feat(Netpol Assistant): data structures simulating connectivity matrix for ANP/BANP

Author: huntergregory

cmd/cyclonus/README.md

@@ -1,51 +1,16 @@
-# Cyclonus
+# NetworkPolicy Assistant (derived from Cyclonus)
 
-## Network policy explainer, prober, and test case generator
+Explains your configuration of (Baseline)AdminNetworkPolicy and v1 NetworkPolicy. Additionally, can test conformance of (B)ANP and v1 NetworkPolicy via a connectivity matrix. Derived from the great work of @mattfenwick et al. in [Cyclonus](https://github.com/mattfenwick/cyclonus).
 
-Parse, explain, and probe network policies to understand their implications and help design
-policies that suit your needs!
+More details here: [Cyclonus](https://github.com/mattfenwick/cyclonus).
 
-## Quickstart
+## Usage
 
-Users: check out our [Quickstart guide](./docs/quickstart.md)
+CLI currently under development. Will build off of `cyclonus analyze` (visualization) and `cyclonus generate` (conformance tests).
 
-Developers: check out our [Developer guide](./docs/developer-guide.md)
+## Development
 
-Cyclonus functionality:
+Integration tests located at *test/integration/integration_test.go*. The tests verify:
 
- - [run a single network policy test on a cluster](./docs/probe.md)
- - [run network policy conformance tests on a cluster](./docs/generator.md)
- - [understand test runs](./docs/test-runs.md)
- - [analyze network policies](./docs/analyze.md)
-
-
-## Integrations
-
-Cyclonus is available as a [**krew/kubectl plugin**](https://github.com/mattfenwick/kubectl-cyclonus):
-
- - [Set up krew](https://krew.sigs.k8s.io/docs/user-guide/quickstart/)
- - install: `kubectl krew install cyclonus`
- - use: `kubectl cyclonus -h`
-
-**Antrea testing**: [Cyclonus runs network policy tests for Antrea on a daily basis](https://github.com/vmware-tanzu/antrea/actions/workflows/netpol_cyclonus.yml).
-
-**Cilium testing**: [Cyclonus runs network policy tests for Cilium on a daily basis](https://github.com/cilium/cilium/pull/14889).
-
-**Sonobuoy plugin**: [run Cyclonus tests through Sonobuoy](./hack/sonobuoy).
-
-
-## Motivation and History
-
-Testing network policies for CNI providers on Kubernetes has historically been very difficult, requiring a lot of boiler plate.
-This was recently improved upstream via truth table based tests 
-([see KEP](https://github.com/kubernetes/enhancements/tree/master/keps/sig-network/1611-network-policy-validation)).
-Cyclonus is the next evolution of the truth table tests which are part of upstream Kubernetes.
-Cyclonus generates hundreds of network policies, their connectivity tables, and outputs results in the same, easy to read format.
-
-## Thanks to contributors
-
- - @dougsland
- - @jayunit100
- - @johnSchnake
- - @enhaocui
- - @matmerr
+1. Building/translating NetPol spec into interim data structures (matchers).
+2. Simulation of expected connectivity for ANP, BANP, and v1 NetPols.

cmd/cyclonus/go.mod

@@ -12,10 +12,12 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/cobra v1.7.0
+	github.com/stretchr/testify v1.8.2
 	golang.org/x/exp v0.0.0-20220706164943-b4a6d9510983
 	k8s.io/api v0.28.1
 	k8s.io/apimachinery v0.28.1
 	k8s.io/client-go v0.28.1
+	sigs.k8s.io/network-policy-api v0.1.1
 	sigs.k8s.io/yaml v1.3.0
 )
 
@@ -44,6 +46,7 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	golang.org/x/net v0.14.0 // indirect
 	golang.org/x/oauth2 v0.8.0 // indirect

cmd/cyclonus/go.sum

@@ -193,6 +193,8 @@ k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrC
 k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
+sigs.k8s.io/network-policy-api v0.1.1 h1:KDW+AkvCCQI3h8yH8j0hurhvPLNtLeVvmZoqtMaG9ew=
+sigs.k8s.io/network-policy-api v0.1.1/go.mod h1:F7S5fsb7QEzlLjuMgTGfUT4LRHylRbx2xDDpHfJKKEs=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=

cmd/cyclonus/pkg/cli/analyze.go

@@ -5,10 +5,8 @@ import (
 	"strings"
 
 	"github.com/mattfenwick/collections/pkg/json"
-	"github.com/mattfenwick/collections/pkg/set"
 	"github.com/mattfenwick/cyclonus/pkg/connectivity/probe"
 	"github.com/mattfenwick/cyclonus/pkg/generator"
-	"github.com/mattfenwick/cyclonus/pkg/linter"
 
 	"github.com/mattfenwick/cyclonus/pkg/kube"
 	"github.com/mattfenwick/cyclonus/pkg/kube/netpol"
@@ -25,7 +23,6 @@ import (
 const (
 	ParseMode        = "parse"
 	ExplainMode      = "explain"
-	LintMode         = "lint"
 	QueryTrafficMode = "query-traffic"
 	QueryTargetMode  = "query-target"
 	ProbeMode        = "probe"
@@ -34,7 +31,6 @@ const (
 var AllModes = []string{
 	ParseMode,
 	ExplainMode,
-	LintMode,
 	QueryTrafficMode,
 	QueryTargetMode,
 	ProbeMode,
@@ -135,9 +131,6 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
 		case ExplainMode:
 			fmt.Println("explained policies:")
 			ExplainPolicies(policies)
-		case LintMode:
-			fmt.Println("policy lint:")
-			Lint(kubePolicies)
 		case QueryTargetMode:
 			pods := make([]*QueryTargetPod, len(kubePods))
 			for i, p := range kubePods {
@@ -168,11 +161,6 @@ func ExplainPolicies(explainedPolicies *matcher.Policy) {
 	fmt.Printf("%s\n", explainedPolicies.ExplainTable())
 }
 
-func Lint(kubePolicies []*networkingv1.NetworkPolicy) {
-	warnings := linter.Lint(kubePolicies, set.FromSlice[linter.Check](nil))
-	fmt.Println(linter.WarningsTable(warnings))
-}
-
 // QueryTargetPod matches targets; targets exist in only a single namespace and can't be matched by namespace
 //
 //	label, therefore we match by exact namespace and by pod labels.
@@ -199,10 +187,14 @@ func QueryTargets(explainedPolicies *matcher.Policy, podPath string, pods []*Que
 }
 
 func QueryTargetHelper(policies *matcher.Policy, pod *QueryTargetPod) (*matcher.Policy, *matcher.Policy) {
-	ingressTargets := policies.TargetsApplyingToPod(true, pod.Namespace, pod.Labels)
+	podInfo := &matcher.InternalPeer{
+		Namespace: pod.Namespace,
+		PodLabels: pod.Labels,
+	}
+	ingressTargets := policies.TargetsApplyingToPod(true, podInfo)
 	combinedIngressTarget := matcher.CombineTargetsIgnoringPrimaryKey(pod.Namespace, metav1.LabelSelector{MatchLabels: pod.Labels}, ingressTargets)
 
-	egressTargets := policies.TargetsApplyingToPod(false, pod.Namespace, pod.Labels)
+	egressTargets := policies.TargetsApplyingToPod(false, podInfo)
 	combinedEgressTarget := matcher.CombineTargetsIgnoringPrimaryKey(pod.Namespace, metav1.LabelSelector{MatchLabels: pod.Labels}, egressTargets)
 
 	var combinedIngresses []*matcher.Target

cmd/cyclonus/pkg/connectivity/probe/resources.go

@@ -16,6 +16,8 @@ type Resources struct {
 	Namespaces map[string]map[string]string
 	Pods       []*Pod
 	//ExternalIPs []string
+	ports     []int
+	protocols []v1.Protocol
 }
 
 func NewDefaultResources(kubernetes kube.IKubernetes, namespaces []string, podNames []string, ports []int, protocols []v1.Protocol, externalIPs []string, podCreationTimeoutSeconds int, batchJobs bool, imageRegistry string) (*Resources, error) {
@@ -24,6 +26,8 @@ func NewDefaultResources(kubernetes kube.IKubernetes, namespaces []string, podNa
 	r := &Resources{
 		Namespaces: map[string]map[string]string{},
 		//ExternalIPs: externalIPs,
+		ports:     ports,
+		protocols: protocols,
 	}
 
 	for _, ns := range namespaces {

cmd/cyclonus/pkg/connectivity/probe/table.go

@@ -1,11 +1,14 @@
 package probe
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/mattfenwick/collections/pkg/slice"
 	"github.com/mattfenwick/cyclonus/pkg/utils"
 	"github.com/pkg/errors"
 	"golang.org/x/exp/maps"
-	"strings"
+	v1 "k8s.io/api/core/v1"
 )
 
 type Item struct {
@@ -26,6 +29,73 @@ type Table struct {
 	Wrapped *TruthTable
 }
 
+func NewTableWithDefaultConnectivity(r *Resources, ingress, egress Connectivity) *Table {
+	return &Table{Wrapped: NewTruthTableFromItems(r.SortedPodNames(), func(fr, to string) interface{} {
+		results := make(map[string]*JobResult, len(r.ports)*len(r.protocols))
+		for _, proto := range r.protocols {
+			for _, port := range r.ports {
+				jr := &JobResult{
+					Job: &Job{
+						FromKey:          fr,
+						ToKey:            to,
+						ResolvedPort:     port,
+						ResolvedPortName: "",
+						Protocol:         proto,
+						TimeoutSeconds:   3,
+					},
+					Ingress: &ingress,
+					Egress:  &egress,
+				}
+
+				setCombined(jr)
+
+				k := fmt.Sprintf("%s/%d", proto, port)
+				results[k] = jr
+			}
+		}
+
+		return &Item{
+			From:       fr,
+			To:         to,
+			JobResults: results,
+		}
+	})}
+}
+
+// SetEgress should be used to set connectivity for tables with connectivity already specified via NewTableWithDefaultConnectivity()
+func (t *Table) SetEgress(egress Connectivity, from, to string, port int, proto v1.Protocol) {
+	portProto := fmt.Sprintf("%s/%d", proto, port)
+	jr, ok := t.Get(from, to).JobResults[portProto]
+	if !ok || jr.Ingress == nil || jr.Egress == nil {
+		panic(errors.Errorf("cannot set connectivity: job result non-existent/invalid for %s/%d", proto, port))
+	}
+
+	jr.Egress = &egress
+	setCombined(jr)
+}
+
+// SetIngress should be used to set connectivity for tables with connectivity already specified via NewTableWithDefaultConnectivity()
+func (t *Table) SetIngress(ingress Connectivity, from, to string, port int, proto v1.Protocol) {
+	portProto := fmt.Sprintf("%s/%d", proto, port)
+	jr, ok := t.Get(from, to).JobResults[portProto]
+	if !ok || jr.Ingress == nil || jr.Egress == nil {
+		panic(errors.Errorf("cannot set connectivity: job result non-existent/invalid for %s/%d", proto, port))
+	}
+
+	jr.Ingress = &ingress
+	setCombined(jr)
+}
+
+func setCombined(jr *JobResult) {
+	if *jr.Ingress == ConnectivityBlocked || *jr.Egress == ConnectivityBlocked {
+		jr.Combined = ConnectivityBlocked
+	}
+
+	if *jr.Ingress == ConnectivityAllowed && *jr.Egress == ConnectivityAllowed {
+		jr.Combined = ConnectivityAllowed
+	}
+}
+
 func NewTable(items []string) *Table {
 	return &Table{Wrapped: NewTruthTableFromItems(items, func(fr, to string) interface{} {
 		return &Item{

cmd/cyclonus/pkg/connectivity/stepresult.go

@@ -3,6 +3,8 @@ package connectivity
 import (
 	"github.com/mattfenwick/cyclonus/pkg/connectivity/probe"
 	"github.com/mattfenwick/cyclonus/pkg/matcher"
+	"sigs.k8s.io/network-policy-api/apis/v1alpha1"
+
 	networkingv1 "k8s.io/api/networking/v1"
 )
 
@@ -11,7 +13,10 @@ type StepResult struct {
 	KubeProbes     []*probe.Table
 	Policy         *matcher.Policy
 	KubePolicies   []*networkingv1.NetworkPolicy
-	comparisons    []*ComparisonTable
+	// FIXME use ANP and BANP here
+	ANPs        []*v1alpha1.AdminNetworkPolicy
+	BANP        *v1alpha1.BaselineAdminNetworkPolicy
+	comparisons []*ComparisonTable
 }
 
 func NewStepResult(simulated *probe.Table, policy *matcher.Policy, kubePolicies []*networkingv1.NetworkPolicy) *StepResult {

cmd/cyclonus/pkg/kube/labelselector.go

@@ -2,11 +2,12 @@ package kube
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/mattfenwick/collections/pkg/slice"
 	"github.com/mattfenwick/cyclonus/pkg/utils"
 	"golang.org/x/exp/maps"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"strings"
 )
 
 // IsNameMatch follows the kube pattern of "empty string means matches All"
@@ -102,7 +103,7 @@ func SerializeLabelSelector(ls metav1.LabelSelector) string {
 
 func LabelSelectorTableLines(selector metav1.LabelSelector) string {
 	if IsLabelSelectorEmpty(selector) {
-		return "all pods"
+		return "all"
 	}
 	var lines []string
 	if len(selector.MatchLabels) > 0 {

cmd/cyclonus/pkg/kube/networkpolicy.go

@@ -2,10 +2,11 @@ package kube
 
 import (
 	"fmt"
+	"strings"
+
 	"github.com/olekukonko/tablewriter"
 	. "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"strings"
 )
 
 func NetworkPoliciesToTable(policies []*NetworkPolicy) string {
@@ -20,6 +21,9 @@ func NetworkPoliciesToTable(policies []*NetworkPolicy) string {
 		name := fmt.Sprintf("%s/%s", policy.Namespace, policy.Name)
 		//target := SerializeLabelSelector(policy.Spec.PodSelector)
 		target := LabelSelectorTableLines(policy.Spec.PodSelector)
+		if target == "all" {
+			target = "all pods"
+		}
 
 		for _, policyType := range policy.Spec.PolicyTypes {
 			if policyType == PolicyTypeIngress {