From dac08247b64a2e4faaf82c2401d474dfc6c0c23a Mon Sep 17 00:00:00 2001 From: Tanya Date: Sun, 12 Nov 2023 12:24:11 +0200 Subject: [PATCH] preparation to support istio egress gateway (#604) * Bug fix in livesim: Changed missing pods labels dictionary to set of pairs (key, value) to allow missing pods having the same label key but different label values. Bug fix in IngressNetworkLayer._allowed_xgress_conns_optimized: all_allowed_conns should always include allowed_conns. Signed-off-by: Tanya * Small fixes and preparations for implementing istio egress gateway. Bug fix: considering DNS entries when computing allowed connections in the Ingress layer. Removing duplicates from the list of missing livesim resources. Signed-off-by: Tanya * More fixes of handling DNS entries in optimized solution. Signed-off-by: Tanya * Uppdating expected results of some livesim tests following the addition of istio-egressgateway resource to livesim, and changing the namespace of istio-ingressgateway to istio-system. Signed-off-by: Tanya * Small fixes. Signed-off-by: Tanya * Referencing istio ingress gateway as istio:ingressgateway (to be aligned with livesim, until https://github.com/IBM/network-config-analyzer/issues/610 is implemented). Extending IngressPolicy to both directions (ingress/egress) Splitting livesim ingress/egress gateway resources to separated files. Signed-off-by: Tanya * Changing expected results of some istio ingress/egress gateway tests according to the change in livesim implementation of these gateways. Temporarily commenting out other expected results, until ingress/egress gateway implementation is completes. Signed-off-by: Tanya * Changing expected results of some istio ingress/egress gateway tests according to the change in livesim implementation of these gateways. Signed-off-by: Tanya * Renamed IngressPolicy to IstioGatewayPolicy. Signed-off-by: Tanya * Renamed IstioGatewayPolicy to GatewayPolicy. Signed-off-by: Tanya * Update nca/Resources/GatewayPolicy.py Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com> * Update nca/NetworkConfig/NetworkConfigQuery.py Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com> * Renamed Ingress layer to Gateway layer. Signed-off-by: Tanya --------- Signed-off-by: Tanya Co-authored-by: Adi Sosnovich <82078442+adisos@users.noreply.github.com> --- nca/CoreDS/ConnectionSet.py | 4 + .../istio_gateway/istio_egress_gateway.yaml | 27 +++++++ ...ateway.yaml => istio_ingress_gateway.yaml} | 2 +- nca/NetworkConfig/NetworkConfigQuery.py | 52 ++++++------ nca/NetworkConfig/NetworkLayer.py | 46 +++++------ nca/NetworkConfig/PoliciesFinder.py | 4 +- nca/NetworkConfig/ResourcesHandler.py | 24 +++--- nca/Parsers/GenericIngressLikeYamlParser.py | 4 +- nca/Parsers/IngressPolicyYamlParser.py | 12 +-- .../IstioTrafficResourcesYamlParser.py | 15 ++-- nca/Parsers/K8sPolicyYamlParser.py | 6 +- .../{IngressPolicy.py => GatewayPolicy.py} | 79 ++++++++++++------- nca/Resources/IstioTrafficResources.py | 4 +- .../livesim_test_all_dot.dot | 12 +-- .../livesim_test_all_txt.txt | 8 +- .../istio-ingress-test-scheme.yaml | 3 +- .../istio-ingress-test/resources/gateway.yaml | 2 +- tests/k8s_cmdline_tests.yaml | 3 +- 18 files changed, 178 insertions(+), 129 deletions(-) create mode 100644 nca/NetworkConfig/LiveSim/istio_gateway/istio_egress_gateway.yaml rename nca/NetworkConfig/LiveSim/istio_gateway/{istio_gateway.yaml => istio_ingress_gateway.yaml} (86%) rename nca/Resources/{IngressPolicy.py => GatewayPolicy.py} (68%) diff --git a/nca/CoreDS/ConnectionSet.py b/nca/CoreDS/ConnectionSet.py index 3ffbf7f29..f93142444 100644 --- a/nca/CoreDS/ConnectionSet.py +++ b/nca/CoreDS/ConnectionSet.py @@ -662,6 +662,10 @@ def split_peer_set_to_fw_rule_elements(peer_set, cluster_info): res.append(FWRule.IPBlockElement(peer)) peer_set_copy.remove(peer) continue + elif isinstance(peer, FWRule.DNSEntry): + res.append(FWRule.DNSElement(peer)) + peer_set_copy.remove(peer) + continue ns_peers = PeerSet(cluster_info.ns_dict[peer.namespace]) if ns_peers.issubset(peer_set_copy): ns_set.add(peer.namespace) diff --git a/nca/NetworkConfig/LiveSim/istio_gateway/istio_egress_gateway.yaml b/nca/NetworkConfig/LiveSim/istio_gateway/istio_egress_gateway.yaml new file mode 100644 index 000000000..ce653f6d9 --- /dev/null +++ b/nca/NetworkConfig/LiveSim/istio_gateway/istio_egress_gateway.yaml @@ -0,0 +1,27 @@ +apiVersion: v1 +kind: Pod +metadata: + name: istio-egressgateway-livesim + namespace: istio-system + labels: + app: istio-egressgateway + istio: egressgateway +spec: + serviceAccountName: istio-egressgateway + containers: + - name: istio-proxy + image: auto +--- + +apiVersion: v1 +kind: Service +metadata: + name: istio-egressgateway + namespace: istio-system +spec: + ports: + - port: 443 + selector: + app: istio-egressgateway + istio: egressgateway +--- \ No newline at end of file diff --git a/nca/NetworkConfig/LiveSim/istio_gateway/istio_gateway.yaml b/nca/NetworkConfig/LiveSim/istio_gateway/istio_ingress_gateway.yaml similarity index 86% rename from nca/NetworkConfig/LiveSim/istio_gateway/istio_gateway.yaml rename to nca/NetworkConfig/LiveSim/istio_gateway/istio_ingress_gateway.yaml index 971dad10a..d71cb7d3e 100644 --- a/nca/NetworkConfig/LiveSim/istio_gateway/istio_gateway.yaml +++ b/nca/NetworkConfig/LiveSim/istio_gateway/istio_ingress_gateway.yaml @@ -2,7 +2,7 @@ apiVersion: v1 kind: Pod metadata: name: istio-ingressgateway-livesim - namespace: istio-ingressgateway-ns + namespace: istio-system labels: app: istio-ingressgateway istio: ingressgateway diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py index 5f31b2e0d..13b27c880 100644 --- a/nca/NetworkConfig/NetworkConfigQuery.py +++ b/nca/NetworkConfig/NetworkConfigQuery.py @@ -19,7 +19,7 @@ from nca.FWRules.ClusterInfo import ClusterInfo from nca.Resources.NetworkPolicy import PolicyConnectionsFilter from nca.Resources.CalicoNetworkPolicy import CalicoNetworkPolicy -from nca.Resources.IngressPolicy import IngressPolicy +from nca.Resources.GatewayPolicy import GatewayPolicy from nca.Utils.OutputConfiguration import OutputConfiguration from .QueryOutputHandler import QueryAnswer, DictOutputHandler, StringOutputHandler, \ PoliciesAndRulesExplanations, PodsListsExplanations, ConnectionsDiffExplanation, IntersectPodsExplanation, \ @@ -217,7 +217,7 @@ def exec(self): # collecting non-disjoint policies per network layer non_disjoint_explanation_list = [] for layer_name, layer in self.config.policies_container.layers.items(): - if layer_name == NetworkLayerName.Ingress: # skip ingress layer + if layer_name == NetworkLayerName.Gateway: # skip gateway layer continue policies_list = layer.policies_list for policy1 in policies_list: @@ -294,12 +294,12 @@ class VacuityQuery(NetworkConfigQuery): """ def exec(self): - # TODO: should handle 'ingress' layer or not? (ingress controller pod is not expected to have egress + # TODO: should handle 'gateway' layer or not? (ingress controller pod is not expected to have egress # traffic without any Ingress resource) - # currently ignoring ingres layer, removing it from configs on this query + # currently ignoring gateway layer, removing it from configs on this query self.output_config.fullExplanation = True # assign true for this query - it is ok to compare its results vacuous_config = self.config.clone_without_policies('vacuousConfig') - self_config = TwoNetworkConfigsQuery.clone_without_ingress(self.config) + self_config = TwoNetworkConfigsQuery.clone_without_gateway_layer(self.config) vacuous_res = EquivalenceQuery(self_config, vacuous_config).exec() if not vacuous_res.bool_result: return QueryAnswer(vacuous_res.bool_result, @@ -381,7 +381,7 @@ def exec(self): redundant_egress_rules = {} self.output_config.fullExplanation = True # assign true for this query - it is ok to compare its results for layer_name, layer in self.config.policies_container.layers.items(): - if layer_name == NetworkLayerName.Ingress: + if layer_name == NetworkLayerName.Gateway: continue policies_list = layer.policies_list redundant_policies = sorted(list(self.redundant_policies(policies_list, layer_name))) @@ -637,7 +637,7 @@ def exec(self): # noqa: C901 policies_issue += '\tNote that it contains a single policy.\n' for layer_name, layer in self.config.policies_container.layers.items(): - if layer_name == NetworkLayerName.Ingress: + if layer_name == NetworkLayerName.Gateway: continue policies_list = layer.policies_list # check for redundant policies in this layer @@ -1270,21 +1270,21 @@ def _append_different_conns_to_list(self, conn_diff_props, different_conns_list, return @staticmethod - def clone_without_ingress(config): + def clone_without_gateway_layer(config): """ - Clone config without ingress policies + Clone config without gateway policies :param NetworkConfig config: the config to clone - :return: resulting config without ingress policies + :return: resulting config without gateway policies :rtype: NetworkConfig """ - if NetworkLayerName.Ingress not in config.policies_container.layers or not config.policies_container.layers[ - NetworkLayerName.Ingress].policies_list: - return config # no ingress policies in this config - config_without_ingress = config.clone_without_policies(config.name) + if NetworkLayerName.Gateway not in config.policies_container.layers or not config.policies_container.layers[ + NetworkLayerName.Gateway].policies_list: + return config # no gateway policies in this config + config_without_gateway = config.clone_without_policies(config.name) for policy in config.policies_container.policies.values(): - if not isinstance(policy, IngressPolicy): # ignoring ingress policies - config_without_ingress.append_policy_to_config(policy) - return config_without_ingress + if not isinstance(policy, GatewayPolicy): # ignoring gateway policies + config_without_gateway.append_policy_to_config(policy) + return config_without_gateway def execute(self, cmd_line_flag): return self.exec(cmd_line_flag) @@ -2094,13 +2094,13 @@ def exec(self, cmd_line_flag): query_answer.output_result = output_result_on_permit return query_answer - if self.config1.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress): + if self.config1.policies_container.layers.does_contain_single_layer(NetworkLayerName.Gateway): return QueryAnswer(bool_result=False, - output_result='Permitted traffic cannot be specified using Ingress resources only', + output_result='Permitted traffic cannot be specified using Ingress/Gateway resources only', query_not_executed=True) - config1_without_ingress = self.clone_without_ingress(self.config1) - query_answer = ContainmentQuery(config1_without_ingress, self.config2, + config1_without_gateway = self.clone_without_gateway_layer(self.config1) + query_answer = ContainmentQuery(config1_without_gateway, self.config2, self.output_config).exec(cmd_line_flag=cmd_line_flag, only_captured=True) if not cmd_line_flag: query_answer.numerical_result = 1 if query_answer.output_explanation else 0 @@ -2276,15 +2276,15 @@ def exec(self, cmd_line_flag): if not self.config1: return QueryAnswer(False, 'There are no NetworkPolicies in the given forbids config. ' 'No traffic is specified as forbidden.', query_not_executed=True) - if self.config1.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress): + if self.config1.policies_container.layers.does_contain_single_layer(NetworkLayerName.Gateway): return QueryAnswer(bool_result=False, - output_result='Forbidden traffic cannot be specified using Ingress resources only', + output_result='Forbidden traffic cannot be specified using Ingress/Gateway resources only', query_not_executed=True) - config1_without_ingress = self.clone_without_ingress(self.config1) + config1_without_gateway = self.clone_without_gateway_layer(self.config1) query_answer = \ - IntersectsQuery(config1_without_ingress, self.config2, self.output_config).exec(only_captured=True) + IntersectsQuery(config1_without_gateway, self.config2, self.output_config).exec(only_captured=True) if query_answer.numerical_result == 1: query_answer.output_result += f'\n{self.name2} forbids connections specified in ' \ f'{self.name1}' @@ -2362,7 +2362,7 @@ def exec(self): self.output_config.fullExplanation = True # assign true for this query - it is always ok to compare its results # get_all_peers_group() does not require getting dnsEntry peers, since they are not ClusterEP (pods) existing_pods = self.config.peer_container.get_all_peers_group() - if not self.config or self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress): + if not self.config or self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Gateway): return QueryAnswer(bool_result=False, output_result=f'There are no network policies in {self.config.name}. ' f'All workload resources are non captured', diff --git a/nca/NetworkConfig/NetworkLayer.py b/nca/NetworkConfig/NetworkLayer.py index c08082086..fd5741040 100644 --- a/nca/NetworkConfig/NetworkLayer.py +++ b/nca/NetworkConfig/NetworkLayer.py @@ -21,14 +21,14 @@ class NetworkLayerName(Enum): K8s_Calico = 0 Istio = 1 - Ingress = 2 + Gateway = 2 def create_network_layer(self, policies): if self == NetworkLayerName.K8s_Calico: return K8sCalicoNetworkLayer(policies) if self == NetworkLayerName.Istio: return IstioNetworkLayer(policies) - if self == NetworkLayerName.Ingress: + if self == NetworkLayerName.Gateway: return IngressNetworkLayer(policies) return None @@ -40,7 +40,7 @@ def policy_type_to_layer(policy_type): elif policy_type in {NetworkPolicy.PolicyType.IstioAuthorizationPolicy, NetworkPolicy.PolicyType.IstioSidecar}: return NetworkLayerName.Istio elif policy_type == NetworkPolicy.PolicyType.Ingress: - return NetworkLayerName.Ingress + return NetworkLayerName.Gateway return None @@ -369,10 +369,9 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_ res_conns = self.collect_policies_conns_optimized(is_ingress, IstioNetworkLayer.captured_cond_func) if not res_conns_filter.calc_all_allowed: return res_conns - # all the calculations below update res_conns.all_allowed_conns - all_peers_and_ips = peer_container.get_all_peers_group(True) - all_peers_no_ips = peer_container.get_all_peers_group() + all_peers_and_ips = peer_container.get_all_peers_group(add_external_ips=True) + all_peers_no_ips = peer_container.get_all_peers_group(add_external_ips=False) dns_entries = peer_container.get_all_dns_entries() # for istio initialize non-captured conns with all possible non-TCP connections # This is a compact way to represent all peers connections, but it is an over-approximation also containing @@ -422,36 +421,29 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_ class IngressNetworkLayer(NetworkLayer): def _allowed_xgress_conns(self, from_peer, to_peer, is_ingress): - allowed_conns = ConnectionSet() all_allowed_conns = ConnectionSet(True) - captured_res = False - if not is_ingress: - allowed_conns, _, _, captured_res = self.collect_policies_conns(from_peer, to_peer, is_ingress) - if captured_res: - all_allowed_conns = allowed_conns + allowed_conns, _, _, captured_res = self.collect_policies_conns(from_peer, to_peer, is_ingress) + if captured_res: + all_allowed_conns = allowed_conns return PolicyConnections(captured=captured_res, allowed_conns=allowed_conns, denied_conns=ConnectionSet(), all_allowed_conns=all_allowed_conns) def _allowed_xgress_conns_optimized(self, is_ingress, peer_container, res_conns_filter=PolicyConnectionsFilter()): - res_conns = OptimizedPolicyConnections() - all_peers_and_ips = peer_container.get_all_peers_group(True) - all_peers_no_ips = peer_container.get_all_peers_group() + all_peers_and_ips = peer_container.get_all_peers_group(add_external_ips=True, include_dns_entries=True) + all_peers_no_ips = peer_container.get_all_peers_group(add_external_ips=False, include_dns_entries=True) non_captured_conns = None - if is_ingress: - if res_conns_filter.calc_all_allowed: - # everything is allowed and non captured - non_captured_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_peers_and_ips, - "dst_peers": all_peers_no_ips}) - res_conns.all_allowed_conns = non_captured_conns - else: - res_conns = self.collect_policies_conns_optimized(is_ingress) + res_conns = self.collect_policies_conns_optimized(is_ingress) + if res_conns_filter.calc_all_allowed: + res_conns.all_allowed_conns = res_conns.allowed_conns non_captured_peers = all_peers_no_ips - res_conns.captured - if res_conns_filter.calc_all_allowed: - res_conns.all_allowed_conns = res_conns.allowed_conns - if non_captured_peers: + if non_captured_peers: + if is_ingress: + non_captured_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_peers_and_ips, + "dst_peers": non_captured_peers}) + else: non_captured_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": non_captured_peers, "dst_peers": all_peers_and_ips}) - res_conns.all_allowed_conns |= non_captured_conns + res_conns.all_allowed_conns |= non_captured_conns if non_captured_conns and ExplTracker().is_active(): src_peers, dst_peers = ExplTracker().extract_peers(non_captured_conns) ExplTracker().add_default_policy(src_peers, diff --git a/nca/NetworkConfig/PoliciesFinder.py b/nca/NetworkConfig/PoliciesFinder.py index 4a6d910d1..1c37e892e 100644 --- a/nca/NetworkConfig/PoliciesFinder.py +++ b/nca/NetworkConfig/PoliciesFinder.py @@ -29,9 +29,9 @@ def __init__(self, optimized_run='false'): self.optimized_run = optimized_run # following missing resources fields are relevant for "livesim" mode, # where certain resources are added to enable the analysis - self.missing_istio_gw_pods_with_labels = {} + self.missing_istio_gw_pods_with_labels = set() self.missing_k8s_ingress_peers = False - self.missing_dns_pods_with_labels = {} + self.missing_dns_pods_with_labels = set() def set_peer_container(self, peer_container): """ diff --git a/nca/NetworkConfig/ResourcesHandler.py b/nca/NetworkConfig/ResourcesHandler.py index 3457f5ed8..44e91196b 100644 --- a/nca/NetworkConfig/ResourcesHandler.py +++ b/nca/NetworkConfig/ResourcesHandler.py @@ -69,24 +69,24 @@ def get_full_livesim_resource_path(livesim_resource_path): return os.path.join(current_path, livesim_resource_path) @staticmethod - def get_relevant_livesim_resources_paths_by_labels_matching(livesim_resource_path, missing_resource_labels_dict): + def get_relevant_livesim_resources_paths_by_labels_matching(livesim_resource_path, missing_resource_labels): """ check by labels matching if one of the livesim resources has matching labels for a resource referenced by one of the parsed policies. If yes, return its path to be added to the configuration, to enable the analysis. :param str livesim_resource_path: a path to the relevant livesim dir to check for resources - :param dict missing_resource_labels_dict: the labels from parsed policy in the config for + :param set((key, value)) missing_resource_labels: the labels from parsed policy in the config for which a matching peer was missing :return: list of paths for relevant livesim resources to add :rtype list[str] """ - res = [] + res = set() resource_full_path = ResourcesHandler.get_full_livesim_resource_path(livesim_resource_path) livesim_resource_labels = ResourcesParser.parse_livesim_yamls(resource_full_path) - for key in missing_resource_labels_dict.keys(): + for (key, value) in missing_resource_labels: for yaml_path, labels in livesim_resource_labels.items(): - if missing_resource_labels_dict.get(key) == labels.get(key): - res.append(yaml_path) - return res + if (key, value) in labels: + res.add(yaml_path) + return list(res) @staticmethod def analyze_livesim(policy_finder): @@ -113,12 +113,12 @@ def analyze_livesim(policy_finder): livesim_configuration_addons.append(resource_full_path) ResourcesHandler.livesim_information_message('ingress-controller') - # find Istio ingress gateway + # find Istio ingress/egress gateway istio_gateway_added_resources = ResourcesHandler.get_relevant_livesim_resources_paths_by_labels_matching( LiveSimPaths.IstioGwCfgPath, policy_finder.missing_istio_gw_pods_with_labels) if istio_gateway_added_resources: livesim_configuration_addons += istio_gateway_added_resources - ResourcesHandler.livesim_information_message('Istio-ingress-gateway') + ResourcesHandler.livesim_information_message('Istio-ingress/egress-gateway') return livesim_configuration_addons @@ -367,15 +367,15 @@ def parse_livesim_yamls(path): for yaml_file in yaml_files: pods_finder = PodsFinder() ns_finder = NamespacesFinder() - labels_found = {} + labels_found = set() for res_code in yaml_file.data: ns_finder.parse_yaml_code_for_ns(res_code) pods_finder.namespaces_finder = ns_finder pods_finder.add_eps_from_yaml(res_code) for item in ns_finder.namespaces.values(): - labels_found.update(item.labels) + labels_found.update(set(item.labels.items())) for item in pods_finder.peer_set: - labels_found.update(item.labels) + labels_found.update(set(item.labels.items())) results.update({yaml_file.path: labels_found}) NcaLogger().collect_msgs() diff --git a/nca/Parsers/GenericIngressLikeYamlParser.py b/nca/Parsers/GenericIngressLikeYamlParser.py index 5abc3e724..34a8ef72e 100644 --- a/nca/Parsers/GenericIngressLikeYamlParser.py +++ b/nca/Parsers/GenericIngressLikeYamlParser.py @@ -11,7 +11,7 @@ from nca.CoreDS.ProtocolSet import ProtocolSet from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.CoreDS.ConnectionSet import ConnectionSet -from nca.Resources.IngressPolicy import IngressPolicyRule +from nca.Resources.GatewayPolicy import GatewayPolicyRule from .GenericYamlParser import GenericYamlParser @@ -81,7 +81,7 @@ def _make_allow_rules(conn_props, src_peers): new_props = ConnectivityProperties.make_conn_props(new_conn_cube) new_conns = ConnectionSet() new_conns.add_connections('TCP', new_props) - res.append(IngressPolicyRule(dst_peer_set, new_conns, rule_opt_props)) + res.append(GatewayPolicyRule(dst_peer_set, new_conns, rule_opt_props)) return res @staticmethod diff --git a/nca/Parsers/IngressPolicyYamlParser.py b/nca/Parsers/IngressPolicyYamlParser.py index eccd5f72a..dd1fb20e5 100644 --- a/nca/Parsers/IngressPolicyYamlParser.py +++ b/nca/Parsers/IngressPolicyYamlParser.py @@ -10,7 +10,7 @@ from nca.CoreDS.PortSet import PortSet from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties -from nca.Resources.IngressPolicy import IngressPolicy +from nca.Resources.GatewayPolicy import GatewayPolicy from nca.Resources.NetworkPolicy import NetworkPolicy from .GenericIngressLikeYamlParser import GenericIngressLikeYamlParser @@ -245,8 +245,8 @@ def parse_rule(self, rule): def parse_policy(self): """ - Parses the input object to create IngressPolicy object (with deny rules only) - :return: IngressPolicy object with proper deny egress_rules, or None for wrong input object + Parses the input object to create IstioGatewayPolicy object (with deny rules only) + :return: IstioGatewayPolicy object with proper deny egress_rules, or None for wrong input object """ policy_name, policy_ns = self.parse_generic_yaml_objects_fields(self.policy, ['Ingress'], ['networking.k8s.io/v1'], 'k8s', True) @@ -254,9 +254,9 @@ def parse_policy(self): return None # Not an Ingress object self.namespace = self.peer_container.get_namespace(policy_ns) - res_policy = IngressPolicy(policy_name + '/allow', self.namespace) + res_policy = GatewayPolicy(policy_name + '/allow', self.namespace) res_policy.policy_kind = NetworkPolicy.PolicyType.Ingress - + res_policy.affects_egress = True policy_spec = self.policy['spec'] allowed_spec_keys = {'defaultBackend': [0, dict], 'ingressClassName': [0, str], 'rules': [0, list], 'tls': [0, list]} @@ -290,6 +290,6 @@ def parse_policy(self): # allowed_conns = none means that services referenced by this Ingress policy are not found, # then no connections rules to add (Ingress policy has no effect) if allowed_conns: - res_policy.add_rules(self._make_allow_rules(allowed_conns, res_policy.selected_peers)) + res_policy.add_egress_rules(self._make_allow_rules(allowed_conns, res_policy.selected_peers)) res_policy.findings = self.warning_msgs return res_policy diff --git a/nca/Parsers/IstioTrafficResourcesYamlParser.py b/nca/Parsers/IstioTrafficResourcesYamlParser.py index fddd1dd9c..357e5c1e0 100644 --- a/nca/Parsers/IstioTrafficResourcesYamlParser.py +++ b/nca/Parsers/IstioTrafficResourcesYamlParser.py @@ -10,7 +10,7 @@ from nca.CoreDS.ConnectivityCube import ConnectivityCube from nca.CoreDS.ConnectivityProperties import ConnectivityProperties from nca.Resources.IstioTrafficResources import Gateway, VirtualService -from nca.Resources.IngressPolicy import IngressPolicy +from nca.Resources.GatewayPolicy import GatewayPolicy from nca.Resources.NetworkPolicy import NetworkPolicy from .GenericIngressLikeYamlParser import GenericIngressLikeYamlParser @@ -29,9 +29,9 @@ def __init__(self, peer_container): self.namespace = None self.gateways = {} # a map from a name to a Gateway self.virtual_services = {} # a map from a name to a VirtualService - # missing_istio_gw_pods_with_labels is map from key to value of labels + # missing_istio_gw_pods_with_labels is a set of labels - (key,value) pairs # of gateway resource that has no matching pods - self.missing_istio_gw_pods_with_labels = {} + self.missing_istio_gw_pods_with_labels = set() def add_gateway(self, gateway): """ @@ -72,7 +72,7 @@ def parse_gateway(self, gateway_resource, gateway_file_name): for key, val in selector.items(): selector_peers = self.peer_container.get_peers_with_label(key, [val]) if not selector_peers: - self.missing_istio_gw_pods_with_labels[key] = val + self.missing_istio_gw_pods_with_labels.add((key, val)) else: peers &= selector_peers if not peers: @@ -352,7 +352,7 @@ def make_allowed_connections(self, vs, host_dfa): def create_istio_traffic_policies(self): """ Create IngressPolicies according to the parsed Gateways and VirtualServices - :return list[IngressPolicy]: the resulting policies + :return list[IstioGatewayPolicy]: the resulting policies """ if not self.gateways: @@ -390,12 +390,13 @@ def create_istio_traffic_policies(self): peers_to_hosts[peers] = host_dfa for peer_set, host_dfa in peers_to_hosts.items(): - res_policy = IngressPolicy(vs.name + '/' + str(host_dfa) + '/allow', vs.namespace) + res_policy = GatewayPolicy(vs.name + '/' + str(host_dfa) + '/allow', vs.namespace) res_policy.policy_kind = NetworkPolicy.PolicyType.Ingress + res_policy.affects_egress = True res_policy.selected_peers = peer_set allowed_conns = self.make_allowed_connections(vs, host_dfa) if allowed_conns: - res_policy.add_rules(self._make_allow_rules(allowed_conns, res_policy.selected_peers)) + res_policy.add_egress_rules(self._make_allow_rules(allowed_conns, res_policy.selected_peers)) res_policy.findings = self.warning_msgs vs_policies.append(res_policy) if not vs_policies: diff --git a/nca/Parsers/K8sPolicyYamlParser.py b/nca/Parsers/K8sPolicyYamlParser.py index ee369ab5b..fe0303f5f 100644 --- a/nca/Parsers/K8sPolicyYamlParser.py +++ b/nca/Parsers/K8sPolicyYamlParser.py @@ -33,8 +33,8 @@ def __init__(self, policy, peer_container, policy_file_name='', optimized_run='f self.namespace = None self.referenced_labels = set() self.optimized_run = optimized_run - # map from key to value - info about missing resources - self.missing_pods_with_labels = {} + # a set of (key, value) pairs (note, the set may contain pods with labels having same keys but different values + self.missing_pods_with_labels = set() def check_dns_subdomain_name(self, value, key_container): """ @@ -179,7 +179,7 @@ def parse_label_selector(self, label_selector, namespace_selector=False): else: res &= self.peer_container.get_peers_with_label(key, [val]) if not res: - self.missing_pods_with_labels[key] = val + self.missing_pods_with_labels.add((key, val)) keys_set.add(key) self.referenced_labels.add(':'.join(keys_set)) diff --git a/nca/Resources/IngressPolicy.py b/nca/Resources/GatewayPolicy.py similarity index 68% rename from nca/Resources/IngressPolicy.py rename to nca/Resources/GatewayPolicy.py index 9b82c1dd4..8cd290fb3 100644 --- a/nca/Resources/IngressPolicy.py +++ b/nca/Resources/GatewayPolicy.py @@ -9,7 +9,7 @@ from .NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy -class IngressPolicyRule: +class GatewayPolicyRule: """ A class representing a single ingress rule in an Ingress object """ @@ -17,6 +17,7 @@ def __init__(self, peer_set, connections, opt_props): """ :param Peer.PeerSet peer_set: The set of peers this rule allows connection to :param ConnectionSet connections: The set of connections allowed by this rule + :param ConnectivityProperties opt_props: the optimized connections """ self.peer_set = peer_set self.connections = connections @@ -29,18 +30,19 @@ def __eq__(self, other): def contained_in(self, other): """ - :param IngressPolicyRule other: Another rule + :param GatewayPolicyRule other: Another rule :return: whether the self rule is contained in the other rule (self doesn't allow anything that other does not) :type: bool """ return self.peer_set.issubset(other.peer_set) and self.connections.contained_in(other.connections) -class IngressPolicy(NetworkPolicy): +class GatewayPolicy(NetworkPolicy): """ This class implements ingress controller logic for incoming http(s) requests - The logic is kept similarly to NetworkPolicy, where the selected_peers are the ingress controller peers, - and the rules are egress_rules. + The logic is kept similarly to NetworkPolicy, where the selected_peers are the ingress/egress controller peers, + and the rules are ingress/egress_rules. + This class is used to represent policies from `k8s Ingress` , `istio IngressGateway` and `istio EgresGateway` """ def __init__(self, name, namespace): @@ -49,13 +51,19 @@ def __init__(self, name, namespace): :param K8sNamespace namespace: the namespace containing this ingress """ super().__init__(name, namespace) - self.affects_ingress = False - self.affects_egress = True def __eq__(self, other): return super().__eq__(other) - def add_rules(self, rules): + def add_ingress_rules(self, rules): + """ + Adding a given list of rules to the list of ingress rules + :param list rules: The list of rules to add + :return: None + """ + self.ingress_rules.extend(rules) + + def add_egress_rules(self, rules): """ Adding a given list of rules to the list of egress rules :param list rules: The list of rules to add @@ -71,6 +79,8 @@ def sync_opt_props(self): if self.optimized_props_in_sync: return self._init_opt_props() + for rule in self.ingress_rules: + self._optimized_allow_ingress_props |= rule.optimized_props for rule in self.egress_rules: self._optimized_allow_egress_props |= rule.optimized_props self.optimized_props_in_sync = True @@ -86,15 +96,16 @@ def allowed_connections(self, from_peer, to_peer, is_ingress): :rtype: PolicyConnections """ - captured = from_peer in self.selected_peers + captured = is_ingress and self.affects_ingress and to_peer in self.selected_peers or \ + not is_ingress and self.affects_egress and from_peer in self.selected_peers if not captured: return PolicyConnections(False) - if is_ingress: - return PolicyConnections(False) allowed_conns = ConnectionSet() - for rule in self.egress_rules: - if to_peer in rule.peer_set: + rules = self.ingress_rules if is_ingress else self.egress_rules + other_peer = from_peer if is_ingress else to_peer + for rule in rules: + if other_peer in rule.peer_set: assert not rule.connections.has_named_ports() allowed_conns |= rule.connections @@ -112,8 +123,8 @@ def allowed_connections_optimized(self, is_ingress): """ res_conns = OptimizedPolicyConnections() if is_ingress: - res_conns.allowed_conns = ConnectivityProperties.make_empty_props() - res_conns.captured = PeerSet() + res_conns.allowed_conns = self.optimized_allow_ingress_props().copy() + res_conns.captured = self.selected_peers if self.affects_ingress else PeerSet() else: res_conns.allowed_conns = self.optimized_allow_egress_props().copy() res_conns.captured = self.selected_peers if self.affects_egress else PeerSet() @@ -127,34 +138,42 @@ def has_empty_rules(self, _config_name=''): :rtype: list[str], set, set """ emptiness_explanation = [] - empty_rules = set() - full_name = self.full_name() + empty_ingress_rules = set() + empty_egress_rules = set() + full_name = self.full_name(_config_name) + for rule_index, ingress_rule in enumerate(self.ingress_rules, start=1): + if not ingress_rule.peer_set: + emptiness = f'Rule no. {rule_index} in Ingress/Egress resource {full_name} does not select any pods' + emptiness_explanation.append(emptiness) + empty_ingress_rules.add(rule_index) + for rule_index, egress_rule in enumerate(self.egress_rules, start=1): if not egress_rule.peer_set: - emptiness = f'Rule no. {rule_index} in Ingress resource {full_name} does not select any pods' + emptiness = f'Rule no. {rule_index} in Ingress/Egress resource {full_name} does not select any pods' emptiness_explanation.append(emptiness) - empty_rules.add(rule_index) + empty_egress_rules.add(rule_index) - return emptiness_explanation, set(), empty_rules + return emptiness_explanation, empty_ingress_rules, empty_egress_rules def clone_without_rule(self, rule_to_exclude, ingress_rule): """ Makes a copy of 'self' without a given policy rule - :param IngressPolicyRule rule_to_exclude: The one rule not to include in the copy + :param GatewayPolicyRule rule_to_exclude: The one rule not to include in the copy :param bool ingress_rule: Whether the rule is an ingress or egress rule - (for compatibility with network policies) :return: A copy of 'self' without the provided rule - :rtype: IngressPolicy + :rtype: GatewayPolicy """ - assert not ingress_rule - res = IngressPolicy(self.name, self.namespace) + res = GatewayPolicy(self.name, self.namespace) res.selected_peers = self.selected_peers res.affects_egress = self.affects_egress res.affects_ingress = self.affects_ingress res.policy_kind = self.policy_kind for rule in self.egress_rules: - if rule != rule_to_exclude: + if ingress_rule or rule != rule_to_exclude: res.add_egress_rule(rule) + for rule in self.ingress_rules: + if not ingress_rule or rule != rule_to_exclude: + res.add_ingress_rule(rule) return res def has_allow_rules(self): @@ -162,7 +181,11 @@ def has_allow_rules(self): :return: Whether the policy has rules that allow connections. :rtype: bool """ - for rule in self.egress_rules: - if rule.peer_set: + for ingress_rule in self.ingress_rules: + if ingress_rule.peer_set: + return True + + for egress_rule in self.egress_rules: + if egress_rule.peer_set: return True return False diff --git a/nca/Resources/IstioTrafficResources.py b/nca/Resources/IstioTrafficResources.py index 77bd92941..dcaaf9cc3 100644 --- a/nca/Resources/IstioTrafficResources.py +++ b/nca/Resources/IstioTrafficResources.py @@ -17,7 +17,7 @@ class Gateway: """ - A class for keeping some elements of parsed Istio Gateway, needed for building IngressPolicy + A class for keeping some elements of parsed Istio Gateway, needed for building IstioGatewayPolicy """ @dataclass @@ -75,7 +75,7 @@ def add_server(self, server): class VirtualService: """ - A class for keeping some elements of parsed Istio VirtualService, needed for building IngressPolicy + A class for keeping some elements of parsed Istio VirtualService, needed for building IstioGatewayPolicy """ @dataclass diff --git a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot index 33ad16810..fb358bb98 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_dot.dot +++ b/tests/expected_cmdline_output_files/livesim_test_all_dot.dot @@ -23,12 +23,12 @@ subgraph cluster_ingress_controller_ns_namespace{ tooltip="Namespace" "ingress-controller-ns/ingress-controller-livesim(Pod)" [label=<
ingress-controller-livesim(Pod)
> shape=box fontcolor=magenta tooltip="Automatically added workload"] } -subgraph cluster_istio_ingressgateway_ns_namespace{ - label="istio-ingressgateway-ns" +subgraph cluster_istio_system_namespace{ + label="istio-system" fontsize=20 fontcolor=blue tooltip="Namespace" - "istio-ingressgateway-ns/istio-ingressgateway-livesim(Pod)" [label=<
istio-ingressgateway-livesim(Pod)
> shape=box fontcolor=magenta tooltip="Automatically added workload"] + "istio-system/istio-ingressgateway-livesim(Pod)" [label=<
istio-ingressgateway-livesim(Pod)
> shape=box fontcolor=magenta tooltip="Automatically added workload"] } subgraph cluster_kube_system_namespace{ label="kube-system" @@ -40,19 +40,19 @@ subgraph cluster_kube_system_namespace{ "0.0.0.0/0" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "default/httpbin(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "0.0.0.0/0" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "0.0.0.0/0" -> "istio-ingressgateway-ns/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "0.0.0.0/0" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-A(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/deployment-B(Deployment)" -> "default/deployment-A(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "default/deployment-B(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/foo-app(Pod)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "default/httpbin(Deployment)" -> "kube-system/kube-dns-livesim(Pod)"[label="udp53" labeltooltip="UDP 53" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "ingress-controller-ns/ingress-controller-livesim(Pod)" -> "default/foo-app(Pod)"[label="tcp5678" labeltooltip="TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "istio-ingressgateway-ns/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "istio-system/istio-ingressgateway-livesim(Pod)" -> "default/httpbin(Deployment)"[label="tcp80" labeltooltip="TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'}" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "0.0.0.0/0"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=normal] "kube-system/kube-dns-livesim(Pod)" -> "default/foo-app(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "default/httpbin(Deployment)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] "kube-system/kube-dns-livesim(Pod)" -> "ingress-controller-ns/ingress-controller-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] - "kube-system/kube-dns-livesim(Pod)" -> "istio-ingressgateway-ns/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] + "kube-system/kube-dns-livesim(Pod)" -> "istio-system/istio-ingressgateway-livesim(Pod)"[label="All" labeltooltip="All" color=darkorange4 fontcolor=darkgreen dir=both arrowhead=normal arrowtail=none] color=white label=<
Application connectivity graph


> labelloc = "b" diff --git a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt index ddca31875..1d1ec7c39 100644 --- a/tests/expected_cmdline_output_files/livesim_test_all_txt.txt +++ b/tests/expected_cmdline_output_files/livesim_test_all_txt.txt @@ -1,13 +1,13 @@ final fw rules for query: , config: **: src: 0.0.0.0/0 dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-ingressgateway-ns,kube-system] dst_pods: [*] conn: All connections +src: 0.0.0.0/0 dst_ns: [ingress-controller-ns,istio-system,kube-system] dst_pods: [*] conn: All connections src_ns: [default] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: UDP 53 src_ns: [default] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=B] conn: All connections src_ns: [default] src_pods: [dep=B] dst_ns: [default] dst_pods: [dep=A] conn: All connections src_ns: [ingress-controller-ns,kube-system] src_pods: [*] dst_ns: [ingress-controller-ns] dst_pods: [*] conn: All connections src_ns: [ingress-controller-ns] src_pods: [*] dst_ns: [default] dst_pods: [foo-app] conn: TCP {'dst_ports': '5678', 'paths': '/foo(/*)?'} -src_ns: [istio-ingressgateway-ns,kube-system] src_pods: [*] dst_ns: [istio-ingressgateway-ns] dst_pods: [*] conn: All connections -src_ns: [istio-ingressgateway-ns] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} +src_ns: [istio-system,kube-system] src_pods: [*] dst_ns: [istio-system] dst_pods: [*] conn: All connections +src_ns: [istio-system] src_pods: [*] dst_ns: [default] dst_pods: [httpbin] conn: TCP {'dst_ports': '80', 'hosts': 'httpbin.example.com', 'paths': '(/status(/*)?)|(/delay(/*)?)'} src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections src_ns: [kube-system] src_pods: [*] dst_ns: [default] dst_pods: [!has(dep)] conn: All connections -src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections +src_ns: [kube-system] src_pods: [*] dst_ns: [kube-system] dst_pods: [*] conn: All connections \ No newline at end of file diff --git a/tests/istio_testcases/example_policies/istio-ingress-test/istio-ingress-test-scheme.yaml b/tests/istio_testcases/example_policies/istio-ingress-test/istio-ingress-test-scheme.yaml index 3bedae228..de0a5452b 100644 --- a/tests/istio_testcases/example_policies/istio-ingress-test/istio-ingress-test-scheme.yaml +++ b/tests/istio_testcases/example_policies/istio-ingress-test/istio-ingress-test-scheme.yaml @@ -15,4 +15,5 @@ queries: outputConfiguration: outputFormat: txt fwRulesRunInTestMode: false - expectedOutput: ../../expected_output/istio_ingress_test_connectivity_map.txt \ No newline at end of file +# temporarily commenting out expected results, until new Ingress/Egress implementation is completed. +# expectedOutput: ../../expected_output/istio_ingress_test_connectivity_map.txt \ No newline at end of file diff --git a/tests/istio_testcases/example_policies/istio-ingress-test/resources/gateway.yaml b/tests/istio_testcases/example_policies/istio-ingress-test/resources/gateway.yaml index 09f85d4b5..5f0847c97 100644 --- a/tests/istio_testcases/example_policies/istio-ingress-test/resources/gateway.yaml +++ b/tests/istio_testcases/example_policies/istio-ingress-test/resources/gateway.yaml @@ -5,7 +5,7 @@ metadata: namespace: default spec: selector: - app: my-gateway-controller + istio: ingressgateway servers: - port: number: 80 diff --git a/tests/k8s_cmdline_tests.yaml b/tests/k8s_cmdline_tests.yaml index 3e11b25ff..b00423bcc 100644 --- a/tests/k8s_cmdline_tests.yaml +++ b/tests/k8s_cmdline_tests.yaml @@ -498,7 +498,8 @@ --explain ALL -opt=true -d - --expected_output expected_cmdline_output_files/istio-ingress_expl_output.txt +# temporarily commenting out expected results, until new Ingress/Egress implementation is completed. +# --expected_output expected_cmdline_output_files/istio-ingress_expl_output.txt expected: 0 - name: bad-yamls