Improve blocked traffic detection in Otterize Cloud by reporting container port names (#308)

Author: omris94

src/mapper/pkg/cloudclient/generated.go

@@ -899,6 +899,7 @@ type FeatureFlags {
 	enableInternetIntentsSuggestions: Boolean
 	enableIAMIntentsSuggestions: Boolean
 	enableNetworkPoliciesInAccessGraph: Boolean
+	enableTrafficFromTCPResolveDestBugfixInAccessGraph: Boolean
 }
 
 type Finding {
@@ -1248,6 +1249,7 @@ input InputFeatureFlags {
 	enableInternetIntentsSuggestions: Boolean
 	enableIAMIntentsSuggestions: Boolean
 	enableNetworkPoliciesInAccessGraph: Boolean
+	enableTrafficFromTCPResolveDestBugfixInAccessGraph: Boolean
 }
 
 """ Findings filter """
@@ -1740,6 +1742,7 @@ input K8sResourceLoadBalancerIngressInput {
 input K8sResourceServiceInput {
 	spec: K8sResourceServiceSpecInput!
 	status: K8sResourceServiceStatusInput
+	targetNamedPorts: [NamedPortInput!]
 }
 
 input K8sResourceServiceLoadBalancerIngressInput {
@@ -2314,6 +2317,12 @@ type Mutation {
 	): Boolean!
 }
 
+input NamedPortInput {
+	name: String!
+	port: Int!
+	protocol: K8sPortProtocol!
+}
+
 type Namespace {
 	id: ID!
 	name: String!
@@ -2556,6 +2565,9 @@ type Query {
 		clientServiceId: ID!
 		serverServiceId: ID!
 	): [NetworkPolicy!]!
+	serviceNetworkPolicies(
+		serviceId: ID!
+	): [NetworkPolicy!]!
 """ Get edge connections count """
 	edgeConnectionsCount(
 		clientId: ID!
@@ -3115,6 +3127,8 @@ scalar String
 type TLSConfiguration {
 	caCertificate: String
 	certificate: String
+	caCertificateFingerprint: String
+	certificateFingerprint: String
 }
 
 input TLSConfigurationInput {

src/mapper/pkg/cloudclient/schema.graphql

@@ -1,14 +1,18 @@
 package resourcevisibility
 
 import (
+	"cmp"
+	"context"
 	"github.com/otterize/intents-operator/src/shared/errors"
 	"github.com/otterize/network-mapper/src/mapper/pkg/cloudclient"
 	"github.com/otterize/nilable"
 	"github.com/samber/lo"
 	"github.com/sirupsen/logrus"
+	"golang.org/x/exp/slices"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 func convertPortProtocol(protocol corev1.Protocol) (*cloudclient.K8sPortProtocol, error) {
@@ -294,7 +298,7 @@ func convertIngressLoadBalancerStatus(status networkingv1.IngressStatus) (nilabl
 	return nilable.From(ingressStatusInput), nil
 }
 
-func convertServiceResource(service corev1.Service) (cloudclient.K8sResourceServiceInput, error) {
+func convertServiceResource(ctx context.Context, k8sClient client.Client, service corev1.Service) (cloudclient.K8sResourceServiceInput, error) {
 	ports := make([]cloudclient.K8sServicePort, 0)
 	for _, port := range service.Spec.Ports {
 		protocol, err := convertPortProtocol(port.Protocol)
@@ -391,6 +395,11 @@ func convertServiceResource(service corev1.Service) (cloudclient.K8sResourceServ
 		input.Status = status
 	}
 
+	targetNamedPorts := getRelatedPodsNamedPortsMap(ctx, k8sClient, &service)
+	if len(targetNamedPorts) > 0 {
+		input.TargetNamedPorts = targetNamedPorts
+	}
+
 	return input, nil
 }
 
@@ -565,3 +574,60 @@ func convertIngressResource(ingress networkingv1.Ingress) (cloudclient.K8sResour
 
 	return input, true, nil
 }
+
+func getRelatedPodsNamedPortsMap(ctx context.Context, k8sClient client.Client, service *corev1.Service) []cloudclient.NamedPortInput {
+	if len(service.Spec.Selector) == 0 {
+		return nil
+	}
+	relatedPods := &corev1.PodList{}
+	labelSelector := client.MatchingLabels(service.Spec.Selector)
+	err := k8sClient.List(ctx, relatedPods, labelSelector, client.InNamespace(service.Namespace))
+	if err != nil {
+		logrus.WithFields(logrus.Fields{"service": service.Name, "namespace": service.Namespace}).WithError(err).Errorf("Failed listing pods for service")
+		return nil
+	}
+
+	namedPorts := make([]cloudclient.NamedPortInput, 0)
+	for _, pod := range relatedPods.Items {
+		for _, container := range pod.Spec.Containers {
+			for _, port := range container.Ports {
+				if port.Name == "" {
+					continue // We are only interested in named ports
+				}
+				namedPorts = append(namedPorts, cloudclient.NamedPortInput{
+					Name:     port.Name,
+					Port:     int(port.ContainerPort),
+					Protocol: convertProtocolToCloudFormat(port.Protocol),
+				})
+			}
+		}
+	}
+
+	namedPorts = lo.Uniq(namedPorts)
+	slices.SortFunc(namedPorts, func(a, b cloudclient.NamedPortInput) int {
+		if cmp.Compare(a.Name, b.Name) != 0 {
+			return cmp.Compare(a.Name, b.Name)
+		}
+		if cmp.Compare(a.Port, b.Port) != 0 {
+			return cmp.Compare(a.Port, b.Port)
+		}
+		if cmp.Compare(a.Protocol, b.Protocol) != 0 {
+			return cmp.Compare(a.Protocol, b.Protocol)
+		}
+		return 0
+	})
+	return namedPorts
+}
+
+func convertProtocolToCloudFormat(proto corev1.Protocol) cloudclient.K8sPortProtocol {
+	switch proto {
+	case corev1.ProtocolTCP:
+		return cloudclient.K8sPortProtocolTcp
+	case corev1.ProtocolUDP:
+		return cloudclient.K8sPortProtocolUdp
+	case corev1.ProtocolSCTP:
+		return cloudclient.K8sPortProtocolSctp
+	default:
+		return cloudclient.K8sPortProtocolTcp
+	}
+}

src/mapper/pkg/resourcevisibility/model_convertion.go

@@ -120,7 +120,11 @@ func (r *ServiceReconciler) getCachedValue(servicesToReport []cloudclient.K8sSer
 }
 
 func reportedServicesCacheValuePart(service cloudclient.K8sServiceInput) string {
-	return fmt.Sprintf("%s-%s-%s", service.ResourceName, service.OtterizeServer, service.Service.Spec.Type.Item)
+	namedPortsStr := ""
+	for _, namedPort := range service.Service.TargetNamedPorts {
+		namedPortsStr += fmt.Sprintf("%s-%d-%s", namedPort.Name, namedPort.Port, namedPort.Protocol)
+	}
+	return fmt.Sprintf("%s-%s-%s-%s", service.ResourceName, service.OtterizeServer, service.Service.Spec.Type.Item, namedPortsStr)
 }
 
 func (r *ServiceReconciler) convertToCloudServices(ctx context.Context, services []corev1.Service) ([]cloudclient.K8sServiceInput, error) {
@@ -153,7 +157,7 @@ func (r *ServiceReconciler) convertToCloudService(ctx context.Context, service c
 		return cloudclient.K8sServiceInput{}, false, nil
 	}
 
-	serviceInput, err := convertServiceResource(service)
+	serviceInput, err := convertServiceResource(ctx, r.Client, service)
 	if err != nil {
 		return cloudclient.K8sServiceInput{}, false, errors.Wrap(err)
 	}