerMatcher
 	effectFromMatch Effect
 }
 
-// NewPeerMatcherANP creates a PeerMatcherV2 for an ANP rule
-func NewPeerMatcherANP(peer PeerMatcher, v Verdict, priority int) *PeerMatcherV2 {
-	return &PeerMatcherV2{
-		PeerMatcher: peer,
+// NewPeerMatcherANP creates a PeerMatcherAdmin for an ANP rule
+func NewPeerMatcherANP(peer *PodPeerMatcher, v Verdict, priority int) *PeerMatcherAdmin {
+	return &PeerMatcherAdmin{
+		PodPeerMatcher: peer,
 		effectFromMatch: Effect{
 			PolicyKind: AdminNetworkPolicy,
 			Priority:   priority,
@@ -24,10 +25,10 @@ func NewPeerMatcherANP(peer PeerMatcher, v Verdict, priority int) *PeerMatcherV2
 	}
 }
 
-// NewPeerMatcherBANP creates a new PeerMatcherV2 for a BANP rule
-func NewPeerMatcherBANP(peer PeerMatcher, v Verdict) *PeerMatcherV2 {
-	return &PeerMatcherV2{
-		PeerMatcher: peer,
+// NewPeerMatcherBANP creates a new PeerMatcherAdmin for a BANP rule
+func NewPeerMatcherBANP(peer *PodPeerMatcher, v Verdict) *PeerMatcherAdmin {
+	return &PeerMatcherAdmin{
+		PodPeerMatcher: peer,
 		effectFromMatch: Effect{
 			PolicyKind: BaselineAdminNetworkPolicy,
 			Verdict:    v,

cmd/cyclonus/pkg/matcher/policy.go

@@ -301,11 +301,11 @@ func (p *Policy) IsIngressOrEgressAllowed(traffic *Traffic, isIngress bool) Dire
 	effects := make([]Effect, 0)
 	for _, target := range matchingTargets {
 		for _, m := range target.Peers {
-			// check if m is a PeerMatcherV2
+			// check if m is a PeerMatcherAdmin
 			e := NewV1Effect(true)
-			matcherV2, ok := m.(*PeerMatcherV2)
+			matcherAdmin, ok := m.(*PeerMatcherAdmin)
 			if ok {
-				e = matcherV2.effectFromMatch
+				e = matcherAdmin.effectFromMatch
 			}
 
 			if !m.Matches(subject, peer, traffic.ResolvedPort, traffic.ResolvedPortName, traffic.Protocol) {

cmd/cyclonus/pkg/matcher/simplifier.go

@@ -15,8 +15,8 @@ func Simplify(matchers []PeerMatcher) []PeerMatcher {
 
 	result := make([]PeerMatcher, 0)
 	for _, m := range matchers {
-		if matcherV2, ok := m.(*PeerMatcherV2); ok {
-			result = append(result, matcherV2)
+		if matcherAdmin, ok := m.(*PeerMatcherAdmin); ok {
+			result = append(result, matcherAdmin)
 		}
 	}
 
@@ -28,7 +28,7 @@ func Simplify(matchers []PeerMatcher) []PeerMatcher {
 func SimplifyV1(matchers []PeerMatcher) []PeerMatcher {
 	v1Matchers := make([]PeerMatcher, 0)
 	for _, m := range matchers {
-		if _, ok := m.(*PeerMatcherV2); !ok {
+		if _, ok := m.(*PeerMatcherAdmin); !ok {
 			v1Matchers = append(v1Matchers, m)
 		}
 	}

cmd/cyclonus/pkg/matcher/target.go

@@ -172,7 +172,7 @@ func (s *SubjectAdmin) Matches(candidate *InternalPeer) bool {
 
 func (s *SubjectAdmin) TargetString() string {
 	// FIXME
-	return "FIXME: implement target string for admin network policies"
+	return "FIXME: implement target string like v1's except it supports namespace selector and (not) same labels"
 }
 
 func (s *SubjectAdmin) GetPrimaryKey() string {