connlist

package v1.3.1

Published: Jan 30, 2025 License: Apache-2.0 Imports: 27 Imported by: 1

Documentation

Overview

The connlist package of netpol-analyzer produces a k8s connectivity report from several kinds of resources: k8s NetworkPolicy, AdminNetworkPolicy and BaselineAdminNetworkPolicy, k8s Ingress, and OpenShift Route. It lists the set of allowed connections between each pair of distinct peers (k8s workloads or ip-blocks). Connections from a workload to itself are excluded from the output. Connectivity inferred from Ingress/Route resources is reported between {ingress-controller} and k8s workloads. The resources can be read from a directory containing YAML manifests or from a live k8s cluster. For more information, see https://github.com/np-guard/netpol-analyzer.

Copyright 2023- IBM Inc. All Rights Reserved.

SPDX-License-Identifier: Apache-2.0

Index

Constants

This section is empty.

Variables

ValidFormats is the array of possible values of the output format.

Functions

func GetConnectionSetFromP2PConnection added in v0.4.0

func GetConnectionSetFromP2PConnection(c Peer2PeerConnection) *common.ConnectionSet

GetConnectionSetFromP2PConnection returns a *common.ConnectionSet built from the Peer2PeerConnection data.

func ValidateOutputFormat added in v0.2.0

func ValidateOutputFormat(format string) error

ValidateOutputFormat checks that format is a supported output format and returns an error otherwise.

Types

type ConnlistAnalyzer

type ConnlistAnalyzer struct {
	// contains filtered or unexported fields
}

A ConnlistAnalyzer provides API to recursively scan a directory for Kubernetes resources including network policies, and get the list of permitted connectivity between the workloads of the K8s application managed in this directory.

func NewConnlistAnalyzer

func NewConnlistAnalyzer(options ...ConnlistAnalyzerOption) *ConnlistAnalyzer

NewConnlistAnalyzer creates a new instance of ConnlistAnalyzer, and applies the provided functional options.

func (*ConnlistAnalyzer) ConnectionsListToString

func (ca *ConnlistAnalyzer) ConnectionsListToString(conns []Peer2PeerConnection) (string, error)

ConnectionsListToString renders a list of Peer2PeerConnection objects as a string in the configured output format.

func (*ConnlistAnalyzer) ConnlistFromDirPath

func (ca *ConnlistAnalyzer) ConnlistFromDirPath(dirPath string) ([]Peer2PeerConnection, []Peer, error)

ConnlistFromDirPath returns the allowed-connections list computed from a directory path containing k8s resources, together with the list of all workloads found in the parsed resources.

func (*ConnlistAnalyzer) ConnlistFromK8sCluster

func (ca *ConnlistAnalyzer) ConnlistFromK8sCluster(clientset *kubernetes.Clientset) ([]Peer2PeerConnection, []Peer, error)

ConnlistFromK8sCluster returns the allowed-connections list computed from k8s cluster resources, together with the list of all peer names.

Deprecated.

func (*ConnlistAnalyzer) ConnlistFromK8sClusterWithPolicyAPI added in v1.3.0

func (ca *ConnlistAnalyzer) ConnlistFromK8sClusterWithPolicyAPI(clientset *kubernetes.Clientset,
	policyAPIClientset *policyapi.Clientset) ([]Peer2PeerConnection, []Peer, error)

ConnlistFromK8sClusterWithPolicyAPI returns the allowed-connections list computed from k8s cluster resources, together with the list of all peer names.

func (*ConnlistAnalyzer) ConnlistFromResourceInfos added in v1.0.0

func (ca *ConnlistAnalyzer) ConnlistFromResourceInfos(info []*resource.Info) ([]Peer2PeerConnection, []Peer, error)

ConnlistFromResourceInfos returns the allowed-connections list computed from an input slice of resource.Info objects, together with the list of all workloads found in the parsed resources.

func (*ConnlistAnalyzer) Errors

func (ca *ConnlistAnalyzer) Errors() []ConnlistError

Errors returns a slice of ConnlistError with all warnings and errors encountered during processing.

func (*ConnlistAnalyzer) ExposedPeers added in v1.2.0

func (ca *ConnlistAnalyzer) ExposedPeers() []ExposedPeer

ExposedPeers returns a slice of ExposedPeer objects, capturing, for each input workload, whether and how it may be exposed to potential cluster entities, based on the input network policies.

type ConnlistAnalyzerOption

type ConnlistAnalyzerOption func(*ConnlistAnalyzer)

ConnlistAnalyzerOption is the type for specifying options for ConnlistAnalyzer, using Golang's Options Pattern (https://golang.cafe/blog/golang-functional-options-pattern.html).

func WithExposureAnalysis added in v1.2.0

func WithExposureAnalysis() ConnlistAnalyzerOption

WithExposureAnalysis is a functional option which directs ConnlistAnalyzer to perform exposure analysis

func WithFocusWorkload

func WithFocusWorkload(workload string) ConnlistAnalyzerOption

func WithLogger

func WithLogger(l logger.Logger) ConnlistAnalyzerOption

WithLogger is a functional option which sets the logger for a ConnlistAnalyzer to use. The provided logger must conform with the package's Logger interface.

func WithMuteErrsAndWarns added in v1.0.0

func WithMuteErrsAndWarns() ConnlistAnalyzerOption

WithMuteErrsAndWarns is a functional option which directs ConnlistAnalyzer to avoid logging errors/warnings

func WithOutputFormat added in v0.2.0

func WithOutputFormat(outputFormat string) ConnlistAnalyzerOption

WithOutputFormat is a functional option allowing the user to choose the output format: txt, json, dot, csv or md.

func WithStopOnError

func WithStopOnError() ConnlistAnalyzerOption

WithStopOnError is a functional option which directs ConnlistAnalyzer to stop any processing after the first severe error.

type ConnlistError added in v0.1.2

type ConnlistError common.NetpolError

ConnlistError holds information about a single error or warning that occurred during the parsing and connectivity analysis of a k8s app with network policies.

type ExposedPeer added in v1.2.0

type ExposedPeer interface {
	// ExposedPeer is a peer for which the analysis found some potential exposure info
	ExposedPeer() Peer
	// IsProtectedByIngressNetpols indicates if there are ingress netpols selecting the ExposedPeer
	// if peer is not protected, indicates that the peer is exposed on ingress to the whole world,
	// i.e. exposed to all other peers in the cluster and to any external resource.
	// if peer is not protected by ingress netpols, the IngressExposure list will be empty
	IsProtectedByIngressNetpols() bool
	// IngressExposure is a list of the potential Ingress connections to the ExposedPeer
	IngressExposure() []XgressExposureData
	// IsProtectedByEgressNetpols indicates if there are egress netpols selecting the ExposedPeer
	// if peer is not protected, indicates that the peer is exposed on egress to the whole world
	// i.e. exposed to all other peers in the cluster and to any external resource.
	// if peer is not protected by egress netpols, the EgressExposure list will be empty
	IsProtectedByEgressNetpols() bool
	// EgressExposure is a list of the potential Egress connections from the ExposedPeer
	EgressExposure() []XgressExposureData
}

ExposedPeer captures potential ingress and egress connections data for an exposed Peer

type Peer added in v0.4.2

type Peer eval.Peer

type Peer2PeerConnection

type Peer2PeerConnection interface {
	// Src returns the source peer
	Src() Peer
	// Dst returns the destination peer
	Dst() Peer
	// AllProtocolsAndPorts returns true if all ports are allowed for all protocols
	AllProtocolsAndPorts() bool
	// ProtocolsAndPorts returns the set of allowed connections
	ProtocolsAndPorts() map[v1.Protocol][]common.PortRange
}

Peer2PeerConnection encapsulates the allowed connectivity result between two peers.

func NewPeer2PeerConnection added in v0.4.0

func NewPeer2PeerConnection(src, dst eval.Peer, allConns bool, conns map[v1.Protocol][]common.PortRange) Peer2PeerConnection

NewPeer2PeerConnection returns a Peer2PeerConnection object built from the given src, dst, allConns flag and conns map.

func RefineConnListByDisjointPeers added in v0.4.0

func RefineConnListByDisjointPeers(conns []Peer2PeerConnection, srcMap, dstMap map[string]map[string]eval.Peer) ([]Peer2PeerConnection,
	error)

RefineConnListByDisjointPeers takes a Peer2PeerConnection slice and maps from peer string to its disjoint peers (one for sources, one for destinations), and returns a new Peer2PeerConnection slice in which ip-blocks are refined according to their disjoint peers.

type XgressExposureData added in v1.2.0

type XgressExposureData interface {
	// IsExposedToEntireCluster indicates if the peer is exposed to all namespaces in the cluster for the relevant direction.
	// if peer is exposed to entire cluster, NamespaceLabels and PodLabels will be empty
	IsExposedToEntireCluster() bool
	// NamespaceLabels are label selectors of potential namespaces which the peer might be exposed to
	NamespaceLabels() v1.LabelSelector
	// PodLabels are label selectors of potential pods which the peer might be exposed to
	PodLabels() v1.LabelSelector
	// PotentialConnectivity the potential connectivity of the exposure
	PotentialConnectivity() common.Connection
}

XgressExposureData contains the potential-connectivity data for an existing peer in the cluster. A peer might be exposed to the entire cluster (any namespace), to any namespace with given labels, to any pod with given labels in any namespace, to any pod with given labels in a namespace with given labels, or to any pod with given labels in a specific namespace.
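The ExposedPeer and XgressExposureData interfaces above are what a policy gate would consume. The following added example (not code from the netpol-analyzer project) mirrors the two interfaces locally, with assumed minimal shapes, so it builds stand-alone, and flags workloads that are either unselected by any ingress NetworkPolicy or whose ingress exposure admits the entire cluster; the sample data is constructed.

```go
package main

import "fmt"

// Local stand-ins for the connlist interfaces on this page (assumed shapes),
// so the example builds without importing the netpol-analyzer module.
type Peer interface{ String() string }
type XgressExposureData interface{ IsExposedToEntireCluster() bool }
type ExposedPeer interface {
	ExposedPeer() Peer
	IsProtectedByIngressNetpols() bool
	IngressExposure() []XgressExposureData
}

// IngressGaps reports each workload with no ingress NetworkPolicy selecting it (open to
// all peers and any external source) or whose ingress exposure admits the entire cluster.
func IngressGaps(peers []ExposedPeer) []string {
	var gaps []string
	for _, p := range peers {
		name := p.ExposedPeer().String()
		if !p.IsProtectedByIngressNetpols() {
			gaps = append(gaps, name+": no ingress NetworkPolicy selects it")
			continue
		}
		for _, x := range p.IngressExposure() {
			if x.IsExposedToEntireCluster() {
				gaps = append(gaps, name+": ingress allowed from entire cluster")
				break
			}
		}
	}
	return gaps
}

// Constructed implementations standing in for real analyzer output.
type xg struct{ cluster bool }
type sampleEP struct{ name string; protected bool; ingress []XgressExposureData }
func (x xg) IsExposedToEntireCluster() bool              { return x.cluster }
func (e sampleEP) String() string                        { return e.name }
func (e sampleEP) ExposedPeer() Peer                     { return e }
func (e sampleEP) IsProtectedByIngressNetpols() bool     { return e.protected }
func (e sampleEP) IngressExposure() []XgressExposureData { return e.ingress }

// SampleExposure: unprotected web pod, api pod open to the whole cluster, restricted db pod.
func SampleExposure() []ExposedPeer {
	return []ExposedPeer{
		sampleEP{"default/web", false, nil},
		sampleEP{"default/api", true, []XgressExposureData{xg{true}}},
		sampleEP{"default/db", true, []XgressExposureData{xg{false}}},
	}
}
func main() { fmt.Println(IngressGaps(SampleExposure())) }
```

An empty result from IngressGaps means every workload is selected by some ingress policy and none is open to the whole cluster; egress is left to the caller.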

Directories

Path Synopsis
internal
