From 46844111c69744880d3d8008f5789563841461aa Mon Sep 17 00:00:00 2001 
From: Tanya Veksler Date: Tue, 10 Dec 2024 09:51:35 +0200 Subject: [PATCH 01/20] explainability --- pkg/cli/list.go | 5 + pkg/internal/testutils/testutils.go | 13 + pkg/netpol/connlist/connlist.go | 47 +- pkg/netpol/connlist/conns_formatter.go | 37 +- pkg/netpol/connlist/conns_formatter_csv.go | 9 +- pkg/netpol/connlist/conns_formatter_dot.go | 2 +- pkg/netpol/connlist/conns_formatter_json.go | 5 +- pkg/netpol/connlist/conns_formatter_md.go | 9 +- pkg/netpol/connlist/conns_formatter_txt.go | 61 +- pkg/netpol/connlist/explanation_test.go | 78 ++ pkg/netpol/connlist/exposure_analysis.go | 2 + pkg/netpol/connlist/exposure_analysis_test.go | 35 +- .../ingressanalyzer/ingress_analyzer.go | 22 +- .../ingressanalyzer/ingress_analyzer_test.go | 7 +- .../internal/ingressanalyzer/service_test.go | 2 +- pkg/netpol/eval/check.go | 34 +- pkg/netpol/eval/eval_test.go | 11 +- pkg/netpol/eval/internal/k8s/adminnetpol.go | 48 +- .../internal/k8s/baseline_admin_netpol.go | 12 +- pkg/netpol/eval/internal/k8s/netpol.go | 126 +-- pkg/netpol/eval/internal/k8s/netpol_test.go | 14 +- pkg/netpol/eval/internal/k8s/pod.go | 12 +- .../eval/internal/k8s/policy_connections.go | 54 +- pkg/netpol/eval/resources.go | 9 +- .../internal/common/augmented_intervalset.go | 721 ++++++++++++++++++ pkg/netpol/internal/common/connection.go | 2 +- pkg/netpol/internal/common/connectionset.go | 319 +++++--- pkg/netpol/internal/common/portset.go | 135 ++-- .../anp_banp_blog_demo_2_explain_output.txt | 126 +++ ..._workload_my-monitoring_explain_output.txt | 33 + tests/anp_banp_blog_demo_2/ns.yaml | 35 + tests/anp_banp_blog_demo_2/policies.yaml | 87 +++ tests/anp_banp_blog_demo_2/workloads.yaml | 57 ++ 33 files changed, 1858 insertions(+), 311 deletions(-) create mode 100644 pkg/netpol/connlist/explanation_test.go create mode 100644 pkg/netpol/internal/common/augmented_intervalset.go create mode 100644 test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt create mode 100644 
test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt create mode 100644 tests/anp_banp_blog_demo_2/ns.yaml create mode 100644 tests/anp_banp_blog_demo_2/policies.yaml create mode 100644 tests/anp_banp_blog_demo_2/workloads.yaml diff --git a/pkg/cli/list.go b/pkg/cli/list.go index 37a11e61..3d52a69f 100644 --- a/pkg/cli/list.go +++ b/pkg/cli/list.go @@ -22,6 +22,7 @@ import ( var ( focusWorkload string exposureAnalysis bool + explain bool output string // output format outFile string // output file ) @@ -85,6 +86,9 @@ func getConnlistOptions(l *logger.DefaultLogger) []connlist.ConnlistAnalyzerOpti if exposureAnalysis { res = append(res, connlist.WithExposureAnalysis()) } + if explain { + res = append(res, connlist.WithExplanation()) + } return res } @@ -130,6 +134,7 @@ defined`, c.Flags().StringVarP(&focusWorkload, "focusworkload", "", "", "Focus connections of specified workload in the output ( or )") c.Flags().BoolVarP(&exposureAnalysis, "exposure", "", false, "Enhance the analysis of permitted connectivity with exposure analysis") + c.Flags().BoolVarP(&explain, "explain", "", false, "Enhance the analysis of permitted connectivity with explainability information") // output format - default txt // output format - default txt supportedFormats := strings.Join(connlist.ValidFormats, ",") diff --git a/pkg/internal/testutils/testutils.go b/pkg/internal/testutils/testutils.go index 8e1f05c9..89a71237 100644 --- a/pkg/internal/testutils/testutils.go +++ b/pkg/internal/testutils/testutils.go @@ -26,6 +26,7 @@ var update = flag.Bool("update", false, "write or override golden files") const ( connlistExpectedOutputFilePartialName = "connlist_output." + explainExpectedOutputFilePartialName = "explain_output." exposureExpectedOutputFilePartialName = "exposure_output." underscore = "_" dotSign = "." 
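Review bot: The new `--explain` flag in the `c.Flags().BoolVarP(&explain, ...)` hunk is accepted with every `--output` value, but only the txt formatter in this patch renders explanations. The csv and md formatters carry a `Tanya TODO - handle explain flag` comment, and the dot formatter only gains the parameter in the lines shown. A user running `--explain -o csv` would get a report that looks complete and carries no rule attribution. Either reject the combination where the command validates its flags (not visible in this hunk) or state the limit in the help text, e.g. `"Enhance the analysis of permitted connectivity with explainability information (txt output only)"`.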
@@ -56,6 +57,18 @@ func ConnlistTestNameByTestArgs(dirName, focusWorkload, format string, exposureF return testName, expectedOutputFileName } +// ExplainTestNameByTestArgs returns explain test name and test's expected output file from some tests args +func ExplainTestNameByTestArgs(dirName, focusWorkload string) (testName, expectedOutputFileName string) { + namePrefix := dirName + if focusWorkload != "" { + namePrefix += focusWlAnnotation + strings.Replace(focusWorkload, "/", underscore, 1) + } + testName = namePrefix + outputPartialName := explainExpectedOutputFilePartialName + expectedOutputFileName = namePrefix + underscore + outputPartialName + output.TextFormat + return testName, expectedOutputFileName +} + // DiffTestNameByTestArgs returns diff test name and test's expected output file from some tests args func DiffTestNameByTestArgs(ref1, ref2, format string) (testName, expectedOutputFileName string) { namePrefix := "diff_between_" + ref2 + "_and_" + ref1 diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index 5381d971..522665ff 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go @@ -47,6 +47,7 @@ type ConnlistAnalyzer struct { focusWorkload string exposureAnalysis bool exposureResult []ExposedPeer + explain bool outputFormat string muteErrsAndWarns bool peersList []Peer // internally used peersList used in dot formatting; in case of focusWorkload option contains only relevant peers @@ -136,6 +137,13 @@ func WithExposureAnalysis() ConnlistAnalyzerOption { } } +// WithExplanation is a functional option which directs ConnlistAnalyzer to return explainability of connectivity +func WithExplanation() ConnlistAnalyzerOption { + return func(c *ConnlistAnalyzer) { + c.explain = true + } +} + // WithOutputFormat is a functional option, allowing user to choose the output format txt/json/dot/csv/md. func WithOutputFormat(outputFormat string) ConnlistAnalyzerOption { return func(p *ConnlistAnalyzer) { 
@@ -158,6 +166,7 @@ func NewConnlistAnalyzer(options ...ConnlistAnalyzerOption) *ConnlistAnalyzer { stopOnError: false, exposureAnalysis: false, exposureResult: nil, + explain: false, errors: []ConnlistError{}, outputFormat: output.DefaultFormat, } @@ -201,10 +210,10 @@ func (ca *ConnlistAnalyzer) hasFatalError() error { func (ca *ConnlistAnalyzer) getPolicyEngine(objectsList []parser.K8sObject) (*eval.PolicyEngine, error) { // TODO: do we need logger in policyEngine? if !ca.exposureAnalysis { - return eval.NewPolicyEngineWithObjects(objectsList) + return eval.NewPolicyEngineWithObjects(objectsList, ca.explain) } // else build new policy engine with exposure analysis option - pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis) + pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis, ca.explain) err := pe.AddObjectsForExposureAnalysis(objectsList) return pe, err } @@ -225,7 +234,7 @@ func (ca *ConnlistAnalyzer) connsListFromParsedResources(objectsList []parser.K8 // ConnlistFromK8sCluster returns the allowed connections list from k8s cluster resources, and list of all peers names func (ca *ConnlistAnalyzer) ConnlistFromK8sCluster(clientset *kubernetes.Clientset) ([]Peer2PeerConnection, []Peer, error) { - pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis) + pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis, ca.explain) // get all resources from k8s cluster ctx, cancel := context.WithTimeout(context.Background(), ctxTimeoutSeconds*time.Second) @@ -275,7 +284,7 @@ func (ca *ConnlistAnalyzer) ConnectionsListToString(conns []Peer2PeerConnection) ca.errors = append(ca.errors, newResultFormattingError(err)) return "", err } - out, err := connsFormatter.writeOutput(conns, ca.exposureResult, ca.exposureAnalysis) + out, err := connsFormatter.writeOutput(conns, ca.exposureResult, ca.exposureAnalysis, ca.explain) if err != nil { ca.errors = append(ca.errors, newResultFormattingError(err)) return "", err 
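Review bot: `eval.NewPolicyEngineWithOptions(ca.exposureAnalysis, ca.explain)` in `getPolicyEngine` now passes two adjacent positional booleans, so transposing them compiles cleanly and silently switches which analysis the engine performs. The same call appears in the `ConnlistFromK8sCluster` hunk. The constructor itself is changed outside the lines shown here, so this is about the call sites only. Since this package already uses functional options (`WithExplanation`, `WithExposureAnalysis`), the engine constructor could take options as well. At minimum, label the arguments: `pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis /* exposure */, ca.explain /* explain */)`.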
@@ -325,10 +334,11 @@ const ( // connection implements the Peer2PeerConnection interface type connection struct { - src Peer - dst Peer - allConnections bool - protocolsAndPorts map[v1.Protocol][]common.PortRange + src Peer + dst Peer + allConnections bool + commonImplyingRules common.ImplyingRulesType // used for explainability, when allConnections is true + protocolsAndPorts map[v1.Protocol][]common.PortRange } func (c *connection) Src() Peer { @@ -344,13 +354,19 @@ func (c *connection) ProtocolsAndPorts() map[v1.Protocol][]common.PortRange { return c.protocolsAndPorts } +func (c *connection) OnlySystemDefaultRule() bool { + return c.allConnections && len(c.protocolsAndPorts) == 0 && c.commonImplyingRules.OnlySystemDefaultRule() +} + // returns a *common.ConnectionSet from Peer2PeerConnection data func GetConnectionSetFromP2PConnection(c Peer2PeerConnection) *common.ConnectionSet { protocolsToPortSetMap := make(map[v1.Protocol]*common.PortSet, len(c.ProtocolsAndPorts())) for protocol, portRangeArr := range c.ProtocolsAndPorts() { protocolsToPortSetMap[protocol] = common.MakePortSet(false) for _, p := range portRangeArr { - protocolsToPortSetMap[protocol].AddPortRange(p.Start(), p.End()) + augmentedRange := p.(*common.PortRangeData) + // we cannot fill explainability data here, so we pass an empty rule name and an arbitrary direction (isIngress being true) + protocolsToPortSetMap[protocol].AddPortRange(augmentedRange.Start(), augmentedRange.End(), augmentedRange.InSet(), "", true) } } connectionSet := &common.ConnectionSet{AllowAll: c.AllProtocolsAndPorts(), AllowedProtocols: protocolsToPortSetMap} 
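Review bot: The unchecked assertion `p.(*common.PortRangeData)` in the exported `GetConnectionSetFromP2PConnection` panics if a caller passes a `Peer2PeerConnection` whose port ranges are any other `common.PortRange` implementation. The function takes an interface, so it cannot assume the concrete type. Use the two-value form, `augmentedRange, ok := p.(*common.PortRangeData)`, and handle `!ok` explicitly. The same pattern is added in `createConnectionObject` (`allowedConnections.(*common.ConnectionSet)`), `formSingleP2PConn` and `writeConnlistOutput` (`conn.(*connection)`), and `xgressExposureListToXgressExposureDataList`. The new exported method `OnlySystemDefaultRule` also has no doc comment; something like `// OnlySystemDefaultRule reports whether all connections are allowed solely by the system default rule` would fit what the body checks.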
@@ -538,8 +554,8 @@ func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine, pe return nil, nil, err } } - // skip empty connections - if allowedConnections.IsEmpty() { + // skip empty connections when running without explainability + if allowedConnections.IsEmpty() && !ca.explain { continue } p2pConnection, err := ca.getP2PConnOrUpdateExposureConn(pe, allowedConnections, srcPeer, dstPeer, exposureMaps) @@ -636,10 +652,11 @@ func (ca *ConnlistAnalyzer) getP2PConnOrUpdateExposureConn(pe *eval.PolicyEngine // helper function - returns a connection object from the given fields func createConnectionObject(allowedConnections common.Connection, src, dst Peer) *connection { return &connection{ - src: src, - dst: dst, - allConnections: allowedConnections.IsAllConnections(), - protocolsAndPorts: allowedConnections.ProtocolsAndPortsMap(), + src: src, + dst: dst, + allConnections: allowedConnections.IsAllConnections(), + commonImplyingRules: allowedConnections.(*common.ConnectionSet).CommonImplyingRules, + protocolsAndPorts: allowedConnections.ProtocolsAndPortsMap(true), } } diff --git a/pkg/netpol/connlist/conns_formatter.go b/pkg/netpol/connlist/conns_formatter.go index a7701610..4456aa73 100644 --- a/pkg/netpol/connlist/conns_formatter.go +++ b/pkg/netpol/connlist/conns_formatter.go 
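Review bot: With `ca.explain` set, pairs for which `allowedConnections.IsEmpty()` is true are no longer skipped, so the `[]Peer2PeerConnection` returned to callers can now contain pairs with no allowed traffic. The exported entry points are still documented as returning the allowed connections list. A consumer that treats the presence of an entry as "reachable" would over-report connectivity once explanation is enabled, and the non-txt formatters would emit rows for those pairs. Say so at the condition, e.g. `// with explain, denied pairs are kept so the denying rules can be reported; an entry no longer implies allowed traffic`, and repeat it in the `WithExplanation` doc comment. The enclosing function starts and ends outside this hunk.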
@@ -37,12 +37,12 @@ type ipMaps struct { // saveConnsWithIPs gets a P2P connection; if the connection includes an IP-Peer as one of its end-points; the conn is saved in the // matching map of the formatText maps -func (i *ipMaps) saveConnsWithIPs(conn Peer2PeerConnection) { +func (i *ipMaps) saveConnsWithIPs(conn Peer2PeerConnection, explain bool) { if conn.Src().IsPeerIPType() { - i.PeerToConnsFromIPs[conn.Dst().String()] = append(i.PeerToConnsFromIPs[conn.Dst().String()], formSingleP2PConn(conn)) + i.PeerToConnsFromIPs[conn.Dst().String()] = append(i.PeerToConnsFromIPs[conn.Dst().String()], formSingleP2PConn(conn, explain)) } if conn.Dst().IsPeerIPType() { - i.peerToConnsToIPs[conn.Src().String()] = append(i.peerToConnsToIPs[conn.Src().String()], formSingleP2PConn(conn)) + i.peerToConnsToIPs[conn.Src().String()] = append(i.peerToConnsToIPs[conn.Src().String()], formSingleP2PConn(conn, explain)) } } @@ -57,14 +57,15 @@ func createIPMaps(initMapsFlag bool) (ipMaps ipMaps) { // connsFormatter implements output formatting in the required output format type connsFormatter interface { - writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) + writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool, explain bool) (string, error) } // singleConnFields represents a single connection object type singleConnFields struct { - Src string `json:"src"` - Dst string `json:"dst"` - ConnString string `json:"conn"` + Src string `json:"src"` + Dst string `json:"dst"` + ConnString string `json:"conn"` + Explanation string `json:"explanation,omitempty"` } // string representation of the singleConnFields struct 
@@ -72,10 +73,22 @@ func (c singleConnFields) string() string { return fmt.Sprintf("%s => %s : %s", c.Src, c.Dst, c.ConnString) } +func (c singleConnFields) nodePairString() string { + return fmt.Sprintf("%s => %s", c.Src, c.Dst) +} + +func (c singleConnFields) stringWithExplanation() string { + return fmt.Sprintf("CONNECTIONS BETWEEN %s => %s:\n\n%s", c.Src, c.Dst, c.Explanation) +} + // formSingleP2PConn returns a string representation of single connection fields as singleConnFields object -func formSingleP2PConn(conn Peer2PeerConnection) singleConnFields { +func formSingleP2PConn(conn Peer2PeerConnection, explain bool) singleConnFields { connStr := common.ConnStrFromConnProperties(conn.AllProtocolsAndPorts(), conn.ProtocolsAndPorts()) - return singleConnFields{Src: conn.Src().String(), Dst: conn.Dst().String(), ConnString: connStr} + expl := "" + if explain { + expl = common.ExplanationFromConnProperties(conn.AllProtocolsAndPorts(), conn.(*connection).commonImplyingRules, conn.ProtocolsAndPorts()) + } + return singleConnFields{Src: conn.Src().String(), Dst: conn.Dst().String(), ConnString: connStr, Explanation: expl} } // commonly (to be) used for exposure analysis output formatters 
@@ -181,13 +194,13 @@ func getRepresentativePodString(podLabels v1.LabelSelector, txtOutFlag bool) str // getConnlistAsSortedSingleConnFieldsArray returns a sorted singleConnFields list from Peer2PeerConnection list. // creates ipMaps object if the format requires it (to be used for exposure results later) -func getConnlistAsSortedSingleConnFieldsArray(conns []Peer2PeerConnection, ipMaps ipMaps, saveToIPMaps bool) []singleConnFields { +func getConnlistAsSortedSingleConnFieldsArray(conns []Peer2PeerConnection, ipMaps ipMaps, saveToIPMaps, explain bool) []singleConnFields { connItems := make([]singleConnFields, len(conns)) for i := range conns { if saveToIPMaps { - ipMaps.saveConnsWithIPs(conns[i]) + ipMaps.saveConnsWithIPs(conns[i], explain) } - connItems[i] = formSingleP2PConn(conns[i]) + connItems[i] = formSingleP2PConn(conns[i], explain) } return sortConnFields(connItems, true) } diff --git a/pkg/netpol/connlist/conns_formatter_csv.go b/pkg/netpol/connlist/conns_formatter_csv.go index a8ed59df..acfaf70a 100644 --- a/pkg/netpol/connlist/conns_formatter_csv.go +++ b/pkg/netpol/connlist/conns_formatter_csv.go @@ -18,12 +18,13 @@ type formatCSV struct { // writeOutput returns a CSV string form of connections from list of Peer2PeerConnection objects // and exposure analysis results from list ExposedPeer if exists -func (cs *formatCSV) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) { +func (cs *formatCSV) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag, explain bool) (string, error) { + // Tanya TODO - handle explain flag // writing csv rows into a buffer buf := new(bytes.Buffer) writer := csv.NewWriter(buf) - err := cs.writeCsvConnlistTable(conns, writer, exposureFlag) + err := cs.writeCsvConnlistTable(conns, writer, exposureFlag, explain) if err != nil { return "", err } 
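Review bot: The `// Tanya TODO - handle explain flag` comment in `formatCSV.writeOutput` leaves `explain` accepted but, as far as these hunks show, never written to the CSV. `formSingleP2PConn` still builds the explanation string for every row via `getConnlistAsSortedSingleConnFieldsArray`, and the work is discarded. The same TODO is added to `writeOutput` in conns_formatter_json.go and conns_formatter_md.go. A personal-name TODO is hard to track; prefer a neutral comment that states the current behaviour, e.g. `// TODO(explain): CSV output does not include explanations yet; the flag is ignored here`. Consider returning an error for the unsupported combination until it is implemented.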
@@ -61,14 +62,14 @@ func writeTableRows(conns []singleConnFields, writer *csv.Writer, srcFirst bool) } // writeCsvConnlistTable writes csv table for the Peer2PeerConnection list -func (cs *formatCSV) writeCsvConnlistTable(conns []Peer2PeerConnection, writer *csv.Writer, saveIPConns bool) error { +func (cs *formatCSV) writeCsvConnlistTable(conns []Peer2PeerConnection, writer *csv.Writer, saveIPConns, explain bool) error { err := writeCsvColumnsHeader(writer, true) if err != nil { return err } cs.ipMaps = createIPMaps(saveIPConns) // get an array of sorted conns items ([]singleConnFields), if required also save the relevant conns to ipMaps - sortedConnItems := getConnlistAsSortedSingleConnFieldsArray(conns, cs.ipMaps, saveIPConns) + sortedConnItems := getConnlistAsSortedSingleConnFieldsArray(conns, cs.ipMaps, saveIPConns, explain) return writeTableRows(sortedConnItems, writer, true) } diff --git a/pkg/netpol/connlist/conns_formatter_dot.go b/pkg/netpol/connlist/conns_formatter_dot.go index adcde568..94660398 100644 --- a/pkg/netpol/connlist/conns_formatter_dot.go +++ b/pkg/netpol/connlist/conns_formatter_dot.go @@ -59,7 +59,7 @@ func getPeerLine(peer Peer) (string, bool) { // returns a dot string form of connections from list of Peer2PeerConnection objects // and from exposure-analysis results if exists -func (d *formatDOT) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) { +func (d *formatDOT) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag, explain bool) (string, error) { // 1. declaration of maps and slices to be used for forming the graph lines nsPeers := make(map[string][]string) // map from namespace to its peers (grouping peers by namespaces) nsRepPeers := make(map[string][]string) // map from representative namespace to its representative peers 
diff --git a/pkg/netpol/connlist/conns_formatter_json.go b/pkg/netpol/connlist/conns_formatter_json.go index c7b8ecce..09b1d966 100644 --- a/pkg/netpol/connlist/conns_formatter_json.go +++ b/pkg/netpol/connlist/conns_formatter_json.go @@ -29,13 +29,14 @@ type exposureFields struct { // writeOutput returns a json string form of connections from list of Peer2PeerConnection objects // and exposure analysis results from list ExposedPeer if exists -func (j *formatJSON) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) { +func (j *formatJSON) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag, explain bool) (string, error) { + // Tanya TODO - handle explain flag j.ipMaps = createIPMaps(exposureFlag) // output variables var jsonConns []byte var err error // get an array of sorted connlist items ([]singleConnFields) - sortedConnItems := getConnlistAsSortedSingleConnFieldsArray(conns, j.ipMaps, exposureFlag) + sortedConnItems := getConnlistAsSortedSingleConnFieldsArray(conns, j.ipMaps, exposureFlag, explain) if exposureFlag { // get an array of sorted exposure items ingressExposureItems, egressExposureItems, _ := getExposureConnsAsSortedSingleConnFieldsArray(exposureConns, j.ipMaps) diff --git a/pkg/netpol/connlist/conns_formatter_md.go b/pkg/netpol/connlist/conns_formatter_md.go index 888dc92d..256d76c3 100644 --- a/pkg/netpol/connlist/conns_formatter_md.go +++ b/pkg/netpol/connlist/conns_formatter_md.go 
@@ -45,9 +45,10 @@ func getMDLine(c singleConnFields, srcFirst bool) string { // writeOutput returns a md string form of connections from list of Peer2PeerConnection objects, // and exposure analysis results from list ExposedPeer if exists -func (md *formatMD) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) { +func (md *formatMD) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag, explain bool) (string, error) { + // Tanya TODO - handle explain flag // first write connlist lines - allLines := md.writeMdConnlistLines(conns, exposureFlag) + allLines := md.writeMdConnlistLines(conns, exposureFlag, explain) if !exposureFlag { return strings.Join(allLines, newLineChar) + newLineChar, nil } @@ -66,9 +67,9 @@ func writeMdLines(conns []singleConnFields, srcFirst bool) []string { } // writeMdConnlistLines returns md lines from the list of Peer2PeerConnection -func (md *formatMD) writeMdConnlistLines(conns []Peer2PeerConnection, saveIPConns bool) []string { +func (md *formatMD) writeMdConnlistLines(conns []Peer2PeerConnection, saveIPConns, explain bool) []string { md.ipMaps = createIPMaps(saveIPConns) - sortedConns := getConnlistAsSortedSingleConnFieldsArray(conns, md.ipMaps, saveIPConns) + sortedConns := getConnlistAsSortedSingleConnFieldsArray(conns, md.ipMaps, saveIPConns, explain) connlistLines := []string{getMDHeader(true)} // connlist results are formatted: src | dst | conn connlistLines = append(connlistLines, writeMdLines(sortedConns, true)...) return connlistLines diff --git a/pkg/netpol/connlist/conns_formatter_txt.go b/pkg/netpol/connlist/conns_formatter_txt.go index 2168419f..cee00c6f 100644 --- a/pkg/netpol/connlist/conns_formatter_txt.go +++ b/pkg/netpol/connlist/conns_formatter_txt.go 
@@ -9,7 +9,8 @@ package connlist import ( "fmt" "sort" - "strings" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common" ) // formatText: implements the connsFormatter interface for txt output format @@ -19,8 +20,8 @@ type formatText struct { // writeOutput returns a textual string format of connections from list of Peer2PeerConnection objects, // and exposure analysis results if exist -func (t *formatText) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag bool) (string, error) { - res := t.writeConnlistOutput(conns, exposureFlag) +func (t *formatText) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer, exposureFlag, explain bool) (string, error) { + res := t.writeConnlistOutput(conns, exposureFlag, explain) if !exposureFlag { return res, nil } 
@@ -33,22 +34,62 @@ func (t *formatText) writeOutput(conns []Peer2PeerConnection, exposureConns []Ex } // writeConnlistOutput writes the section of the connlist result of the output -func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConns bool) string { - connLines := make([]string, len(conns)) +func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConns, explain bool) string { + connLines := make([]singleConnFields, 0, len(conns)) + systemDefaultConnLines := make([]singleConnFields, 0, len(conns)) t.ipMaps = createIPMaps(saveIPConns) for i := range conns { - connLines[i] = formSingleP2PConn(conns[i]).string() + p2pConn := formSingleP2PConn(conns[i], explain) + if explain { + // when running with explanation, we print system default connections at the end + if conns[i].(*connection).OnlySystemDefaultRule() { + systemDefaultConnLines = append(systemDefaultConnLines, p2pConn) + } else { + connLines = append(connLines, p2pConn) + } + } else { + connLines = append(connLines, p2pConn) + } // if we have exposure analysis results, also check if src/dst is an IP and store the connection if saveIPConns { - t.ipMaps.saveConnsWithIPs(conns[i]) + t.ipMaps.saveConnsWithIPs(conns[i], explain) + } + } + sortConnFields(connLines, true) + if explain { + sortConnFields(systemDefaultConnLines, true) + } + result := "" + if explain { + result = writeExplanationOutput(connLines, systemDefaultConnLines) + } else { + for _, p2pConn := range connLines { + result += p2pConn.string() + newLineChar + } + } + return result +} + +func writeExplanationOutput(connLines, systemDefaultConnLines []singleConnFields) string { + result := "" + for _, p2pConn := range connLines { + result += nodePairSeparationLine + result += p2pConn.stringWithExplanation() + newLineChar + } + if len(systemDefaultConnLines) > 0 { + result += nodePairSeparationLine + systemDefaultPairsHeader + for _, p2pConn := range systemDefaultConnLines { + result += 
p2pConn.nodePairString() + newLineChar } } - sort.Strings(connLines) - return strings.Join(connLines, newLineChar) + newLineChar + return result } const ( - unprotectedHeader = "\nWorkloads not protected by network policies:\n" + unprotectedHeader = "\nWorkloads not protected by network policies:\n" + separationLine80 = "--------------------------------------------------------------------------------" + nodePairSeparationLine = separationLine80 + separationLine80 + common.NewLine + systemDefaultPairsHeader = "The following nodes are connected due to " + common.SystemDefaultRule + ":\n" ) // writeExposureOutput writes the section of the exposure-analysis result diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go new file mode 100644 index 00000000..a308e941 --- /dev/null +++ b/pkg/netpol/connlist/explanation_test.go 
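Review bot: The output in `writeConnlistOutput` and `writeExplanationOutput` is built with `result +=` inside loops, which re-copies the accumulated string on every iteration. With multi-line explanations per pair this grows quadratically in the number of pairs. A `strings.Builder` avoids that, but it needs the `"strings"` import that this file's import hunk removes. The nested `if explain { if ... } else { ... }` also repeats the same `append` in two branches and can collapse to `if explain && conns[i].(*connection).OnlySystemDefaultRule() { ... } else { ... }`. The builder form of the helper is below.

```go
func writeExplanationOutput(connLines, systemDefaultConnLines []singleConnFields) string {
	var b strings.Builder
	for _, p2pConn := range connLines {
		b.WriteString(nodePairSeparationLine)
		b.WriteString(p2pConn.stringWithExplanation())
		b.WriteString(newLineChar)
	}
	if len(systemDefaultConnLines) > 0 {
		b.WriteString(nodePairSeparationLine)
		b.WriteString(systemDefaultPairsHeader)
		for _, p2pConn := range systemDefaultConnLines {
			b.WriteString(p2pConn.nodePairString())
			b.WriteString(newLineChar)
		}
	}
	return b.String()
}
```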
@@ -0,0 +1,78 @@ +/* +Copyright 2023- IBM Inc. All Rights Reserved. + +SPDX-License-Identifier: Apache-2.0 +*/ +package connlist + +import ( + "fmt" + "testing" + + "github.com/np-guard/netpol-analyzer/pkg/internal/output" + "github.com/np-guard/netpol-analyzer/pkg/internal/testutils" + + "github.com/stretchr/testify/require" +) + +// file for testing functionality of explainability analysis + +func TestExplainFromDir(t *testing.T) { + t.Parallel() + for _, tt := range explainTests { + tt := tt + t.Run(tt.testDirName, func(t *testing.T) { + t.Parallel() + pTest := prepareExplainTest(tt.testDirName, tt.focusWorkload) + res, _, err := pTest.analyzer.ConnlistFromDirPath(pTest.dirPath) + require.Nil(t, err, pTest.testInfo) + out, err := pTest.analyzer.ConnectionsListToString(res) + require.Nil(t, err, pTest.testInfo) + testutils.CheckActualVsExpectedOutputMatch(t, pTest.expectedOutputFileName, out, + pTest.testInfo, currentPkg) + }) + } +} + +func prepareExplainTest(dirName, focusWorkload string) preparedTest { + res := preparedTest{} + res.testName, res.expectedOutputFileName = testutils.ExplainTestNameByTestArgs(dirName, focusWorkload) + res.testInfo = fmt.Sprintf("test: %q", res.testName) + cAnalyzer := NewConnlistAnalyzer(WithOutputFormat(output.TextFormat), WithFocusWorkload(focusWorkload), WithExplanation()) + res.analyzer = cAnalyzer + res.dirPath = testutils.GetTestDirPath(dirName) + return res +} + +var explainTests = []struct { + testDirName string + focusWorkload string +}{ + // { + // testDirName: "anp_test_10", + // }, + { + testDirName: "anp_banp_blog_demo", + focusWorkload: "my-monitoring", + }, + { + testDirName: "anp_banp_blog_demo_2", + // focusWorkload: "my-monitoring", + }, + // { + // testDirName: "ipblockstest", + // }, + // { + // testDirName: "onlineboutique", + // }, + // { + // testDirName: "anp_banp_blog_demo", + // }, + // { + // testDirName: "acs-security-demos", + // }, + // { + // testDirName: "acs-security-demos", + // focusWorkload: 
"ingress-controller", + // }, +} diff --git a/pkg/netpol/connlist/exposure_analysis.go b/pkg/netpol/connlist/exposure_analysis.go index e2c76d74..a3491975 100644 --- a/pkg/netpol/connlist/exposure_analysis.go +++ b/pkg/netpol/connlist/exposure_analysis.go @@ -78,6 +78,8 @@ func xgressExposureListToXgressExposureDataList(xgressExp []*xgressExposure) []X res := make([]XgressExposureData, len(xgressExp)) for i := range xgressExp { res[i] = xgressExp[i] + exposure := res[i].(*xgressExposure) + exposure.potentialConn = exposure.potentialConn.GetEquivalentCanonicalConnectionSet() } return res } diff --git a/pkg/netpol/connlist/exposure_analysis_test.go b/pkg/netpol/connlist/exposure_analysis_test.go index ccda3db3..fd46228e 100644 --- a/pkg/netpol/connlist/exposure_analysis_test.go +++ b/pkg/netpol/connlist/exposure_analysis_test.go @@ -54,7 +54,7 @@ func newTCPConnWithPorts(ports []int) *common.ConnectionSet { conn := common.MakeConnectionSet(false) portSet := common.MakePortSet(false) for i := range ports { - portSet.AddPort(intstr.FromInt(ports[i])) + portSet.AddPort(intstr.FromInt(ports[i]), common.InitImplyingRules()) } conn.AddConnection(v1.ProtocolTCP, portSet) return conn 
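Review bot: The `explainTests` table in explanation_test.go runs only two cases and leaves seven entries commented out, so the explanation output is exercised only on the `anp_banp_blog_demo` variants. Nothing visible here covers plain NetworkPolicy or ipBlock inputs. Either enable the entries with golden files or delete them, and leave a single comment listing the directories still to be covered. For the error checks, `require.NoError(t, err, pTest.testInfo)` reports the error text on failure, whereas `require.Nil` does not read as an error assertion.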
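Review bot: The added lines in `xgressExposureListToXgressExposureDataList` mutate the caller's `xgressExp` elements in place, because `res[i]` holds the same pointer. A function that reads as a pure conversion therefore now rewrites `potentialConn` on its input. The round-trip assertion `res[i].(*xgressExposure)` is also unnecessary, since the concrete value is already at hand: `xgressExp[i].potentialConn = xgressExp[i].potentialConn.GetEquivalentCanonicalConnectionSet()`. If a nil element or a nil `potentialConn` can reach this function (not determinable from the hunk), that line dereferences it, so a guard or a comment stating the invariant would help. Please also document the side effect in the function comment, which lies outside this hunk.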
@@ -337,16 +337,41 @@ func checkExpectedVsActualData(t *testing.T, testName string, actualExp ExposedP "test: %q, mismatch in is egress protected for peer %q", testName, actualExp.ExposedPeer().String()) require.Equal(t, expectedData.isIngressProtected, actualExp.IsProtectedByIngressNetpols(), "test: %q, mismatch in is ingress protected for peer %q", testName, actualExp.ExposedPeer().String()) - require.Equal(t, expectedData.lenIngressExposedConns, len(actualExp.IngressExposure()), + ingressExposure := actualExp.IngressExposure() + require.Equal(t, expectedData.lenIngressExposedConns, len(ingressExposure), "test: %q, mismatch in length of ingress exposure slice for peer %q", testName, actualExp.ExposedPeer().String()) for i := range expectedData.ingressExp { - require.Contains(t, actualExp.IngressExposure(), expectedData.ingressExp[i], + require.True(t, checkXgressExposureContainment(ingressExposure, expectedData.ingressExp[i]), "test: %q, expected ingress data %v is not contained in actual results", testName, expectedData.ingressExp[i]) } - require.Equal(t, expectedData.lenEgressExposedConns, len(actualExp.EgressExposure()), + egressExposure := actualExp.EgressExposure() + require.Equal(t, expectedData.lenEgressExposedConns, len(egressExposure), "test: %q, mismatch in length of egress exposure slice for peer %q", testName, actualExp.ExposedPeer().String()) for i := range expectedData.egressExp { - require.Contains(t, actualExp.EgressExposure(), expectedData.egressExp[i], + require.True(t, checkXgressExposureContainment(egressExposure, expectedData.egressExp[i]), "test: %q, expected egress data %v is not contained in actual results", testName, expectedData.egressExp[i]) } } + +func checkXgressExposureContainment(actualArray []XgressExposureData, expectedItem *xgressExposure) bool { + for i := range actualArray { + currItem := actualArray[i].(*xgressExposure) + if currItem.IsExposedToEntireCluster() != expectedItem.IsExposedToEntireCluster() { + continue + } + if 
!currItem.IsExposedToEntireCluster() { + if currItem.namespaceLabels.String() != expectedItem.namespaceLabels.String() { + continue + } + if currItem.podLabels.String() != expectedItem.podLabels.String() { + continue + } + } + conn1 := expectedItem.PotentialConnectivity().(*common.ConnectionSet) + conn2 := currItem.PotentialConnectivity().(*common.ConnectionSet) + if conn1.Equal(conn2) { + return true + } + } + return false +} diff --git a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go index 897f9701..c6c488b2 100644 --- a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go +++ b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go @@ -7,6 +7,7 @@ SPDX-License-Identifier: Apache-2.0 package ingressanalyzer import ( + "fmt" "strconv" ocroutev1 "github.com/openshift/api/route/v1" @@ -283,7 +284,7 @@ func (ia *IngressAnalyzer) AllowedIngressConnections() (map[string]*PeerAndIngre func mergeResults(routesMap, ingressMap map[string]*PeerAndIngressConnSet) { for k, v := range routesMap { if _, ok := ingressMap[k]; ok { - ingressMap[k].ConnSet.Union(v.ConnSet) + ingressMap[k].ConnSet.Union(v.ConnSet, false) } else { ingressMap[k] = v } 
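Review bot: The second argument in `ingressMap[k].ConnSet.Union(v.ConnSet, false)` in `mergeResults` is a bare literal whose meaning cannot be read at the call site. The same literal is passed to `Union` in the following hunks, in `allowedIngressConnectionsByResourcesType` and `getIngressObjectTargetedPeersAndPorts`. The new `Union` signature is defined outside the lines shown here, so the parameter's effect on the merged implying rules is not verifiable from this page. Label the argument at each call, e.g. `Union(v.ConnSet, false /* <parameter name> */)`, or introduce a named constant so a reviewer can tell whether rule attribution is preserved when route and ingress results are merged.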
@@ -301,20 +302,20 @@ func (ia *IngressAnalyzer) allowedIngressConnectionsByResourcesType(mapToIterate continue } for objName, svcList := range objSvcMap { - ingressObjTargetPeersAndPorts, err := ia.getIngressObjectTargetedPeersAndPorts(ns, svcList) + ingObjStr := types.NamespacedName{Namespace: ns, Name: objName}.String() + ingressObjTargetPeersAndPorts, err := ia.getIngressObjectTargetedPeersAndPorts(ns, ingObjStr, svcList, ingType) if err != nil { return nil, err } // avoid duplicates in the result, consider the different ports supported for peer, pConn := range ingressObjTargetPeersAndPorts { - ingObjStr := types.NamespacedName{Namespace: ns, Name: objName}.String() if _, ok := res[peer.String()]; !ok { mapLen := 2 ingressObjs := make(map[string][]string, mapLen) ingressObjs[ingType] = []string{ingObjStr} res[peer.String()] = &PeerAndIngressConnSet{Peer: peer, ConnSet: pConn, IngressObjects: ingressObjs} } else { - res[peer.String()].ConnSet.Union(pConn) + res[peer.String()].ConnSet.Union(pConn, false) res[peer.String()].IngressObjects[ingType] = append(res[peer.String()].IngressObjects[ingType], ingObjStr) } } 
@@ -326,23 +327,24 @@ func (ia *IngressAnalyzer) allowedIngressConnectionsByResourcesType(mapToIterate // getIngressObjectTargetedPeersAndPorts returns map from peers which are targeted by Route/k8s-Ingress objects in their namespace to // the Ingress required connections -func (ia *IngressAnalyzer) getIngressObjectTargetedPeersAndPorts(ns string, - svcList []serviceInfo) (map[eval.Peer]*common.ConnectionSet, error) { +func (ia *IngressAnalyzer) getIngressObjectTargetedPeersAndPorts(ns, ingObjStr string, + svcList []serviceInfo, ingType string) (map[eval.Peer]*common.ConnectionSet, error) { res := make(map[eval.Peer]*common.ConnectionSet) for _, svc := range svcList { peersAndPorts, ok := ia.servicesToPortsAndPeersMap[ns][svc.serviceName] if !ok { ia.logWarning("Ignoring target service " + svc.serviceName + " : service not found") } + ruleName := fmt.Sprintf("[%s] %s//service %s", ingType, ingObjStr, svc.serviceName) for _, peer := range peersAndPorts.peers { - currIngressPeerConn, err := ia.getIngressPeerConnection(peer, peersAndPorts.ports, svc.servicePort) + currIngressPeerConn, err := ia.getIngressPeerConnection(peer, peersAndPorts.ports, svc.servicePort, ruleName) if err != nil { return nil, err } if _, ok := res[peer]; !ok { res[peer] = currIngressPeerConn } else { - res[peer].Union(currIngressPeerConn) + res[peer].Union(currIngressPeerConn, false) } } } 
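Review bot: `ruleName` is built, and the peer loop entered, even when the service lookup just above failed: the `!ok` branch in `getIngressObjectTargetedPeersAndPorts` only logs "Ignoring target service" and then falls through. With the zero value of `peersAndPorts` the loop probably does nothing, but that depends on the map's value type, which is not visible in this hunk. Adding `continue` after the `ia.logWarning(...)` call would make the skip explicit and avoid formatting a rule name for a service that is being ignored.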
@@ -351,7 +353,7 @@ func (ia *IngressAnalyzer) getIngressObjectTargetedPeersAndPorts(ns string, // getIngressPeerConnection returns the ingress connection to a peer based on the required port specified in the ingress objects func (ia *IngressAnalyzer) getIngressPeerConnection(peer eval.Peer, actualServicePorts []corev1.ServicePort, - requiredPort intstr.IntOrString) (*common.ConnectionSet, error) { + requiredPort intstr.IntOrString, ruleName string) (*common.ConnectionSet, error) { peerTCPConn := eval.GetPeerExposedTCPConnections(peer) // get the peer port/s which may be accessed by the service required port // (if the required port is not specified, all service ports are allowed) @@ -374,7 +376,7 @@ func (ia *IngressAnalyzer) getIngressPeerConnection(peer eval.Peer, actualServic if peerTCPConn.Contains(strconv.Itoa(portNum), string(corev1.ProtocolTCP)) { permittedPort := common.MakePortSet(false) - permittedPort.AddPort(intstr.FromInt(portNum)) + permittedPort.AddPort(intstr.FromInt(portNum), common.MakeImplyingRulesWithRule(ruleName, true)) res.AddConnection(corev1.ProtocolTCP, permittedPort) } } diff --git a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer_test.go b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer_test.go index 307e6f6a..b4dfbc3e 100644 --- a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer_test.go +++ b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer_test.go 
@@ -27,7 +27,7 @@ func getIngressAnalyzerFromDirObjects(t *testing.T, testName, dirName string, pr objects, fpErrs := parser.ResourceInfoListToK8sObjectsList(rList, logger.NewDefaultLogger(), false) require.Len(t, fpErrs, processingErrsNum, "test: %q, expected %d processing errors but got %d", testName, processingErrsNum, len(fpErrs)) - pe, err := eval.NewPolicyEngineWithObjects(objects) + pe, err := eval.NewPolicyEngineWithObjects(objects, false) require.Empty(t, err, "test: %q", testName) ia, err := NewIngressAnalyzerWithObjects(objects, pe, logger.NewDefaultLogger(), false) require.Empty(t, err, "test: %q", testName) @@ -97,9 +97,10 @@ func checkConnsEquality(t *testing.T, testName string, ingressConns map[string]* "test: %q, mismatch in ingress connections to %q", testName, peerStr) // if all connections is false; check if actual conns are as expected if !expectedIngressToPeer.allConnections { - require.Contains(t, ingressConnsToPeer.ConnSet.ProtocolsAndPortsMap(), v1.Protocol(expectedIngressToPeer.protocol), + require.Contains(t, ingressConnsToPeer.ConnSet.ProtocolsAndPortsMap(false), v1.Protocol(expectedIngressToPeer.protocol), "test: %q, mismatch in ingress connections to peer %q, should contain protocol %q", testName, peerStr, expectedIngressToPeer.protocol) - connPortRange := ingressConnsToPeer.ConnSet.ProtocolsAndPortsMap()[v1.Protocol(expectedIngressToPeer.protocol)] + connSet := ingressConnsToPeer.ConnSet.GetEquivalentCanonicalConnectionSet() + connPortRange := connSet.ProtocolsAndPortsMap(false)[v1.Protocol(expectedIngressToPeer.protocol)] require.Len(t, connPortRange, len(expectedIngressToPeer.ports), "test: %q, mismatch in ingress connections to %q", testName, peerStr) for i := range expectedIngressToPeer.ports { diff --git a/pkg/netpol/connlist/internal/ingressanalyzer/service_test.go b/pkg/netpol/connlist/internal/ingressanalyzer/service_test.go index 7939629e..d73c7341 100644 --- a/pkg/netpol/connlist/internal/ingressanalyzer/service_test.go 
+++ b/pkg/netpol/connlist/internal/ingressanalyzer/service_test.go @@ -90,7 +90,7 @@ func TestServiceMappingToPods(t *testing.T) { objects, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, logger.NewDefaultLogger(), false) require.Len(t, processingErrs, 1, "test: %q", tt.name) // no policies require.Len(t, objects, 17, "test: %q", tt.name) // found 6 services and 11 pods - pe, err := eval.NewPolicyEngineWithObjects(objects) + pe, err := eval.NewPolicyEngineWithObjects(objects, false) require.Empty(t, err, "test: %q", tt.name) ia, err := NewIngressAnalyzerWithObjects(objects, pe, logger.NewDefaultLogger(), false) require.Empty(t, err, "test: %q", tt.name) diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index 3964a0f1..f7568ced 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go @@ -16,7 +16,6 @@ import ( "k8s.io/apimachinery/pkg/types" "github.com/np-guard/models/pkg/netset" - "github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors" "github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s" "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common" @@ -247,7 +246,10 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) var err error // cases where any connection is always allowed if isPodToItself(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(dstK8sPeer, srcK8sPeer) { - return common.MakeConnectionSet(true), nil + res = common.MakeConnectionSet(true) + res.AddCommonImplyingRule(common.PodToItselfRule, true) + res.AddCommonImplyingRule(common.PodToItselfRule, false) + return res, nil } // egress: get egress allowed connections between the src and dst by // walking through all k8s egress policies capturing the src; @@ -256,6 +258,7 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) if err != nil { return nil, err } + res.SetExplResult(false) if res.IsEmpty() { return res, nil } 
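Review bot: The early return in `allAllowedConnectionsBetweenPeers` tags the allow-all result with `common.PodToItselfRule` in both directions, but the condition it sits under is also true when either peer satisfies `isPeerNodeIP`. In that case the explanation would attribute the permitted traffic to a pod talking to itself, which is not why it is allowed. Choosing the rule by cause would keep the explanation accurate: use `common.PodToItselfRule` only when `isPodToItself(srcK8sPeer, dstK8sPeer)` holds and a separate constant (name to be chosen) for the node-IP case. The function body continues outside this hunk.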
@@ -266,6 +269,7 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) if err != nil { return nil, err } + ingressRes.SetExplResult(true) res.Intersection(ingressRes) return res, nil } @@ -276,6 +280,10 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) // admin-network-policies, network-policies and baseline-admin-network-policies; // considering the precedence of each policy func (pe *PolicyEngine) allAllowedXgressConnections(src, dst k8s.Peer, isIngress bool) (allowedConns *common.ConnectionSet, err error) { + // Tanya TODO: think about the implicitly denied protocols/port ranges + // (due to NPs capturing this src/dst, but defining only some of protocols/ports) + // How to update implying rules in this case? + // first get allowed xgress conn between the src and dst from the ANPs // note that: // - anpConns may contain allowed, denied or/and passed connections @@ -287,6 +295,7 @@ func (pe *PolicyEngine) allAllowedXgressConnections(src, dst k8s.Peer, isIngress } // optimization: if all the conns between src and dst were determined by the ANPs : return the allowed conns if anpCaptured && anpConns.DeterminesAllConns() { + anpConns.AllowedConns.Subtract(anpConns.DeniedConns) // update explainabiliy data return anpConns.AllowedConns, nil } // second get the allowed xgress conns between the src and dst from the netpols @@ -386,7 +395,7 @@ func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, i if pe.exposureAnalysisFlag { updatePeerXgressClusterWideExposure(policy, src, dst, isIngress) } - allowedConns.Union(policyAllowedConnectionsPerDirection) + allowedConns.Union(policyAllowedConnectionsPerDirection, true) // collect implying rules from multiple NPs } // putting the result in policiesConns object to be compared with conns allowed by ANP/BANP later policiesConns = k8s.NewPolicyConnections() 
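Review bot: In the `anpCaptured && anpConns.DeterminesAllConns()` fast path of `allAllowedXgressConnections`, the added `anpConns.AllowedConns.Subtract(anpConns.DeniedConns)` mutates the set that is then returned. Its trailing comment (which misspells "explainability") does not say why a subtraction is the right way to update explanation data. If the allowed and denied sets are already disjoint here, the call exists only for its side effect on the implying rules and the comment should say so, for example `// allowed and denied are disjoint here; Subtract only attaches the deny rules as explanation` (wording to be confirmed by the author). If they are not guaranteed disjoint, this line changes the returned verdict and deserves its own test. The function starts and ends outside the hunk.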
@@ -406,7 +415,7 @@ func (pe *PolicyEngine) determineAllowedConnsPerDirection(policy *k8s.NetworkPol case policy.IngressPolicyExposure.ClusterWideExposure.AllowAll && src.PeerType() == k8s.PodType: return policy.IngressPolicyExposure.ClusterWideExposure, nil default: - return policy.GetIngressAllowedConns(src, dst) + return policy.GetXgressAllowedConns(src, dst, true) } } // else get egress allowed conns between src and dst @@ -416,7 +425,7 @@ func (pe *PolicyEngine) determineAllowedConnsPerDirection(policy *k8s.NetworkPol case policy.EgressPolicyExposure.ClusterWideExposure.AllowAll && dst.PeerType() == k8s.PodType: return policy.EgressPolicyExposure.ClusterWideExposure, nil default: - return policy.GetEgressAllowedConns(dst) + return policy.GetXgressAllowedConns(src, dst, false) } } @@ -485,7 +494,11 @@ func (pe *PolicyEngine) getAllAllowedXgressConnectionsFromANPs(src, dst k8s.Peer } if policiesConns.IsEmpty() { // conns between src and dst were not captured by the adminNetpols, to be determined by netpols/default conns - return k8s.NewPolicyConnections(), false, nil + policiesConns.ComplementPassConns() + return policiesConns, false, nil + } + if !policiesConns.PassConns.AllowAll { + policiesConns.ComplementPassConns() } return policiesConns, true, nil @@ -502,7 +515,7 @@ func (pe *PolicyEngine) getAllAllowedXgressConnectionsFromANPs(src, dst k8s.Peer func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool) (*k8s.PolicyConnections, error) { res := k8s.NewPolicyConnections() if pe.baselineAdminNetpol == nil { - res.AllowedConns = common.MakeConnectionSet(true) + res.AllowedConns = common.MakeAllConnectionSetWithRule(common.SystemDefaultRule, isIngress) return res, nil } if isIngress { // ingress 
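Review bot: The not-captured return in `getAllAllowedXgressConnectionsFromANPs` used to hand back a fresh `k8s.NewPolicyConnections()` and now returns `policiesConns` after `ComplementPassConns()`, so the value paired with `false` is presumably no longer empty. Any caller that tests the returned connections with `IsEmpty()` instead of the boolean would behave differently; the callers are outside this hunk, so this needs checking. Neither `ComplementPassConns()` call has a comment explaining the intent or the `!policiesConns.PassConns.AllowAll` guard. A line above the first call such as `// treat everything not decided by an ANP rule as passed on to the next policy layer` (to be confirmed against the method) would help.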
@@ -530,8 +543,9 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool) } } } - if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all - res.AllowedConns = common.MakeConnectionSet(true) - } + // if banp rules didn't capture xgress conn between src and dst, return system-default: allow-all; + // if banp rule captured xgress conn, only DeniedConns should be impacted by banp rule, + // whenever AllowedConns should anyway be system-default: allow-all + res.AllowedConns = common.MakeAllConnectionSetWithRule(common.SystemDefaultRule, isIngress) return res, nil } diff --git a/pkg/netpol/eval/eval_test.go b/pkg/netpol/eval/eval_test.go index 6a5ccb45..83d9be89 100644 --- a/pkg/netpol/eval/eval_test.go +++ b/pkg/netpol/eval/eval_test.go @@ -1786,7 +1786,7 @@ func TestPolicyEngineWithWorkloads(t *testing.T) { if len(processingErrs) > 0 { t.Fatalf("TestPolicyEngineWithWorkloads errors: %v", processingErrs) } - pe, err := NewPolicyEngineWithObjects(objects) + pe, err := NewPolicyEngineWithObjects(objects, false) if err != nil { t.Fatalf("TestPolicyEngineWithWorkloads error: %v", err) } @@ -1806,6 +1806,9 @@ func pickContainedConn(conn *common.ConnectionSet) (resProtocol, resPort string) return string(v1.ProtocolTCP), defaultPort } for protocol, portSet := range conn.AllowedProtocols { + if portSet.IsEmpty() { // at least in some protocol, portSet will not be empty + continue + } resProtocol = string(protocol) if portSet.IsAll() { resPort = defaultPort 
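Review bot: `res.AllowedConns` is now overwritten unconditionally at the end of `getXgressDefaultConns`, so any allow connections and implying rules that the BANP rule handling above stored in it are discarded. The verdict may be unchanged, as the new comment argues, but a connection matched by a BANP Allow rule would then be explained by `common.SystemDefaultRule` rather than by the BANP rule. That seems to defeat the rule names threaded through `ruleFullName(banp.fullName(), ...)` elsewhere in this patch. Consider merging instead of replacing, e.g. `res.AllowedConns.Union(common.MakeAllConnectionSetWithRule(common.SystemDefaultRule, isIngress), true)` if that flag value keeps existing rules, or state in the comment that BANP Allow attribution is dropped on purpose. The rule loop is outside this hunk, so the effect on explanation output is inferred.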
@@ -1829,7 +1832,8 @@ func runParsedResourcesEvalTests(t *testing.T, testList []examples.ParsedResourc test := &testList[i] t.Run(test.Name, func(t *testing.T) { t.Parallel() - pe, err := NewPolicyEngineWithObjects(test.GetK8sObjects()) + // TODO - support explain (and then change the 'false' below to 'true') + pe, err := NewPolicyEngineWithObjects(test.GetK8sObjects(), false) require.Nil(t, err, test.TestInfo) for _, evalTest := range test.EvalTests { src := evalTest.Src @@ -1956,7 +1960,8 @@ func TestDirPathEvalResults(t *testing.T) { require.Empty(t, errs, "test: %q", testName) objectsList, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, logger.NewDefaultLogger(), false) require.Empty(t, processingErrs, "test: %q", testName) - pe, err := NewPolicyEngineWithObjects(objectsList) + // TODO - support explain (and then change the 'false' below to 'true') + pe, err := NewPolicyEngineWithObjects(objectsList, false) require.Nil(t, err, "test: %q", testName) var src, dst string for podStr, podObj := range pe.podsMap { diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go index 96f6a826..721dc4ba 100644 --- a/pkg/netpol/eval/internal/k8s/adminnetpol.go +++ b/pkg/netpol/eval/internal/k8s/adminnetpol.go @@ -119,7 +119,8 @@ func ingressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyIngressPeer, s // updateConnsIfEgressRuleSelectsPeer checks if the given dst is selected by given egress rule, // if yes, updates given policyConns with the rule's connections func updateConnsIfEgressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyEgressPeer, - rulePorts *[]apisv1a.AdminNetworkPolicyPort, dst Peer, policyConns *PolicyConnections, action string, isBANPrule bool) error { + rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName string, dst Peer, policyConns *PolicyConnections, + action string, isBANPrule bool) error { if len(rulePeers) == 0 { return errors.New(netpolerrors.ANPEgressRulePeersErr) } 
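Review bot: The `NewPolicyEngineWithObjects(..., false)` calls added in `runParsedResourcesEvalTests` and `TestDirPathEvalResults` pin these eval tests to non-explain mode, so nothing here checks that turning explanation on leaves the allowed-connection verdicts unchanged. That equivalence is the property most worth guarding, because this patch changes `Union`, `Subtract` and the default-connection logic for the sake of explanation data. Until the TODO is resolved, running the same tables with the flag set to `true` and asserting identical results would cover it. The meaning of the flag is taken from the TODO comment; the constructor is not in this hunk.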
@@ -130,14 +131,15 @@ func updateConnsIfEgressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyEg if !peerSelected { return nil } - err = updatePolicyConns(rulePorts, policyConns, dst, action, isBANPrule) + err = updatePolicyConns(rulePorts, ruleName, policyConns, dst, action, isBANPrule, false) return err } // updateConnsIfIngressRuleSelectsPeer checks if the given src is selected by given ingress rule, // if yes, updates given policyConns with the rule's connections func updateConnsIfIngressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyIngressPeer, - rulePorts *[]apisv1a.AdminNetworkPolicyPort, src, dst Peer, policyConns *PolicyConnections, action string, isBANPrule bool) error { + rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName string, src, dst Peer, policyConns *PolicyConnections, + action string, isBANPrule bool) error { if len(rulePeers) == 0 { return errors.New(netpolerrors.ANPIngressRulePeersErr) } @@ -148,16 +150,16 @@ func updateConnsIfIngressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyI if !peerSelected { return nil } - err = updatePolicyConns(rulePorts, policyConns, dst, action, isBANPrule) + err = updatePolicyConns(rulePorts, ruleName, policyConns, dst, action, isBANPrule, true) return err } // updatePolicyConns gets the rule connections from the rule.ports and updates the input policy connections // with the rule's conns considering the action -func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, policyConns *PolicyConnections, dst Peer, - action string, isBANPrule bool) error { +func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName string, policyConns *PolicyConnections, dst Peer, + action string, isBANPrule, isIngress bool) error { // get rule connections from rulePorts - ruleConns, err := ruleConnections(rulePorts, dst) + ruleConns, err := ruleConnections(rulePorts, ruleName, dst, isIngress) if err != nil { return err } 
@@ -167,9 +169,9 @@ func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, policyConns } // ruleConnections returns the connectionSet from the current rule.Ports -func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common.ConnectionSet, error) { - if ports == nil { - return common.MakeConnectionSet(true), nil // If Ports is not set then the rule does not filter traffic via port. +func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, dst Peer, isIngress bool) (*common.ConnectionSet, error) { + if ports == nil { // If Ports is not set then the rule does not filter traffic via port. + return common.MakeAllConnectionSetWithRule(ruleName, isIngress), nil } res := common.MakeConnectionSet(false) for _, anpPort := range *ports { @@ -183,7 +185,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common if anpPort.PortNumber.Protocol != "" { protocol = anpPort.PortNumber.Protocol } - portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port)) + portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port), common.MakeImplyingRulesWithRule(ruleName, isIngress)) case anpPort.NamedPort != nil: podProtocol, podPort := dst.GetPeerPod().ConvertPodNamedPort(*anpPort.NamedPort) if podPort == common.NoPort { // pod does not have this named port in its container @@ -192,7 +194,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common if podProtocol != "" { protocol = v1.Protocol(podProtocol) } - portSet.AddPort(intstr.FromInt32(podPort)) + portSet.AddPort(intstr.FromInt32(podPort), common.MakeImplyingRulesWithRule(ruleName, isIngress)) case anpPort.PortRange != nil: if anpPort.PortRange.Protocol != "" { protocol = anpPort.PortRange.Protocol 
@@ -200,7 +202,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common if isEmptyPortRange(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End)) { continue // @todo should raise a warning } - portSet.AddPortRange(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End)) + portSet.AddPortRange(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End), true, ruleName, isIngress) } res.AddConnection(protocol, portSet) } @@ -400,13 +402,27 @@ func (anp *AdminNetworkPolicy) anpRuleErr(ruleName, description string) error { return fmt.Errorf("%s %q: %s %q: %s", anpErrTitle, anp.Name, ruleErrTitle, ruleName, description) } +func (anp *AdminNetworkPolicy) fullName() string { + return "[ANP] " + anp.Name +} + +func ruleFullName(policyName, ruleName, action string, isIngress bool) string { + xgress := egressName + if isIngress { + xgress = ingressName + } + return fmt.Sprintf("%s//%s rule %s (%s)", policyName, xgress, ruleName, action) +} + // GetIngressPolicyConns returns the connections from the ingress rules selecting the src in spec of the adminNetworkPolicy func (anp *AdminNetworkPolicy) GetIngressPolicyConns(src, dst Peer) (*PolicyConnections, error) { res := NewPolicyConnections() for _, rule := range anp.Spec.Ingress { // rule is apisv1a.AdminNetworkPolicyIngressRule rulePeers := rule.From rulePorts := rule.Ports - if err := updateConnsIfIngressRuleSelectsPeer(rulePeers, rulePorts, src, dst, res, string(rule.Action), false); err != nil { + if err := updateConnsIfIngressRuleSelectsPeer(rulePeers, rulePorts, + ruleFullName(anp.fullName(), rule.Name, string(rule.Action), true), + src, dst, res, string(rule.Action), false); err != nil { return nil, anp.anpRuleErr(rule.Name, err.Error()) } } 
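Review bot: `ruleFullName` formats `ruleName` with `%s`, so a rule without a name (the field is optional in the admin policy API, as far as I know) yields `... rule  (Allow)`, and several unnamed rules of one policy become indistinguishable in the explanation. `anpRuleErr` just above already uses `%q` for the same value, and the NetworkPolicy side of this patch identifies rules by position. Doing the same here, e.g. `return fmt.Sprintf("%s//%s rule %q (%s)", policyName, xgress, ruleName, action)` plus the rule index, would keep each explanation line traceable to one rule and keep unusual characters in manifest-supplied names visibly quoted. Both new helpers (`fullName`, `ruleFullName`) also lack doc comments.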
@@ -419,7 +435,9 @@ func (anp *AdminNetworkPolicy) GetEgressPolicyConns(dst Peer) (*PolicyConnection for _, rule := range anp.Spec.Egress { // rule is apisv1a.AdminNetworkPolicyEgressRule rulePeers := rule.To rulePorts := rule.Ports - if err := updateConnsIfEgressRuleSelectsPeer(rulePeers, rulePorts, dst, res, string(rule.Action), false); err != nil { + if err := updateConnsIfEgressRuleSelectsPeer(rulePeers, rulePorts, + ruleFullName(anp.fullName(), rule.Name, string(rule.Action), false), + dst, res, string(rule.Action), false); err != nil { return nil, anp.anpRuleErr(rule.Name, err.Error()) } } diff --git a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go index a4e99ed8..181f79f9 100644 --- a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go +++ b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go @@ -51,13 +51,19 @@ func banpRuleErr(ruleName, description string) error { return fmt.Errorf("%s%s %q: %s", banpErrTitle, ruleErrTitle, ruleName, description) } +func (banp *BaselineAdminNetworkPolicy) fullName() string { + return "[BANP] " + banp.Name +} + // GetEgressPolicyConns returns the connections from the egress rules selecting the dst in spec of the baselineAdminNetworkPolicy func (banp *BaselineAdminNetworkPolicy) GetEgressPolicyConns(dst Peer) (*PolicyConnections, error) { res := NewPolicyConnections() for _, rule := range banp.Spec.Egress { // rule is apisv1a.BaselineAdminNetworkPolicyEgressRule rulePeers := rule.To rulePorts := rule.Ports - if err := updateConnsIfEgressRuleSelectsPeer(rulePeers, rulePorts, dst, res, string(rule.Action), true); err != nil { + if err := updateConnsIfEgressRuleSelectsPeer(rulePeers, rulePorts, + ruleFullName(banp.fullName(), rule.Name, string(rule.Action), false), + dst, res, string(rule.Action), true); err != nil { return nil, banpRuleErr(rule.Name, err.Error()) } } 
@@ -70,7 +76,9 @@ func (banp *BaselineAdminNetworkPolicy) GetIngressPolicyConns(src, dst Peer) (*P for _, rule := range banp.Spec.Ingress { // rule is apisv1a.BaselineAdminNetworkPolicyIngressRule rulePeers := rule.From rulePorts := rule.Ports - if err := updateConnsIfIngressRuleSelectsPeer(rulePeers, rulePorts, src, dst, res, string(rule.Action), true); err != nil { + if err := updateConnsIfIngressRuleSelectsPeer(rulePeers, rulePorts, + ruleFullName(banp.fullName(), rule.Name, string(rule.Action), true), + src, dst, res, string(rule.Action), true); err != nil { return nil, banpRuleErr(rule.Name, err.Error()) } } diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index c2784fcd..ca715730 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go @@ -61,8 +61,10 @@ type PolicyExposureWithoutSelectors struct { // if so, also consider concurrent access (or declare not goroutine safe?) const ( - portBase = 10 - portBits = 32 + portBase = 10 + portBits = 32 + egressName = "Egress" + ingressName = "Ingress" ) func getProtocolStr(p *v1.Protocol) string { @@ -116,6 +118,13 @@ func isEmptyPortRange(start, end int64) bool { return start == common.NoPort && end == common.NoPort } +func (np *NetworkPolicy) rulePeersAndPorts(ruleIdx int, isIngress bool) ([]netv1.NetworkPolicyPeer, []netv1.NetworkPolicyPort) { + if isIngress { + return np.Spec.Ingress[ruleIdx].From, np.Spec.Ingress[ruleIdx].Ports + } + return np.Spec.Egress[ruleIdx].To, np.Spec.Egress[ruleIdx].Ports +} + // doesRulePortContain gets protocol and port numbers of a rule and other protocol and port; // returns if other is contained in the rule's port func doesRulePortContain(ruleProtocol, otherProtocol string, ruleStartPort, ruleEndPort, otherPort int64) bool { 
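Review bot: `rulePeersAndPorts` indexes `np.Spec.Ingress[ruleIdx]` or `np.Spec.Egress[ruleIdx]` directly and has no doc comment stating that the caller must supply an index that is in range for the chosen direction. The caller added later in this patch bounds the index by the matching slice length, so this is about recording the contract rather than a live bug. Suggested comment: `// rulePeersAndPorts returns the peers and ports of the ingress rule (or the egress rule when isIngress is false) at ruleIdx; ruleIdx must be a valid index into that rules slice.`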
@@ -131,12 +140,15 @@ func doesRulePortContain(ruleProtocol, otherProtocol string, ruleStartPort, rule return false } -func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, dst Peer) (*common.ConnectionSet, error) { +func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, dst Peer, + ruleIdx int, isIngress bool) (*common.ConnectionSet, error) { if len(rulePorts) == 0 { - return common.MakeConnectionSet(true), nil // If this field is empty or missing, this rule matches all ports + // If this field is empty or missing, this rule matches all ports // (traffic not restricted by port) + return common.MakeAllConnectionSetWithRule(np.ruleName(ruleIdx, isIngress), isIngress), nil } res := common.MakeConnectionSet(false) + ruleName := np.ruleName(ruleIdx, isIngress) for i := range rulePorts { protocol := v1.ProtocolTCP if rulePorts[i].Protocol != nil { @@ -166,10 +178,10 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds // 4- in order to get a connection from any pod to an ip dst (will not get here, as named ports are not defined for ip-blocks) // adding portName string to the portSet - ports.AddPort(intstr.FromString(portName)) + ports.AddPort(intstr.FromString(portName), common.MakeImplyingRulesWithRule(ruleName, isIngress)) } if !isEmptyPortRange(startPort, endPort) { - ports.AddPortRange(startPort, endPort) + ports.AddPortRange(startPort, endPort, true, ruleName, isIngress) } } res.AddConnection(protocol, ports) 
@@ -355,54 +367,58 @@ func (np *NetworkPolicy) EgressAllowedConn(dst Peer, protocol, port string) (boo return false, nil } -// GetEgressAllowedConns returns the set of allowed connections from any captured pod to the destination peer -func (np *NetworkPolicy) GetEgressAllowedConns(dst Peer) (*common.ConnectionSet, error) { - res := common.MakeConnectionSet(false) - for _, rule := range np.Spec.Egress { - rulePeers := rule.To - rulePorts := rule.Ports - peerSelected, err := np.ruleSelectsPeer(rulePeers, dst) - if err != nil { - return res, err - } - if !peerSelected { - continue - } - ruleConns, err := np.ruleConnections(rulePorts, dst) - if err != nil { - return res, err - } - res.Union(ruleConns) - if res.AllowAll { - return res, nil - } +const ( + NoXgressRulesExpl = "(no %s rules defined)" + CapturedButNotSelectedExpl = "(captured but not selected by any %s rule)" +) + +func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) string { + xgress := "Egress" + if isIngress { + xgress = "Ingress" } - return res, nil + return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress) } -// GetIngressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer -func (np *NetworkPolicy) GetIngressAllowedConns(src, dst Peer) (*common.ConnectionSet, error) { +// GetXgressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer (for Ingress) +// or from any captured pod to the dst peer (for Egress) +func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*common.ConnectionSet, error) { res := common.MakeConnectionSet(false) - for _, rule := range np.Spec.Ingress { - rulePeers := rule.From - rulePorts := rule.Ports - peerSelected, err := np.ruleSelectsPeer(rulePeers, src) + if (isIngress && len(np.Spec.Ingress) == 0) || (!isIngress && len(np.Spec.Egress) == 0) { + res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, NoXgressRulesExpl), isIngress) + 
return res, nil + } + peerSelectedByAnyRule := false + numOfRules := len(np.Spec.Egress) + if isIngress { + numOfRules = len(np.Spec.Ingress) + } + for idx := 0; idx < numOfRules; idx++ { + rulePeers, rulePorts := np.rulePeersAndPorts(idx, isIngress) + peerToSelect := dst + if isIngress { + peerToSelect = src + } + peerSelected, err := np.ruleSelectsPeer(rulePeers, peerToSelect) if err != nil { return res, err } if !peerSelected { continue } - - ruleConns, err := np.ruleConnections(rulePorts, dst) + peerSelectedByAnyRule = true + ruleConns, err := np.ruleConnections(rulePorts, dst, idx, isIngress) if err != nil { return res, err } - res.Union(ruleConns) + res.Union(ruleConns, false) if res.AllowAll { return res, nil } } + if !peerSelectedByAnyRule { + res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, CapturedButNotSelectedExpl), isIngress) + } return res, nil } @@ -510,7 +526,15 @@ func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, erro } func (np *NetworkPolicy) fullName() string { - return types.NamespacedName{Name: np.Name, Namespace: np.Namespace}.String() + return "[NP] " + types.NamespacedName{Name: np.Name, Namespace: np.Namespace}.String() +} + +func (np *NetworkPolicy) ruleName(ruleIdx int, isIngress bool) string { + xgress := egressName + if isIngress { + xgress = ingressName + } + return fmt.Sprintf("%s//%s rule #%d", np.fullName(), xgress, ruleIdx+1) } // ///////////////////////////////////////////////////////////////////////////////////////////// 
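Review bot: `nameWithDirectionAndExpl` builds its format string by concatenating the `expl` parameter (`"%s//%s "+expl`), so it is only correct when `expl` contains exactly one `%s`. Any other string passed later would put `%!(EXTRA ...)` or `%!s(MISSING)` into the explanation text. It also repeats the literals `"Egress"` and `"Ingress"` although this patch adds `egressName` and `ingressName` for that purpose. Formatting the explanation separately keeps the outer format constant: `return fmt.Sprintf("%s//%s %s", np.fullName(), xgress, fmt.Sprintf(expl, xgress))`, with `xgress` taken from the two constants. The exported `NoXgressRulesExpl` and `CapturedButNotSelectedExpl` should also get doc comments saying they take the direction as their single verb.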
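Review bot: `fullName()` now returns the namespaced name with an `[NP] ` prefix, which changes the value for every existing caller, not only the new rule-name helpers. If any caller outside this hunk uses it in warnings, error text or as a lookup key, its output changes as a side effect of this patch; that cannot be checked from here. Leaving `fullName()` as it was and adding the prefix inside `ruleName` and `nameWithDirectionAndExpl` would confine the change to explanation strings. `ruleName` would also benefit from a one-line doc comment noting that the printed rule number is 1-based (`ruleIdx+1`).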
@@ -548,10 +572,10 @@ func (np *NetworkPolicy) GetPolicyRulesSelectorsAndUpdateExposureClusterWideConn // scanIngressRules handles policy's ingress rules (for updating policy's wide conns/ returning specific rules' selectors) func (np *NetworkPolicy) scanIngressRules() ([]SingleRuleSelectors, error) { rulesSelectors := []SingleRuleSelectors{} - for _, rule := range np.Spec.Ingress { + for idx, rule := range np.Spec.Ingress { rulePeers := rule.From rulePorts := rule.Ports - selectors, err := np.getSelectorsAndUpdateExposureClusterWideConns(rulePeers, rulePorts, true) + selectors, err := np.getSelectorsAndUpdateExposureClusterWideConns(rulePeers, rulePorts, idx, true) if err != nil { return nil, err } @@ -563,10 +587,10 @@ func (np *NetworkPolicy) scanIngressRules() ([]SingleRuleSelectors, error) { // scanEgressRules handles policy's egress rules (for updating policy's wide conns/ returning specific rules' selectors) func (np *NetworkPolicy) scanEgressRules() ([]SingleRuleSelectors, error) { rulesSelectors := []SingleRuleSelectors{} - for _, rule := range np.Spec.Egress { + for idx, rule := range np.Spec.Egress { rulePeers := rule.To rulePorts := rule.Ports - selectors, err := np.getSelectorsAndUpdateExposureClusterWideConns(rulePeers, rulePorts, false) + selectors, err := np.getSelectorsAndUpdateExposureClusterWideConns(rulePeers, rulePorts, idx, false) if err != nil { return nil, err } 
@@ -584,9 +608,9 @@ func (np *NetworkPolicy) scanEgressRules() ([]SingleRuleSelectors, error) { // - if a rule contains at least one defined selector : appends the rule selectors to a selector list which will be returned. // this func assumes rules are legal (rules correctness check occurs later) func (np *NetworkPolicy) getSelectorsAndUpdateExposureClusterWideConns(rules []netv1.NetworkPolicyPeer, rulePorts []netv1.NetworkPolicyPort, - isIngress bool) (rulesSelectors []SingleRuleSelectors, err error) { + ruleIdx int, isIngress bool) (rulesSelectors []SingleRuleSelectors, err error) { if len(rules) == 0 { - err = np.updateNetworkPolicyExposureClusterWideConns(true, true, rulePorts, isIngress) + err = np.updateNetworkPolicyExposureClusterWideConns(true, true, rulePorts, ruleIdx, isIngress) return nil, err } for i := range rules { @@ -601,7 +625,7 @@ func (np *NetworkPolicy) getSelectorsAndUpdateExposureClusterWideConns(rules []n // if podSelector is not nil but namespaceSelector is nil, this is the netpol's namespace if rules[i].NamespaceSelector != nil && rules[i].NamespaceSelector.Size() == 0 && (rules[i].PodSelector == nil || rules[i].PodSelector.Size() == 0) { - err = np.updateNetworkPolicyExposureClusterWideConns(false, true, rulePorts, isIngress) + err = np.updateNetworkPolicyExposureClusterWideConns(false, true, rulePorts, ruleIdx, isIngress) return nil, err } // else selectors' combination specifies workloads by labels (at least one is not nil and not empty) 
@@ -614,23 +638,23 @@ func (np *NetworkPolicy) getSelectorsAndUpdateExposureClusterWideConns(rules []n // updateNetworkPolicyExposureClusterWideConns updates the cluster-wide exposure connections of the policy func (np *NetworkPolicy) updateNetworkPolicyExposureClusterWideConns(externalExposure, entireCluster bool, - rulePorts []netv1.NetworkPolicyPort, isIngress bool) error { - ruleConns, err := np.ruleConnections(rulePorts, nil) + rulePorts []netv1.NetworkPolicyPort, ruleIdx int, isIngress bool) error { + ruleConns, err := np.ruleConnections(rulePorts, nil, ruleIdx, isIngress) if err != nil { return err } if externalExposure { if isIngress { - np.IngressPolicyExposure.ExternalExposure.Union(ruleConns) + np.IngressPolicyExposure.ExternalExposure.Union(ruleConns, false) } else { - np.EgressPolicyExposure.ExternalExposure.Union(ruleConns) + np.EgressPolicyExposure.ExternalExposure.Union(ruleConns, false) } } if entireCluster { if isIngress { - np.IngressPolicyExposure.ClusterWideExposure.Union(ruleConns) + np.IngressPolicyExposure.ClusterWideExposure.Union(ruleConns, false) } else { - np.EgressPolicyExposure.ClusterWideExposure.Union(ruleConns) + np.EgressPolicyExposure.ClusterWideExposure.Union(ruleConns, false) } } return nil diff --git a/pkg/netpol/eval/internal/k8s/netpol_test.go b/pkg/netpol/eval/internal/k8s/netpol_test.go index e36c0671..333c7822 100644 --- a/pkg/netpol/eval/internal/k8s/netpol_test.go +++ b/pkg/netpol/eval/internal/k8s/netpol_test.go @@ -11,6 +11,7 @@ import ( v1 "k8s.io/api/core/v1" netv1 "k8s.io/api/networking/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" ) 
@@ -93,8 +94,17 @@ func TestNetworkPolicyPortAnalysis(t *testing.T) { Protocol: &UDP, Port: &PortHello, } - n := &NetworkPolicy{} - res, err := n.ruleConnections([]netv1.NetworkPolicyPort{AllowNamedPortOnProtocol}, &dst) + n := &NetworkPolicy{ + &netv1.NetworkPolicy{ + ObjectMeta: metav1.ObjectMeta{ + Name: "test-name", + Namespace: "test-namespace", + }, + }, + PolicyExposureWithoutSelectors{}, + PolicyExposureWithoutSelectors{}, + } + res, err := n.ruleConnections([]netv1.NetworkPolicyPort{AllowNamedPortOnProtocol}, &dst, 0, false) expectedConnStr := "UDP 22" if res.String() != expectedConnStr { t.Fatalf("mismatch on ruleConnections result: expected %v, got %v", expectedConnStr, res.String()) diff --git a/pkg/netpol/eval/internal/k8s/pod.go b/pkg/netpol/eval/internal/k8s/pod.go index d84d93e0..f02ea3ac 100644 --- a/pkg/netpol/eval/internal/k8s/pod.go +++ b/pkg/netpol/eval/internal/k8s/pod.go @@ -270,7 +270,7 @@ func (pod *Pod) PodExposedTCPConnections() *common.ConnectionSet { protocol := corev1.ProtocolTCP if cPort.Protocol == "" || protocol == corev1.ProtocolTCP { ports := common.MakePortSet(false) - ports.AddPortRange(int64(cPort.ContainerPort), int64(cPort.ContainerPort)) + ports.AddPortRange(int64(cPort.ContainerPort), int64(cPort.ContainerPort), true, "", true) res.AddConnection(protocol, ports) } } @@ -300,12 +300,12 @@ func (pod *Pod) UpdatePodXgressExposureToEntireClusterData(ruleConns *common.Con // matching port number convertedConns := pod.checkAndConvertNamedPortsInConnection(ruleConns) if convertedConns != nil { - pod.IngressExposureData.ClusterWideConnection.Union(convertedConns) + pod.IngressExposureData.ClusterWideConnection.Union(convertedConns, false) } else { - pod.IngressExposureData.ClusterWideConnection.Union(ruleConns) + pod.IngressExposureData.ClusterWideConnection.Union(ruleConns, false) } } else { - pod.EgressExposureData.ClusterWideConnection.Union(ruleConns) + pod.EgressExposureData.ClusterWideConnection.Union(ruleConns, false) } } 
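Review bot: The `NetworkPolicy` literal in `TestNetworkPolicyPortAnalysis` is built positionally, so it depends on the struct's field order and nothing at the call site shows which `PolicyExposureWithoutSelectors{}` is ingress and which is egress. Keyed fields avoid that, e.g. `IngressPolicyExposure: PolicyExposureWithoutSelectors{}, EgressPolicyExposure: PolicyExposureWithoutSelectors{}` (names as used in netpol.go; the name of the first, presumably embedded, field is not visible here). The call also passes the new `ruleIdx` and `isIngress` arguments, but the visible assertion still checks only `res.String()`, so the rule recorded for the result is untested. The test body continues outside the hunk.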
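Review bot: The guard `cPort.Protocol == "" || protocol == corev1.ProtocolTCP` in `PodExposedTCPConnections` is always true, because `protocol` was assigned `corev1.ProtocolTCP` on the line above; container ports declared as UDP or SCTP are therefore added to the TCP set. The comparison was presumably meant to read the container port: `if cPort.Protocol == "" || cPort.Protocol == corev1.ProtocolTCP {`. The condition predates this commit, but the changed `AddPortRange` call sits inside it, so every port recorded with the new explainability arguments inherits the wrong protocol. The function starts and ends outside the hunk.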
@@ -319,10 +319,10 @@ func (pod *Pod) checkAndConvertNamedPortsInConnection(conns *common.ConnectionSe connsCopy := conns.Copy() // copying the connectionSet; in order to replace // the named ports with pod's port numbers if possible for protocol, namedPorts := range connNamedPorts { - for _, namedPort := range namedPorts { + for namedPort, implyingRules := range namedPorts { podProtocol, portNum := pod.ConvertPodNamedPort(namedPort) if podProtocol == string(protocol) && portNum != common.NoPort { // matching port and protocol - connsCopy.ReplaceNamedPortWithMatchingPortNum(protocol, namedPort, portNum) + connsCopy.ReplaceNamedPortWithMatchingPortNum(protocol, namedPort, portNum, implyingRules) } } } diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go index ca7b74b3..dd4e4c6d 100644 --- a/pkg/netpol/eval/internal/k8s/policy_connections.go +++ b/pkg/netpol/eval/internal/k8s/policy_connections.go @@ -49,18 +49,18 @@ func (pc *PolicyConnections) UpdateWithRuleConns(ruleConns *common.ConnectionSet case string(apisv1a.AdminNetworkPolicyRuleActionAllow): ruleConns.Subtract(pc.DeniedConns) ruleConns.Subtract(pc.PassConns) - pc.AllowedConns.Union(ruleConns) + pc.AllowedConns.Union(ruleConns, false) case string(apisv1a.AdminNetworkPolicyRuleActionDeny): ruleConns.Subtract(pc.AllowedConns) ruleConns.Subtract(pc.PassConns) - pc.DeniedConns.Union(ruleConns) + pc.DeniedConns.Union(ruleConns, false) case string(apisv1a.AdminNetworkPolicyRuleActionPass): if banpRules { return fmt.Errorf(netpolerrors.UnknownRuleActionErr) } ruleConns.Subtract(pc.AllowedConns) ruleConns.Subtract(pc.DeniedConns) - pc.PassConns.Union(ruleConns) + pc.PassConns.Union(ruleConns, false) default: return fmt.Errorf(netpolerrors.UnknownRuleActionErr) } 
@@ -79,9 +79,16 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti newAdminPolicyConns.PassConns.Subtract(pc.DeniedConns) newAdminPolicyConns.PassConns.Subtract(pc.AllowedConns) // add the new conns from current policy to the connections from the policies with higher precedence - pc.DeniedConns.Union(newAdminPolicyConns.DeniedConns) - pc.AllowedConns.Union(newAdminPolicyConns.AllowedConns) - pc.PassConns.Union(newAdminPolicyConns.PassConns) + pc.DeniedConns.Union(newAdminPolicyConns.DeniedConns, false) + pc.AllowedConns.Union(newAdminPolicyConns.AllowedConns, false) + pc.PassConns.Union(newAdminPolicyConns.PassConns, false) +} + +// ComplementPassConns complements pass connections to all connections (by adding the absent conections) +func (pc *PolicyConnections) ComplementPassConns() { + defaultPassConn := NewPolicyConnections() + defaultPassConn.PassConns = common.MakeConnectionSet(true) + pc.CollectANPConns(defaultPassConn) } // CollectAllowedConnsFromNetpols updates allowed conns of current PolicyConnections object with allowed connections from 
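Review bot: The doc comment on `ComplementPassConns` does not say which connections end up as Pass, and that precedence matters to callers. Because the method goes through `CollectANPConns`, the all-connections set first has `pc.DeniedConns` and `pc.AllowedConns` subtracted, so only connections not yet allowed or denied are added. I would spell that out and fix the `conections` typo, e.g. `// ComplementPassConns marks as Pass every connection that pc has not already allowed or denied; pc is updated in place.` `CollectANPConns` starts outside the hunk, so only its Pass handling is visible here.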
@@ -92,14 +99,21 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti // and any connection that is not allowed by the netpols is denied. // 2. pass connections in current PolicyConnections object will be determined by the input PolicyConnections parameter. func (pc *PolicyConnections) CollectAllowedConnsFromNetpols(npConns *PolicyConnections) { + // This intersection with PassConn does not have effect the resulting connectios, + // but it updates implying rules, representing the effect of PassConn as well + // We start from PassConn, and intersect it with npConns.AllowedConns, + // because the order of intersection impacts the order of implying rules. + newConn := pc.PassConns.Copy() + newConn.Intersection(npConns.AllowedConns) // collect implying rules from pc.PassConns and npConns.AllowedConns // subtract the denied conns (which are non-overridden) from input conns - npConns.AllowedConns.Subtract(pc.DeniedConns) + newConn.Subtract(pc.DeniedConns) // PASS conns are determined by npConns // currently, npConns.AllowedConns contains: // 1. traffic that was passed by ANPs (if there are such conns) // 2. traffic that had no match in ANPs // so we can update current allowed conns with them - pc.AllowedConns.Union(npConns.AllowedConns) + // 'false' below: we don't add implying rules from NPs if the connections were defined by ANPs + pc.AllowedConns.Union(newConn, false) // now pc.AllowedConns contains all allowed conns by the ANPs and NPs // the content of pc.Denied and pc.Pass is not relevant anymore; // all the connections that are not allowed by the ANPs and NPs are denied. 
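Review bot: `CollectAllowedConnsFromNetpols` now builds its result from `pc.PassConns.Copy()` intersected with `npConns.AllowedConns`, so the comment's claim that the intersection does not affect the resulting connections holds only when `pc.PassConns` already covers every connection pc has not allowed or denied. If a caller reaches this function without `ComplementPassConns` having run (the call sites are not in this part of the patch), connections allowed by the NetworkPolicies are dropped from `pc.AllowedConns` and the analysis treats them as denied. The precondition should be stated in the doc comment, e.g. `// requires pc.ComplementPassConns() to have been called first`, or enforced in the function. `CollectConnsFromBANP` in the next hunk relies on the same assumption.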
@@ -116,14 +130,22 @@ func (pc *PolicyConnections) CollectAllowedConnsFromNetpols(npConns *PolicyConne // is allowed by default func (pc *PolicyConnections) CollectConnsFromBANP(banpConns *PolicyConnections) { // allowed and denied conns of current pc are non-overridden - banpConns.DeniedConns.Subtract(pc.AllowedConns) - pc.DeniedConns.Union(banpConns.DeniedConns) - // now Pass conns which are denied by BANP were handled automatically; - // Pass Conns which are allowed or not captured by BANP, will be handled now with all other conns. - // pc.PassConns is not relevant anymore. + + // This Union with PassConn does not have effect on the resulting connectios, + // but it updates implying rules, representing the effect of PassConn as well + // We start from PassConn, and union banpConns.DeniedConns with it, + // because the order of Union impacts the order of implying rules. + newDenied := pc.PassConns.Copy() + newDenied.Intersection(banpConns.DeniedConns) // collect implying rules from pc.PassConns and banpConns.DeniedConns + newDenied.Subtract(pc.AllowedConns) + pc.DeniedConns.Union(newDenied, true) // 'true' because denied conns are defined by rules from both sides // the allowed conns are "all conns - the denied conns" - // since all conns that are not determined by the ANP and BANP are allowed by default - pc.AllowedConns = common.MakeConnectionSet(true) + // all conns that are not determined by the ANP and BANP are allowed by default, + // and are kept in banpConns.AllowedConns (were returned by getXgressDefaultConns) + newAllowed := pc.PassConns.Copy() + newAllowed.Intersection(banpConns.AllowedConns) // collect implying rules from pc.PassConns and banpConns.AllowedConns + pc.AllowedConns.Union(newAllowed, false) // 'false' because allowed conns may be already defined by pc.AllowedConns + pc.AllowedConns.Subtract(pc.DeniedConns) } 
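Review bot: The new comment in `CollectConnsFromBANP` describes a union (`We start from PassConn, and union banpConns.DeniedConns with it`), but the code calls `newDenied.Intersection(banpConns.DeniedConns)`, and the two operations give different sets. The trailing comment on that line says the goal is to collect implying rules from both sides, so the prose is presumably what is stale. I would reword it to `// This intersection with PassConns does not change the resulting connections, but it records the implying rules of both PassConns and banpConns.DeniedConns`. Dropping `pc.AllowedConns = common.MakeConnectionSet(true)` also makes the default-allow depend on `banpConns.AllowedConns` carrying the defaults, which this hunk states only in a comment.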
@@ -136,6 +158,6 @@ func (pc *PolicyConnections) IsEmpty() bool { // selects all the connections func (pc *PolicyConnections) DeterminesAllConns() bool { selectedConns := pc.AllowedConns.Copy() - selectedConns.Union(pc.DeniedConns) + selectedConns.Union(pc.DeniedConns, false) return selectedConns.IsAllConnections() } diff --git a/pkg/netpol/eval/resources.go b/pkg/netpol/eval/resources.go index d2b46e95..f8d2ad2d 100644 --- a/pkg/netpol/eval/resources.go +++ b/pkg/netpol/eval/resources.go @@ -22,7 +22,6 @@ import ( apisv1a "sigs.k8s.io/network-policy-api/apis/v1alpha1" "github.com/np-guard/models/pkg/netset" - "github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors" "github.com/np-guard/netpol-analyzer/pkg/manifests/parser" "github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s" @@ -44,6 +43,7 @@ type ( baselineAdminNetpol *k8s.BaselineAdminNetworkPolicy // pointer to BaselineAdminNetworkPolicy which is a cluster singleton object cache *evalCache exposureAnalysisFlag bool + explain bool representativePeersMap map[string]*k8s.WorkloadPeer // map from unique labels string to representative peer object, // used only with exposure analysis (representative peer object is a workloadPeer with kind == "RepresentativePeer") } 
@@ -68,23 +68,26 @@ func NewPolicyEngine() *PolicyEngine { adminNetpolsMap: make(map[string]bool), cache: newEvalCache(), exposureAnalysisFlag: false, + explain: false, } } -func NewPolicyEngineWithObjects(objects []parser.K8sObject) (*PolicyEngine, error) { +func NewPolicyEngineWithObjects(objects []parser.K8sObject, explain bool) (*PolicyEngine, error) { pe := NewPolicyEngine() + pe.explain = explain err := pe.addObjectsByKind(objects) return pe, err } // NewPolicyEngineWithOptions returns a new policy engine with an empty state but updating the exposure analysis flag // TBD: currently exposure-analysis is the only option supported by policy-engine, so no need for options list param -func NewPolicyEngineWithOptions(exposureFlag bool) *PolicyEngine { +func NewPolicyEngineWithOptions(exposureFlag, explain bool) *PolicyEngine { pe := NewPolicyEngine() pe.exposureAnalysisFlag = exposureFlag if exposureFlag { pe.representativePeersMap = make(map[string]*k8s.WorkloadPeer) } + pe.explain = explain return pe } diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go new file mode 100644 index 00000000..a98c097f --- /dev/null +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
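Review bot: Adding a second positional `bool` to the exported constructors `NewPolicyEngineWithObjects` and `NewPolicyEngineWithOptions` changes their signatures, which breaks any caller outside this repository that imports `pkg/netpol/eval`. Call sites such as `NewPolicyEngineWithOptions(true, false)` are also easy to get backwards. The TBD comment kept above `NewPolicyEngineWithOptions` still says exposure analysis is the only supported option, which is no longer true. An options struct or functional options would keep the old signatures and name each flag; at minimum the comment should read `// NewPolicyEngineWithOptions returns a new policy engine with an empty state, setting the exposure-analysis and explain flags`.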
@@ -0,0 +1,721 @@ +/* +Copyright 2023- IBM Inc. All Rights Reserved. + +SPDX-License-Identifier: Apache-2.0 +*/ + +package common + +import ( + "fmt" + "log" + "slices" + "sort" + "strings" + + "github.com/np-guard/models/pkg/interval" +) + +type ExplResultType int + +const ( + NoResult ExplResultType = iota + AllowResult + DenyResult +) + +type ImplyingXgressRulesType struct { + Rules map[string]int + // Result will keep the final connectivity decision which follows from the above rules + // (allow, deny or not set) + // It is used for specifying explainability decision per direction (Egress/Ingress) + Result ExplResultType +} + +type ImplyingRulesType struct { + Ingress ImplyingXgressRulesType // an ordered set of ingress rules, used for explainability + Egress ImplyingXgressRulesType // an ordered set of egress rules, used for explainability +} + +func InitImplyingXgressRules() ImplyingXgressRulesType { + return ImplyingXgressRulesType{Rules: map[string]int{}, Result: NoResult} +} + +func MakeImplyingXgressRulesWithRule(rule string) ImplyingXgressRulesType { + res := InitImplyingXgressRules() + res.AddXgressRule(rule) + return res +} + +func InitImplyingRules() ImplyingRulesType { + return ImplyingRulesType{Ingress: InitImplyingXgressRules(), Egress: InitImplyingXgressRules()} +} + +func MakeImplyingRulesWithRule(rule string, isIngress bool) ImplyingRulesType { + res := InitImplyingRules() + if isIngress { + res.Ingress = MakeImplyingXgressRulesWithRule(rule) + } else { + res.Egress = MakeImplyingXgressRulesWithRule(rule) + } + return res +} + +func (rules *ImplyingXgressRulesType) Copy() ImplyingXgressRulesType { + if rules == nil { + return InitImplyingXgressRules() + } + res := ImplyingXgressRulesType{Rules: map[string]int{}, Result: rules.Result} + for k, v := range rules.Rules { + res.Rules[k] = v + } + return res +} + +func (rules *ImplyingRulesType) Copy() ImplyingRulesType { + res := InitImplyingRules() + res.Ingress = rules.Ingress.Copy() + res.Egress = 
rules.Egress.Copy() + return res +} + +const ( + ExplWithRulesTitle = "due to the following policies//rules:" + IngressDirectionTitle = "\tINGRESS DIRECTION" + EgressDirectionTitle = "\tEGRESS DIRECTION" + NewLine = "\n" + SpaceSeparator = " " + ExplAllowAll = "(Allow all)" + SystemDefaultRule = "the system default " + ExplAllowAll + ExplSystemDefault = "due to " + SystemDefaultRule + PodToItselfRule = "pod to itself " + ExplAllowAll + allowResultStr = "ALLOWED" + denyResultStr = "DENIED" +) + +func (rules *ImplyingXgressRulesType) onlySystemDefaultRule() bool { + if _, ok := rules.Rules[SystemDefaultRule]; ok { + return len(rules.Rules) == 1 + } + return false +} + +func formattedExpl(expl string) string { + return "(" + expl + ")" +} + +func (rules *ImplyingXgressRulesType) resultString() string { + switch rules.Result { + case AllowResult: + return formattedExpl(allowResultStr) + case DenyResult: + return formattedExpl(denyResultStr) + default: + return "" + } +} + +func (rules *ImplyingXgressRulesType) String() string { + if rules.Empty() { + return rules.resultString() + } + // print the rules according to their order + formattedRules := make([]string, 0, len(rules.Rules)) + for name, order := range rules.Rules { + formattedRules = append(formattedRules, fmt.Sprintf("\t\t%d) %s", order+1, name)) + } + sort.Strings(formattedRules) // the rule index begins the string, like "2)" + return rules.resultString() + NewLine + strings.Join(formattedRules, NewLine) +} + +func (rules *ImplyingRulesType) OnlySystemDefaultRule() bool { + return rules.Ingress.onlySystemDefaultRule() && rules.Egress.onlySystemDefaultRule() +} + +func (rules ImplyingRulesType) String() string { + if rules.OnlySystemDefaultRule() { + return SpaceSeparator + SystemDefaultRule + NewLine + } + res := "" + if !rules.Egress.Empty() { + res += EgressDirectionTitle + if rules.Egress.onlySystemDefaultRule() { + res += SpaceSeparator + rules.Egress.resultString() + SpaceSeparator + ExplSystemDefault + 
NewLine + } else { + res += SpaceSeparator + rules.Egress.String() + NewLine + } + } + if !rules.Ingress.Empty() { + res += IngressDirectionTitle + if rules.Ingress.onlySystemDefaultRule() { + res += SpaceSeparator + rules.Ingress.resultString() + SpaceSeparator + ExplSystemDefault + NewLine + } else { + res += SpaceSeparator + rules.Ingress.String() + NewLine + } + } + if res == "" { + return NewLine + } + return SpaceSeparator + ExplWithRulesTitle + NewLine + res +} + +func (rules *ImplyingXgressRulesType) Empty() bool { + return len(rules.Rules) == 0 +} + +func (rules ImplyingRulesType) Empty(isIngress bool) bool { + if isIngress { + return rules.Ingress.Empty() + } + return rules.Egress.Empty() +} + +func (rules *ImplyingXgressRulesType) AddXgressRule(ruleName string) { + if ruleName != "" { + if _, ok := rules.Rules[ruleName]; !ok { + rules.Rules[ruleName] = len(rules.Rules) // a new rule should be the last + } + } +} + +func (rules *ImplyingRulesType) AddRule(ruleName string, isIngress bool) { + if isIngress { + rules.Ingress.AddXgressRule(ruleName) + } else { + rules.Egress.AddXgressRule(ruleName) + } +} + +func (rules *ImplyingXgressRulesType) SetXgressResult(isAllowed bool) { + if rules.Result != NoResult { + log.Panic(errConflictingExplResult) + } + if isAllowed { + rules.Result = AllowResult + } else { + rules.Result = DenyResult + } +} + +func (rules *ImplyingRulesType) SetResult(isAllowed, isIngress bool) { + if isIngress { + rules.Ingress.SetXgressResult(isAllowed) + } else { + rules.Egress.SetXgressResult(isAllowed) + } +} + +func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, collectRules bool) { + if !collectRules { + if rules.Empty() { + *rules = other.Copy() + } + return + } + + // first, count how many rules are common in both sets + common := 0 + for name := range other.Rules { + if _, ok := rules.Rules[name]; ok { + common += 1 + } + } + offset := len(rules.Rules) - common + for name, order := range other.Rules { + if _, 
ok := rules.Rules[name]; !ok { // for the common rules, keep their original order in the current rules + rules.Rules[name] = order + offset // other rules should be addded after the current rules + } + } + // update Result if set + if other.Result != NoResult { + rules.SetXgressResult(other.Result == AllowResult) + } +} + +func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, collectRules bool) bool { + if !collectRules { + return rules.Empty() && !other.Empty() + } + for name := range other.Rules { + if _, ok := rules.Rules[name]; !ok { + return true + } + } + return false +} + +func (rules *ImplyingRulesType) Union(other ImplyingRulesType, collectRules bool) { + rules.Ingress.Union(other.Ingress, collectRules) + rules.Egress.Union(other.Egress, collectRules) +} + +func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, collectRules bool) bool { + return rules.Ingress.mayBeUpdatedBy(other.Ingress, collectRules) || rules.Egress.mayBeUpdatedBy(other.Egress, collectRules) +} + +const ( + NoIndex = -1 +) + +type AugmentedInterval struct { + interval interval.Interval + inSet bool + implyingRules ImplyingRulesType +} + +func NewAugmentedInterval(start, end int64, inSet bool) AugmentedInterval { + return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: InitImplyingRules()} +} + +func NewAugmentedIntervalWithRule(start, end int64, inSet bool, rule string, isIngress bool) AugmentedInterval { + return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: MakeImplyingRulesWithRule(rule, isIngress)} +} + +func NewAugmentedIntervalWithRules(start, end int64, inSet bool, rules ImplyingRulesType) AugmentedInterval { + return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: rules.Copy()} +} + +// AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals. 
+// The intervals should include both included intervals and holes; +// i.e., start of every interval is the end of a previous interval incremented by 1. +// An AugmentedCanonicalSet is created with an interval/hole covering the whole range for this kind of set. +// The assumption is that further operations on a set will never extend this initial range, +// i.e., the MinValue() and MaxValue() functions will always return the same results. +type AugmentedCanonicalSet struct { + intervalSet []AugmentedInterval +} + +func NewAugmentedCanonicalSet(minValue, maxValue int64, isAll bool) *AugmentedCanonicalSet { + return &AugmentedCanonicalSet{ + intervalSet: []AugmentedInterval{ + NewAugmentedInterval(minValue, maxValue, isAll), // the full range interval (isAll==true) or 'hole' (isAll==false) + }, + } +} + +func NewAugmentedCanonicalSetWithRules(minValue, maxValue int64, isAll bool, rules ImplyingRulesType) *AugmentedCanonicalSet { + return &AugmentedCanonicalSet{ + intervalSet: []AugmentedInterval{ + NewAugmentedIntervalWithRules(minValue, maxValue, isAll, rules), // the full range interval (isAll==true) or 'hole' (isAll==false) + }, + } +} + +func (c *AugmentedCanonicalSet) Intervals() []AugmentedInterval { + return slices.Clone(c.intervalSet) +} + +func (c *AugmentedCanonicalSet) NumIntervals() int { + return len(c.intervalSet) +} + +const ( + errMinFromEmptySet = "cannot take min from empty interval set" + errOutOfRangeInterval = "cannot add interval which is out of scope of AugmentedCanonicalSet" + errConflictingExplResult = "cannot override explanation result that has been already set" +) + +func (c *AugmentedCanonicalSet) MinValue() int64 { + if len(c.intervalSet) == 0 { + log.Panic(errMinFromEmptySet) + } + return c.intervalSet[0].interval.Start() +} + +func (c *AugmentedCanonicalSet) MaxValue() int64 { + size := len(c.intervalSet) + if size == 0 { + log.Panic(errMinFromEmptySet) + } + return c.intervalSet[size-1].interval.End() +} + +func (c 
*AugmentedCanonicalSet) Min() int64 { + if len(c.intervalSet) == 0 { + log.Panic(errMinFromEmptySet) + } + for _, interval := range c.intervalSet { + if interval.inSet { + return interval.interval.Start() + } + } + log.Panic(errMinFromEmptySet) + return 0 // making linter happy +} + +// IsEmpty returns true if the AugmentedCanonicalSet is semantically empty (i.e., no 'inSet' intervals, but may possibly include holes) +func (c *AugmentedCanonicalSet) IsEmpty() bool { + for _, interval := range c.intervalSet { + if interval.inSet { + return false + } + } + return true +} + +// Unfilled returns true if the AugmentedCanonicalSet is syntactically empty (i.e., none of intervals or holes in the interval set) +func (c *AugmentedCanonicalSet) IsUnfilled() bool { + return len(c.intervalSet) == 0 +} + +func (c *AugmentedCanonicalSet) CalculateSize() int64 { + var res int64 = 0 + for _, r := range c.intervalSet { + if r.inSet { + res += r.interval.Size() + } + } + return res +} + +// func (c *AugmentedCanonicalSet) isConsistent() bool { +// lastInd := len(c.intervalSet) - 1 +// if lastInd < 0 { +// return true // the set is empty +// } +// lastInterval := c.intervalSet[lastInd] +// if lastInterval.inSet || lastInterval.interval.Start() < 0 || lastInterval.interval.End() != MaxValue { +// return false +// } +// return true +// } + +// nextIncludedInterval finds an interval included in set (not hole), starting from fromInd. +// if there are a few continuous in set intervals, it will return the union of all of them. 
+// it returns the found (potentially extended) interval, and the biggest index contributing to the result +func (c *AugmentedCanonicalSet) nextIncludedInterval(fromInd int) (res interval.Interval, index int) { + start := fromInd + for start < len(c.intervalSet) && !c.intervalSet[start].inSet { + start++ + } + if start >= len(c.intervalSet) { + return interval.New(0, -1), NoIndex + } + end := start + for end < len(c.intervalSet) && c.intervalSet[end].inSet { + end++ + } + return interval.New(c.intervalSet[start].interval.Start(), c.intervalSet[end-1].interval.End()), end - 1 +} + +// Equal returns true if the AugmentedCanonicalSet semantically equals the other AugmentedCanonicalSet; +// only numeric intervals are compared; the implying rules are not compared. +func (c *AugmentedCanonicalSet) Equal(other *AugmentedCanonicalSet) bool { + if c == other { + return true + } + currThisInd := 0 + currOtherInd := 0 + + for currThisInd != NoIndex { + thisInterval, thisInd := c.nextIncludedInterval(currThisInd) + otherInterval, otherInd := other.nextIncludedInterval(currOtherInd) + if (thisInd == NoIndex) != (otherInd == NoIndex) { + return false + } + if thisInd == NoIndex { + break + } + if !(thisInterval.Equal(otherInterval)) { + return false + } + currThisInd = thisInd + 1 + currOtherInd = otherInd + 1 + } + return true +} + +// AddAugmentedInterval adds a new interval/hole to the set, +// and updates the implying rules accordingly +// +//gocyclo:ignore +func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collectRules bool) { + if v.interval.Start() < c.MinValue() || v.interval.End() > c.MaxValue() { + log.Panic(errOutOfRangeInterval) + } + if v.interval.IsEmpty() { + return + } + set := c.intervalSet + left := sort.Search(len(set), func(i int) bool { + return set[i].interval.End() >= v.interval.Start() + }) + right := sort.Search(len(set), func(j int) bool { + return set[j].interval.End() >= v.interval.End() + }) + var result []AugmentedInterval + 
// copy left-end intervals not impacted by v + result = append(result, slices.Clone(set[0:left])...) + + // handle the left-hand side of the intersection of v with set + if v.interval.Start() > set[left].interval.Start() && + (set[left].inSet != v.inSet || set[left].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + // split set[left] into two intervals, while the implying rules of the second interval should get the new value (from v) + new1 := AugmentedInterval{interval: interval.New(set[left].interval.Start(), v.interval.Start()-1), + inSet: set[left].inSet, implyingRules: set[left].implyingRules.Copy()} + var newImplyingRules ImplyingRulesType + if set[left].inSet == v.inSet { + newImplyingRules = set[left].implyingRules.Copy() + newImplyingRules.Union(v.implyingRules, collectRules) + } else { + newImplyingRules = v.implyingRules.Copy() + } + new2 := AugmentedInterval{interval: interval.New(v.interval.Start(), min(set[left].interval.End(), v.interval.End())), + inSet: v.inSet, implyingRules: newImplyingRules} + result = append(result, new1, new2) + left++ + } + for ind := left; ind <= right; ind++ { + if ind == right && v.interval.End() < set[right].interval.End() && + (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + break // this is the corner case handled following the loop below + } + var newImplyingRules ImplyingRulesType + if set[ind].inSet == v.inSet { + // this interval is not impacted by v; + // however, its implying rules may be updated by those of v. 
+ newImplyingRules = set[ind].implyingRules.Copy() + newImplyingRules.Union(v.implyingRules, collectRules) + } else { + newImplyingRules = v.implyingRules.Copy() + } + result = append(result, AugmentedInterval{interval: set[ind].interval, inSet: v.inSet, implyingRules: newImplyingRules}) + } + // handle the right-hand side of the intersection of v with set + if v.interval.End() < set[right].interval.End() && + (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + // split set[right] into two intervals, while the implying rules of the first interval should get the new value (from v) + if left < right || (left == right && v.interval.Start() == set[left].interval.Start()) { + // a special case when left==right (i.e., v is included in one interval from set) was already handled + // at the left-hand side of the intersection of v with set + var newImplyingRules ImplyingRulesType + if set[right].inSet == v.inSet { + newImplyingRules = set[right].implyingRules.Copy() + newImplyingRules.Union(v.implyingRules, collectRules) + } else { + newImplyingRules = v.implyingRules.Copy() + } + new1 := AugmentedInterval{interval: interval.New(set[right].interval.Start(), v.interval.End()), + inSet: v.inSet, implyingRules: newImplyingRules} + result = append(result, new1) + } + new2 := AugmentedInterval{interval: interval.New(v.interval.End()+1, set[right].interval.End()), + inSet: set[right].inSet, implyingRules: set[right].implyingRules.Copy()} + result = append(result, new2) + } + + // copy right-end intervals not impacted by v + result = append(result, slices.Clone(set[right+1:])...) 
+ c.intervalSet = result +} + +// String returns a string representation of the current CanonicalSet object +func (c *AugmentedCanonicalSet) String() string { + if c.IsEmpty() { + return "" + } + res := "" + canonical := c.GetEquivalentCanonicalAugmentedSet() + for _, interval := range canonical.intervalSet { + if interval.inSet { + res += interval.interval.ShortString() + "," + } + } + return res[:len(res)-1] +} + +// Union returns the union of the two sets +// Note: this function is not symmetrical regarding the update of implying rules: +// it always prefers implying rules of 'c', and adds to it those of 'other' depending if collectRules == true +func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectRules bool) *AugmentedCanonicalSet { + if c == other { + return c.Copy() + } + // first, we add all 'out of set' intervals from both sets + // then, we add all 'in set' intervals from both sets + // this way we get the effect of union, while preserving all relevant implying rules + res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) + for _, left := range c.intervalSet { + if !left.inSet { + res.AddAugmentedInterval(left, false) + } + } + for _, right := range other.intervalSet { + if !right.inSet { + res.AddAugmentedInterval(right, false) + } + } + for _, left := range c.intervalSet { + if left.inSet { + res.AddAugmentedInterval(left, collectRules) + } + } + for _, right := range other.intervalSet { + if right.inSet { + res.AddAugmentedInterval(right, collectRules) + } + } + return res +} + +// Copy returns a new copy of the CanonicalSet object +func (c *AugmentedCanonicalSet) Copy() *AugmentedCanonicalSet { + return &AugmentedCanonicalSet{intervalSet: slices.Clone(c.intervalSet)} +} + +func (c *AugmentedCanonicalSet) Contains(n int64) bool { + otherSet := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) + otherSet.AddAugmentedInterval(NewAugmentedInterval(n, n, true), false) + return otherSet.ContainedIn(c) +} + +// 
ContainedIn returns true of the current AugmentedCanonicalSet is contained in the other AugmentedCanonicalSet +func (c *AugmentedCanonicalSet) ContainedIn(other *AugmentedCanonicalSet) bool { + if c == other { + return true + } + currThisInd := 0 + currOtherInd := 0 + for currThisInd != NoIndex { + thisInterval, thisInd := c.nextIncludedInterval(currThisInd) + otherInterval, otherInd := other.nextIncludedInterval(currOtherInd) + if thisInd == NoIndex { + return true // end of this interval set + } + if otherInd == NoIndex { + return false // end of other interval set, but still have uncovered interval in this set + } + if thisInterval.IsSubset(otherInterval) { + // this interval is included in other; move to next intervals + currThisInd = thisInd + 1 + currOtherInd = otherInd + 1 + continue + } + if thisInterval.Overlap(otherInterval) { + // only part of this interval is contained + return false + } + if thisInterval.End() < otherInterval.Start() { + // this interval is not contained here + return false + } + // otherInterval.End() < thisInterval.Start() + // increment currOtherInd + currOtherInd = otherInd + 1 + } + return true +} + +// Intersect returns the intersection of the current set with the input set +func (c *AugmentedCanonicalSet) Intersect(other *AugmentedCanonicalSet) *AugmentedCanonicalSet { + if c == other { + return c.Copy() + } + // first, we add all 'in set' intervals from both sets + // then, we add all 'out of set' intervals from both sets + // this way we get the effect of intersection, while preserving all relevant implying rules + res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) + for _, left := range c.intervalSet { + if left.inSet { + res.AddAugmentedInterval(left, true) // collect implying rules allowed by both sets + } + } + for _, right := range other.intervalSet { + if right.inSet { + res.AddAugmentedInterval(right, true) // collect implying rules allowed by both sets + } + } + for _, left := range c.intervalSet { + if 
!left.inSet { + res.AddAugmentedInterval(left, false) + } + } + for _, right := range other.intervalSet { + if !right.inSet { + res.AddAugmentedInterval(right, false) + } + } + return res +} + +// Overlap returns true if current AugmentedCanonicalSet overlaps with input AugmentedCanonicalSet +func (c *AugmentedCanonicalSet) Overlap(other *AugmentedCanonicalSet) bool { + if c == other { + return !c.IsEmpty() + } + currThisInd := 0 + currOtherInd := 0 + for currThisInd != NoIndex { + thisInterval, thisInd := c.nextIncludedInterval(currThisInd) + otherInterval, otherInd := other.nextIncludedInterval(currOtherInd) + if thisInd == NoIndex || otherInd == NoIndex { + return false // did not find overlapping interval + } + if thisInterval.Overlap(otherInterval) { + return true + } + if thisInterval.End() < otherInterval.Start() { + // increment currThisInd + currThisInd = thisInd + 1 + } else { // otherInterval.End() < thisInterval.Start() + // increment currOtherInd + currOtherInd = otherInd + 1 + } + } + return false +} + +// Subtract returns the subtraction result of other AugmentedCanonicalSet +func (c *AugmentedCanonicalSet) Subtract(other *AugmentedCanonicalSet) *AugmentedCanonicalSet { + if c == other { + return NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) + } + res := c.Copy() + for _, interval := range other.intervalSet { + if interval.inSet { + hole := interval + hole.inSet = false + res.AddAugmentedInterval(hole, false) + } + } + return res +} + +func (c *AugmentedCanonicalSet) ClearInSet() { + for i := range c.intervalSet { + c.intervalSet[i].inSet = false + } +} + +// Elements returns a slice with all the numbers contained in the set. +// USE WITH CARE. It can easily run out of memory for large sets. 
+func (c *AugmentedCanonicalSet) Elements() []int64 { + // allocate memory up front, to fail early + res := make([]int64, c.CalculateSize()) + i := 0 + for _, interval := range c.intervalSet { + if interval.inSet { + for v := interval.interval.Start(); v <= interval.interval.End(); v++ { + res[i] = v + i++ + } + } + } + return res +} + +func (c *AugmentedCanonicalSet) GetEquivalentCanonicalAugmentedSet() *AugmentedCanonicalSet { + res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) + interv, index := c.nextIncludedInterval(0) + for index != NoIndex { + res.AddAugmentedInterval(NewAugmentedInterval(interv.Start(), interv.End(), true), false) + interv, index = c.nextIncludedInterval(index + 1) + } + return res +} + +func (c *AugmentedCanonicalSet) SetExplResult(isIngress bool) { + for ind, v := range c.intervalSet { + c.intervalSet[ind].implyingRules.SetResult(v.inSet, isIngress) + } +} diff --git a/pkg/netpol/internal/common/connection.go b/pkg/netpol/internal/common/connection.go index 665a39c2..2e5cac54 100644 --- a/pkg/netpol/internal/common/connection.go +++ b/pkg/netpol/internal/common/connection.go @@ -13,7 +13,7 @@ import ( // Connection represents a set of allowed connections between two peers type Connection interface { // ProtocolsAndPortsMap returns the set of allowed connections - ProtocolsAndPortsMap() map[v1.Protocol][]PortRange + ProtocolsAndPortsMap(includeBlockedPorts bool) map[v1.Protocol][]PortRange // IsAllConnections returns true if all ports are allowed for all protocols IsAllConnections() bool // IsEmpty returns true if no connection is allowed diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go index 63763e44..9146cdfb 100644 --- a/pkg/netpol/internal/common/connectionset.go +++ b/pkg/netpol/internal/common/connectionset.go 
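Review bot: The rule order shown in an explanation is not reliable: `ImplyingXgressRulesType.String` sorts the already formatted lines with `sort.Strings`, so `10)` is printed before `2)` once a direction has ten or more rules. `ImplyingXgressRulesType.Union` can also assign duplicate indices, because `offset` is `len(rules.Rules) - common` while the incoming `order` values still count the common rules (rules `{B:0, X:1}` united with `{A:0, B:1, C:2}` gives A and X both index 1); adding the new names in their `other` order at a running `len(rules.Rules)` would avoid that. The rewrite of `String` below sorts by numeric index with the name as tie-break. Separately, `Contains(n)` reaches `log.Panic(errOutOfRangeInterval)` in `AddAugmentedInterval` for an `n` outside the set's range instead of returning false, and `Union(..., true)` panics through `SetXgressResult` when both sides already carry a result; whether manifest-derived values can reach either path is not visible in this file.

```go
func (rules *ImplyingXgressRulesType) String() string {
	// … unchanged: early return of resultString() when there are no rules …
	// order by the stored numeric index; sorting formatted strings puts "10)" before "2)"
	names := make([]string, 0, len(rules.Rules))
	for name := range rules.Rules {
		names = append(names, name)
	}
	sort.Slice(names, func(i, j int) bool {
		oi, oj := rules.Rules[names[i]], rules.Rules[names[j]]
		if oi != oj {
			return oi < oj
		}
		return names[i] < names[j] // deterministic output if two rules share an index
	})
	formattedRules := make([]string, 0, len(names))
	for _, name := range names {
		formattedRules = append(formattedRules, fmt.Sprintf("\t\t%d) %s", rules.Rules[name]+1, name))
	}
	return rules.resultString() + NewLine + strings.Join(formattedRules, NewLine)
}
```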
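Review bot: The interface comment on `ProtocolsAndPortsMap` still promises the set of allowed connections, while the new `includeBlockedPorts` parameter suggests the map can now also carry ranges that are not allowed. A caller that treats every returned `PortRange` as allowed would then over-report connectivity, so the contract should be explicit. Something like `// ProtocolsAndPortsMap returns the allowed port ranges per protocol; if includeBlockedPorts is true, blocked ranges are included as well` would do, adjusted to what the implementation actually returns. The implementation is outside this hunk, so the parameter's effect is inferred from its name.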
@@ -8,22 +8,27 @@ package common import ( "fmt" + "log" "sort" "strconv" "strings" - "k8s.io/apimachinery/pkg/util/intstr" - v1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/util/intstr" "github.com/np-guard/models/pkg/interval" ) // ConnectionSet represents a set of allowed connections between two peers on a k8s env // and implements Connection interface +// The explainability information is represented as follows: every PortSet (in AllowedProtocols) +// includes information about implying rules for every range. +// CommonImplyingRules contain implying rules for empty or full ConectionSet (when AllowedProtocols is empty) +// The following variant should hold: CommonImplyingRules not empty <==> AllowedProtocols empty type ConnectionSet struct { - AllowAll bool - AllowedProtocols map[v1.Protocol]*PortSet // map from protocol name to set of allowed ports + AllowAll bool + AllowedProtocols map[v1.Protocol]*PortSet // map from protocol name to set of allowed ports + CommonImplyingRules ImplyingRulesType // used for explainability, when AllowedProtocols is empty (i.e., all allowed or all denied) } var allProtocols = []v1.Protocol{v1.ProtocolTCP, v1.ProtocolUDP, v1.ProtocolSCTP} 
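Review bot: The invariant in the new `ConnectionSet` comment does not match what the constructors in the next hunk build. `MakeConnectionSet` pairs an empty `AllowedProtocols` with `CommonImplyingRules: InitImplyingRules()`, so "CommonImplyingRules not empty <==> AllowedProtocols empty" holds in one direction at most (assuming `InitImplyingRules` returns an empty holder, which is not visible here). I would reword it to `// Invariant: CommonImplyingRules is non-empty only when AllowedProtocols is empty`, and fix "variant" and "ConectionSet" in the same comment.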
@@ -31,9 +36,34 @@ var allProtocols = []v1.Protocol{v1.ProtocolTCP, v1.ProtocolUDP, v1.ProtocolSCTP // MakeConnectionSet returns a pointer to ConnectionSet object with all connections or no connections func MakeConnectionSet(all bool) *ConnectionSet { if all { - return &ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}} + return &ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}, CommonImplyingRules: InitImplyingRules()} + } + return &ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}, CommonImplyingRules: InitImplyingRules()} +} + +func MakeAllConnectionSetWithRule(rule string, isIngress bool) *ConnectionSet { + return &ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}, + CommonImplyingRules: MakeImplyingRulesWithRule(rule, isIngress)} +} + +// Add common implying rule, i.e., a rule that is relevant for the whole ConnectionSet +func (conn *ConnectionSet) AddCommonImplyingRule(implyingRule string, isIngress bool) { + conn.CommonImplyingRules.AddRule(implyingRule, isIngress) +} + +func (conn *ConnectionSet) GetEquivalentCanonicalConnectionSet() *ConnectionSet { + res := MakeConnectionSet(false) + if conn.AllowAll { + res.AllowAll = true + return res } - return &ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}} + for protocol, ports := range conn.AllowedProtocols { + canonicalPorts := ports.GetEquivalentCanonicalPortSet() + if !canonicalPorts.IsEmpty() { + res.AllowedProtocols[protocol] = canonicalPorts + } + } + return res } // GetAllTCPConnections returns a pointer to ConnectionSet object with all TCP protocol connections 
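Review bot: `MakeAllConnectionSetWithRule` and `GetEquivalentCanonicalConnectionSet` are exported without doc comments, and the latter drops explanation data without saying so. Its result starts from `MakeConnectionSet(false)` and never copies `conn.CommonImplyingRules`. That looks intentional for comparisons but should be stated, e.g. `// GetEquivalentCanonicalConnectionSet returns a copy holding only the allowed ports of conn; common implying rules are not carried over`. The comment on `AddCommonImplyingRule` should also begin with the function name.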
@@ -44,116 +74,152 @@ func GetAllTCPConnections() *ConnectionSet { } // Intersection updates ConnectionSet object to be the intersection result with other ConnectionSet +// the implying rules are symmetrically updated by both conn and other, +// i.e., conn does not have a precedence over other func (conn *ConnectionSet) Intersection(other *ConnectionSet) { - if other.AllowAll { - return - } - if conn.AllowAll { - conn.AllowAll = false - for protocol, ports := range other.AllowedProtocols { - conn.AllowedProtocols[protocol] = ports.Copy() + if len(conn.AllowedProtocols) == 0 && len(other.AllowedProtocols) == 0 { + // each one of conn and other is either AllowAll or Empty + if other.IsEmpty() { + conn.AllowAll = false + conn.AllowedProtocols = map[v1.Protocol]*PortSet{} } + // union common implying rules - a symmetrical update + conn.CommonImplyingRules.Union(other.CommonImplyingRules, true) return } + // prepare conn and other for the intersection - we need to seep implying rules info into all protocols/ports + conn.rebuildExplicitly() + other.rebuildExplicitly() + conn.AllowAll = false for protocol := range conn.AllowedProtocols { otherPorts, ok := other.AllowedProtocols[protocol] if !ok { - delete(conn.AllowedProtocols, protocol) + log.Panic("We should not get here") } else { conn.AllowedProtocols[protocol].Intersection(otherPorts) - if conn.AllowedProtocols[protocol].IsEmpty() { - delete(conn.AllowedProtocols, protocol) - } } } + conn.updateIfAllConnections() // the result may be AllowAll if both conn and other were AllowAll } // IsEmpty returns true if the ConnectionSet has no allowed connections func (conn *ConnectionSet) IsEmpty() bool { - return !conn.AllowAll && len(conn.AllowedProtocols) == 0 + if conn.AllowAll { + return false + } + if len(conn.AllowedProtocols) == 0 { + return true + } + // now check semantically + for _, protocol := range allProtocols { + ports, ok := conn.AllowedProtocols[protocol] + if ok && !ports.IsEmpty() { // this is a semantic 
emptiness check (no included ports, may be holes) + return false + } + } + return true } -func (conn *ConnectionSet) isAllConnectionsWithoutAllowAll() bool { +func (conn *ConnectionSet) updateIfAllConnections() { if conn.AllowAll { - return false + return } for _, protocol := range allProtocols { ports, ok := conn.AllowedProtocols[protocol] if !ok { - return false + return } else if !ports.IsAll() { - return false + return } } + conn.AllowAll = true + // we keep conn.AllowedProtocols data, we might need the ImplyingRules info for explainability +} - return true +func (conn *ConnectionSet) SetExplResult(isIngress bool) { + if len(conn.AllowedProtocols) == 0 { + // no AllowedProtocols --> compute result according to AllowAll + conn.CommonImplyingRules.SetResult(conn.AllowAll, isIngress) + return + } + // compute result for every range in AllowedProtocols + for _, ports := range conn.AllowedProtocols { + ports.Ports.SetExplResult(isIngress) + } } -func (conn *ConnectionSet) checkIfAllConnections() { - if conn.isAllConnectionsWithoutAllowAll() { - conn.AllowAll = true - conn.AllowedProtocols = map[v1.Protocol]*PortSet{} +// rebuildExplicitly : represent All/No connections explicitly (All connections if AllowAll==true, No connections otherwise), +// by building AllowedProtocols and adding the whole range intervals/holes (depending on AllowAll field) +func (conn *ConnectionSet) rebuildExplicitly() { + if len(conn.AllowedProtocols) == len(allProtocols) { + return // if all protocols exist, nothing to add + } + var portSet *PortSet + if conn.AllowAll { + portSet = MakeAllPortSetWithImplyingRules(conn.CommonImplyingRules) + } else { + portSet = MakeEmptyPortSetWithImplyingRules(conn.CommonImplyingRules) + } + for _, protocol := range allProtocols { + if _, ok := conn.AllowedProtocols[protocol]; !ok { + conn.AddConnection(protocol, portSet) + } } + conn.CommonImplyingRules = InitImplyingRules() } // Union updates ConnectionSet object to be the union result with other 
ConnectionSet -func (conn *ConnectionSet) Union(other *ConnectionSet) { - if conn.AllowAll || other.IsEmpty() { +// the implying rules are updated only if something changes in conn, +// i.e., conn has a precedence over other +func (conn *ConnectionSet) Union(other *ConnectionSet, collectRules bool) { + if conn.IsEmpty() && (other.IsEmpty() || other.AllowAll) && len(conn.AllowedProtocols) == 0 && len(other.AllowedProtocols) == 0 { + if other.IsEmpty() { + // we should union implying rules - both contribute to the result being empty + conn.CommonImplyingRules.Union(other.CommonImplyingRules, collectRules) + } else { + // we should substitute the implying rules by others' rules + conn.CommonImplyingRules = other.CommonImplyingRules.Copy() + } + conn.AllowAll = other.AllowAll return } - if other.AllowAll { - conn.AllowAll = true - conn.AllowedProtocols = map[v1.Protocol]*PortSet{} - return + if other.IsEmpty() { + return // neither connections nor implying rules can be updated } + conn.rebuildExplicitly() + other.rebuildExplicitly() for protocol := range conn.AllowedProtocols { if otherPorts, ok := other.AllowedProtocols[protocol]; ok { - conn.AllowedProtocols[protocol].Union(otherPorts) - } - } - for protocol := range other.AllowedProtocols { - if _, ok := conn.AllowedProtocols[protocol]; !ok { - portsCopy := other.AllowedProtocols[protocol].Copy() - conn.AllowedProtocols[protocol] = portsCopy + conn.AllowedProtocols[protocol].Union(otherPorts, collectRules) } } - conn.checkIfAllConnections() + conn.CommonImplyingRules = InitImplyingRules() // clear common implying rules, since we have implying rules in AllowedProtocols + conn.updateIfAllConnections() } // Subtract : updates current ConnectionSet object with the result of // subtracting other ConnectionSet from current ConnectionSet +// the implying rules are updated by both conn and other func (conn *ConnectionSet) Subtract(other *ConnectionSet) { - if other.IsEmpty() { // nothing to subtract + if /*conn.IsEmpty() 
||*/ other.IsEmpty() { // nothing to subtract return } - if other.AllowAll { // subtract everything + if other.AllowAll && len(other.AllowedProtocols) == 0 { + // a special case when we should replace current common implying rules by others' + conn.CommonImplyingRules = other.CommonImplyingRules.Copy() conn.AllowAll = false conn.AllowedProtocols = map[v1.Protocol]*PortSet{} return } - if conn.AllowAll { - conn.AllowAll = false // we are about to subtract something - conn.addAllConns() - } + conn.rebuildExplicitly() + conn.AllowAll = false for protocol, ports := range conn.AllowedProtocols { if otherPorts, ok := other.AllowedProtocols[protocol]; ok { - if ports.ContainedIn(otherPorts) { - delete(conn.AllowedProtocols, protocol) - } else { - ports.subtract(otherPorts) - } + ports.subtract(otherPorts) } } } -// addAllConns : add all possible connections to the current ConnectionSet's allowed protocols -// added explicitly, without using the `AllowAll` field -func (conn *ConnectionSet) addAllConns() { - for _, protocol := range allProtocols { - conn.AddConnection(protocol, MakePortSet(true)) - } -} - // Contains returns true if the input port+protocol is an allowed connection func (conn *ConnectionSet) Contains(port, protocol string) bool { intPort, err := strconv.Atoi(port) @@ -180,6 +246,9 @@ func (conn *ConnectionSet) ContainedIn(other *ConnectionSet) bool { return false } for protocol, ports := range conn.AllowedProtocols { + if ports.IsEmpty() { + continue // empty port set might exist due to preserving data for explainability + } otherPorts, ok := other.AllowedProtocols[protocol] if !ok { return false 
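Review bot: `Intersection` and `Union` now call `other.rebuildExplicitly()`, which rewrites the argument (it fills `other.AllowedProtocols` for every protocol and resets `other.CommonImplyingRules`), although both methods are documented as updating only the receiver. A caller that keeps using or shares `other` afterwards sees a changed representation; working on a copy avoids that: `otherExplicit := other.Copy()`, `otherExplicit.rebuildExplicitly()`, then read `otherExplicit.AllowedProtocols`. Separately, `log.Panic("We should not get here")` in `Intersection` aborts the process from library code if the assumption fails. `rebuildExplicitly` goes through `AddConnection`, which returns early for an unfilled port set, so whether that branch is truly unreachable depends on `IsUnfilled` for the sets built by `MakeEmptyPortSetWithImplyingRules`, which cannot be decided from this hunk. The commented-out `/*conn.IsEmpty() ||*/` in `Subtract` should be removed or explained.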
@@ -193,12 +262,15 @@ func (conn *ConnectionSet) ContainedIn(other *ConnectionSet) bool { // AddConnection updates current ConnectionSet object with new allowed connection func (conn *ConnectionSet) AddConnection(protocol v1.Protocol, ports *PortSet) { - if ports.IsEmpty() { + if ports.IsUnfilled() { + // The return below is only when 'ports' is syntactically empty; + // In the case of a hole (semantically empty set), we do want to add it + // in order to keep the explanation data return } connPorts, ok := conn.AllowedProtocols[protocol] if ok { - connPorts.Union(ports) + connPorts.Union(ports, true) } else { conn.AllowedProtocols[protocol] = ports.Copy() } @@ -213,7 +285,9 @@ func (conn *ConnectionSet) String() string { } resStrings := []string{} for protocol, ports := range conn.AllowedProtocols { - resStrings = append(resStrings, protocolAndPortsStr(protocol, ports.String())) + if portsString := ports.String(); portsString != "" { + resStrings = append(resStrings, protocolAndPortsStr(protocol, portsString)) + } } sort.Strings(resStrings) return strings.Join(resStrings, ",") @@ -224,11 +298,13 @@ func (conn *ConnectionSet) Equal(other *ConnectionSet) bool { if conn.AllowAll != other.AllowAll { return false } - if len(conn.AllowedProtocols) != len(other.AllowedProtocols) { + connCanonical := conn.GetEquivalentCanonicalConnectionSet() + otherCanonical := other.GetEquivalentCanonicalConnectionSet() + if len(connCanonical.AllowedProtocols) != len(otherCanonical.AllowedProtocols) { return false } - for protocol, ports := range conn.AllowedProtocols { - otherPorts, ok := other.AllowedProtocols[protocol] + for protocol, ports := range connCanonical.AllowedProtocols { + otherPorts, ok := otherCanonical.AllowedProtocols[protocol] if !ok { return false } 
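Review bot: The doc comment of `AddConnection` still describes adding a "new allowed connection", but with the `IsUnfilled` guard it now also stores port sets that contain only holes. From here on `len(conn.AllowedProtocols)` no longer tells whether anything is allowed, which callers outside this file may still assume. Suggest `// AddConnection merges ports into the protocol's port set; semantically empty sets (holes only) are kept for their explanation data`. The bare `true` in `connPorts.Union(ports, true)` deserves a short comment, since the meaning of `collectRules` is not visible at the call.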
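Review bot: `Equal` now builds two canonical copies through `GetEquivalentCanonicalConnectionSet` on every call, and by construction it ignores implying rules, yet its comment does not say either. Add `// Equal compares allowed connections only; explanation data is ignored` so that nobody relies on it to detect a change in the explanation. If `Equal` sits on a hot path of the analysis, comparing only the in-set intervals without copying would avoid the allocations. The function body continues outside this hunk.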
@@ -246,14 +322,15 @@ func (conn *ConnectionSet) Copy() *ConnectionSet { for protocol, portSet := range conn.AllowedProtocols { res.AllowedProtocols[protocol] = portSet.Copy() } + res.CommonImplyingRules = conn.CommonImplyingRules.Copy() return res } -// GetNamedPorts returns map from protocol to list of its allowed named ports -func (conn *ConnectionSet) GetNamedPorts() map[v1.Protocol][]string { - res := make(map[v1.Protocol][]string, 0) +// GetNamedPorts returns map from protocol to its allowed named ports (including ImplyingRules info) +func (conn *ConnectionSet) GetNamedPorts() map[v1.Protocol]NamedPortsType { + res := make(map[v1.Protocol]NamedPortsType, 0) for protocol, portSet := range conn.AllowedProtocols { - if namedPorts := portSet.GetNamedPortsKeys(); len(namedPorts) > 0 { + if namedPorts := portSet.GetNamedPorts(); len(namedPorts) > 0 { res[protocol] = namedPorts } } 
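Review bot: `GetNamedPorts` now hands out the live `NamedPorts` map of each port set. `portSet.GetNamedPorts()` (added in portset.go later in this patch) returns `p.NamedPorts` itself, where the old `GetNamedPortsKeys` returned a fresh slice. A caller that edits the returned map or its implying rules, or that calls `ReplaceNamedPortWithMatchingPortNum` while holding it, changes the `ConnectionSet` it came from. If sharing is not intended, have `PortSet.GetNamedPorts` build a new `NamedPortsType` and store `v.Copy()` per key; otherwise state in the doc comment that the returned maps are shared with the receiver.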
@@ -262,43 +339,58 @@ func (conn *ConnectionSet) GetNamedPorts() map[v1.Protocol][]string { // ReplaceNamedPortWithMatchingPortNum : replacing given namedPort with the matching given port num in the connection // if port num is -1; just deletes the named port from the protocol's list -func (conn *ConnectionSet) ReplaceNamedPortWithMatchingPortNum(protocol v1.Protocol, namedPort string, portNum int32) { +func (conn *ConnectionSet) ReplaceNamedPortWithMatchingPortNum(protocol v1.Protocol, namedPort string, portNum int32, + implyingRules ImplyingRulesType) { protocolPortSet := conn.AllowedProtocols[protocol] if portNum != NoPort { - protocolPortSet.AddPort(intstr.FromInt32(portNum)) + protocolPortSet.AddPort(intstr.FromInt32(portNum), implyingRules) } // after adding the portNum to the protocol's portSet; remove the port name protocolPortSet.RemovePort(intstr.FromString(namedPort)) } -// portRange implements the PortRange interface -type portRange struct { - Interval interval.Interval +// PortRangeData implements the PortRange interface +type PortRangeData struct { + Interval AugmentedInterval } -func (p *portRange) Start() int64 { - return p.Interval.Start() +func (p *PortRangeData) Start() int64 { + return p.Interval.interval.Start() } -func (p *portRange) End() int64 { - return p.Interval.End() +func (p *PortRangeData) End() int64 { + return p.Interval.interval.End() } -func (p *portRange) String() string { - if p.Interval.End() != p.Interval.Start() { +func (p *PortRangeData) String() string { + if p.End() != p.Start() { return fmt.Sprintf("%d-%d", p.Start(), p.End()) } return fmt.Sprintf("%d", p.Start()) } +func (p *PortRangeData) StringWithExplanation(protocolString string) string { + resultStr := allowResultStr + if !p.InSet() { + resultStr = denyResultStr + } + return resultStr + SpaceSeparator + protocolString + ":" + p.String() + p.Interval.implyingRules.String() +} + +func (p *PortRangeData) InSet() bool { + return p.Interval.inSet +} + // 
ProtocolsAndPortsMap() returns a map from allowed protocol to list of allowed ports ranges. -func (conn *ConnectionSet) ProtocolsAndPortsMap() map[v1.Protocol][]PortRange { +func (conn *ConnectionSet) ProtocolsAndPortsMap(includeDeniedPorts bool) map[v1.Protocol][]PortRange { res := make(map[v1.Protocol][]PortRange, 0) for protocol, portSet := range conn.AllowedProtocols { res[protocol] = make([]PortRange, 0) // TODO: consider leave the slice of ports empty if portSet covers the full range for _, v := range portSet.Ports.Intervals() { - res[protocol] = append(res[protocol], &portRange{Interval: v}) + if includeDeniedPorts || v.inSet { + res[protocol] = append(res[protocol], &PortRangeData{Interval: v}) + } } } return res @@ -324,11 +416,12 @@ func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[ } var connStr string // connStrings will contain the string of given conns protocols and ports as is - connStrings := make([]string, len(protocolsAndPorts)) - index := 0 + connStrings := make([]string, 0, len(protocolsAndPorts)) for protocol, ports := range protocolsAndPorts { - connStrings[index] = protocolAndPortsStr(protocol, portsString(ports)) - index++ + if thePortsStr := portsString(ports); thePortsStr != "" { + // thePortsStr might be empty if 'ports' does not contain 'InSet' ports + connStrings = append(connStrings, protocolAndPortsStr(protocol, thePortsStr)) + } } sort.Strings(connStrings) connStr = strings.Join(connStrings, connsAndPortRangeSeparator) 
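Review bot: With `includeDeniedPorts` false, `ProtocolsAndPortsMap` still assigns `res[protocol] = make([]PortRange, 0)` for a protocol whose intervals are all denied, so the map gets a key with an empty slice. The TODO just above suggests an empty slice could come to mean "full range", which makes that entry ambiguous for consumers. In `ConnStrFromConnProperties` (next hunk) the new loop skips entries whose ports string is empty, so a map holding only such entries yields an empty connection string; whether the no-connections text is produced earlier is not visible in the hunk. Assign the key only when something was appended, e.g. `if len(ranges) > 0 { res[protocol] = ranges }`. Also give `PortRangeData` a doc comment stating that a range may be a denied one (`InSet() == false`).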
@@ -336,14 +429,60 @@ func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[ } // get string representation for a list of port ranges +// return a canonical form (longest in-set ranges) func portsString(ports []PortRange) string { - portsStr := make([]string, len(ports)) + portsStr := make([]string, 0, len(ports)) + currInterval := interval.New(0, -1) // an empty interval for i := range ports { - portsStr[i] = ports[i].String() + if ports[i].(*PortRangeData).InSet() { + switch { + case currInterval.IsEmpty(): + currInterval = interval.New(ports[i].Start(), ports[i].End()) + case currInterval.End()+1 == ports[i].Start(): + currInterval = interval.New(currInterval.Start(), ports[i].End()) // extend the interval + default: + portsStr = append(portsStr, currInterval.ShortString()) + currInterval = interval.New(0, -1) + } + } else if !currInterval.IsEmpty() { + portsStr = append(portsStr, currInterval.ShortString()) + currInterval = interval.New(0, -1) + } + } + if !currInterval.IsEmpty() { + portsStr = append(portsStr, currInterval.ShortString()) } return strings.Join(portsStr, connsAndPortRangeSeparator) } +func portsStringWithExplanation(ports []PortRange, protocolString string) string { + portsStr := make([]string, 0, len(ports)) + for i := range ports { + portsStr = append(portsStr, ports[i].(*PortRangeData).StringWithExplanation(protocolString)) + } + return strings.Join(portsStr, NewLine) +} + func protocolAndPortsStr(protocol v1.Protocol, ports string) string { - return string(protocol) + " " + ports + return string(protocol) + SpaceSeparator + ports +} + +func ExplanationFromConnProperties(allProtocolsAndPorts bool, commonImplyingRules ImplyingRulesType, + protocolsAndPorts map[v1.Protocol][]PortRange) string { + if len(protocolsAndPorts) == 0 { + connStr := noConnsStr + if allProtocolsAndPorts { + connStr = allConnsStr + } + return connStr + commonImplyingRules.String() + } + var connStr string + // connStrings will contain the string 
of given conns protocols and ports as is + connStrings := make([]string, 0, len(protocolsAndPorts)) + for protocol, ports := range protocolsAndPorts { + connStrings = append(connStrings, portsStringWithExplanation(ports, string(protocol))) + } + sort.Strings(connStrings) + connStr = strings.Join(connStrings, NewLine) + return connStr } diff --git a/pkg/netpol/internal/common/portset.go b/pkg/netpol/internal/common/portset.go index fd0b7417..768d7a43 100644 --- a/pkg/netpol/internal/common/portset.go +++ b/pkg/netpol/internal/common/portset.go @@ -12,8 +12,6 @@ import ( "strings" "k8s.io/apimachinery/pkg/util/intstr" - - "github.com/np-guard/models/pkg/interval" ) const ( 
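Review bot: In `portsString`, the `default` branch of the switch drops a port range. When an allowed range is not adjacent to the one being accumulated, the code flushes `currInterval` and resets it to empty, so `ports[i]` itself is never emitted. This is reached when two allowed ranges follow each other with no denied entry between them, which is the list `ProtocolsAndPortsMap(false)` builds after filtering; if callers pass that list here, the printed connections under-report allowed ports. The reset should start the next interval instead: `currInterval = interval.New(ports[i].Start(), ports[i].End())`. The unchecked assertion `ports[i].(*PortRangeData)` here and in `portsStringWithExplanation` also panics for any other `PortRange` implementation; use the two-value form or add `InSet()` to the interface.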
@@ -22,95 +20,134 @@ const ( maxPort int64 = 65535 ) +type NamedPortsType map[string]ImplyingRulesType + +func portNames(ports NamedPortsType) []string { + res := []string{} + for p := range ports { + res = append(res, p) + } + return res +} + // PortSet: represents set of allowed ports in a connection type PortSet struct { - Ports *interval.CanonicalSet - NamedPorts map[string]bool - ExcludedNamedPorts map[string]bool + Ports *AugmentedCanonicalSet // ports, augmented with implying rules data (used for explainability) + // NamedPorts/ExcludedNamedPorts is a map from a port name to implying rule names (used for explainnability) + // When not running with explainability, existing (excluded)named ports will be represented by a mapping + // from a port name to an empty implying rules holder + NamedPorts NamedPortsType + ExcludedNamedPorts NamedPortsType } // MakePortSet: return a new PortSet object, with all ports or no ports allowed func MakePortSet(all bool) *PortSet { - if all { - return &PortSet{Ports: interval.New(minPort, maxPort).ToSet(), - NamedPorts: map[string]bool{}, - ExcludedNamedPorts: map[string]bool{}, - } + return &PortSet{Ports: NewAugmentedCanonicalSet(minPort, maxPort, all), + NamedPorts: NamedPortsType{}, + ExcludedNamedPorts: NamedPortsType{}, + } +} + +func MakeAllPortSetWithImplyingRules(rules ImplyingRulesType) *PortSet { + return &PortSet{Ports: NewAugmentedCanonicalSetWithRules(minPort, maxPort, true, rules), + NamedPorts: NamedPortsType{}, + ExcludedNamedPorts: NamedPortsType{}, } - return &PortSet{Ports: interval.NewCanonicalSet(), - NamedPorts: map[string]bool{}, - ExcludedNamedPorts: map[string]bool{}, +} + +func MakeEmptyPortSetWithImplyingRules(rules ImplyingRulesType) *PortSet { + return &PortSet{Ports: NewAugmentedCanonicalSetWithRules(minPort, maxPort, false, rules), + NamedPorts: NamedPortsType{}, + ExcludedNamedPorts: NamedPortsType{}, } } // Equal: return true if current object equals another PortSet object func (p *PortSet) 
Equal(other *PortSet) bool { - return p.Ports.Equal(other.Ports) && reflect.DeepEqual(p.NamedPorts, other.NamedPorts) && - reflect.DeepEqual(p.ExcludedNamedPorts, other.ExcludedNamedPorts) + return p.Ports.Equal(other.Ports) && reflect.DeepEqual(portNames(p.NamedPorts), portNames(other.NamedPorts)) && + reflect.DeepEqual(portNames(p.ExcludedNamedPorts), portNames(other.ExcludedNamedPorts)) } -// IsEmpty: return true if current object is empty (no ports allowed) +// IsEmpty: return true if current PortSet is semantically empty (no ports allowed) func (p *PortSet) IsEmpty() bool { return p.Ports.IsEmpty() && len(p.NamedPorts) == 0 } +// Unfilled: return true if current PortSet is syntactically empty +func (p *PortSet) IsUnfilled() bool { + return p.Ports.IsUnfilled() && len(p.NamedPorts) == 0 +} + // Copy: return a new copy of a PortSet object func (p *PortSet) Copy() *PortSet { res := MakePortSet(false) res.Ports = p.Ports.Copy() for k, v := range p.NamedPorts { - res.NamedPorts[k] = v + res.NamedPorts[k] = v.Copy() } for k, v := range p.ExcludedNamedPorts { - res.ExcludedNamedPorts[k] = v + res.ExcludedNamedPorts[k] = v.Copy() } return res } // AddPort: update current PortSet object with new added port as allowed -func (p *PortSet) AddPort(port intstr.IntOrString) { +func (p *PortSet) AddPort(port intstr.IntOrString, implyingRules ImplyingRulesType) { if port.Type == intstr.String { - p.NamedPorts[port.StrVal] = true + if _, ok := p.NamedPorts[port.StrVal]; !ok { + p.NamedPorts[port.StrVal] = InitImplyingRules() + } + theRules := p.NamedPorts[port.StrVal] + theRules.Union(implyingRules, true) + p.NamedPorts[port.StrVal] = theRules delete(p.ExcludedNamedPorts, port.StrVal) } else { - p.Ports.AddInterval(interval.New(int64(port.IntVal), int64(port.IntVal))) + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), true) } } // RemovePort: update current PortSet object with removing input port from 
allowed ports func (p *PortSet) RemovePort(port intstr.IntOrString) { if port.Type == intstr.String { + p.ExcludedNamedPorts[port.StrVal] = p.NamedPorts[port.StrVal] delete(p.NamedPorts, port.StrVal) - p.ExcludedNamedPorts[port.StrVal] = true } else { - p.Ports.AddHole(interval.New(int64(port.IntVal), int64(port.IntVal))) + p.Ports.AddAugmentedInterval(NewAugmentedInterval(int64(port.IntVal), int64(port.IntVal), false), false) } } // AddPortRange: update current PortSet object with new added port range as allowed -func (p *PortSet) AddPortRange(minPort, maxPort int64) { - p.Ports.AddInterval(interval.New(minPort, maxPort)) +func (p *PortSet) AddPortRange(minPort, maxPort int64, inSet bool, fromRule string, isIngress bool) { + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRule(minPort, maxPort, inSet, fromRule, isIngress), true) } // Union: update current PortSet object with union of input PortSet object -func (p *PortSet) Union(other *PortSet) { - p.Ports = p.Ports.Union(other.Ports) +// Note: this function is not symmetrical regarding the update of implying rules: +// it updates implying rules of 'p' by those of 'other' only for ports that get changed in 'p' +func (p *PortSet) Union(other *PortSet, collectRules bool) { + p.Ports = p.Ports.Union(other.Ports, collectRules) // union current namedPorts with other namedPorts, and delete other namedPorts from current excludedNamedPorts for k, v := range other.NamedPorts { - p.NamedPorts[k] = v + if _, ok := p.NamedPorts[k]; !ok { + // this named port was not in p --> take implying rules from other + p.NamedPorts[k] = v.Copy() + } delete(p.ExcludedNamedPorts, k) } // add excludedNamedPorts from other to current excludedNamedPorts if they are not in united p.NamedPorts for k, v := range other.ExcludedNamedPorts { - if !p.NamedPorts[k] { - p.ExcludedNamedPorts[k] = v + if _, ok := p.NamedPorts[k]; !ok { + if _, ok := p.ExcludedNamedPorts[k]; !ok { + // this exluded named port was not excluded in p --> take implying 
rules from other + p.ExcludedNamedPorts[k] = v.Copy() + } } } } // ContainedIn: return true if current PortSet object is contained in input PortSet object func (p *PortSet) ContainedIn(other *PortSet) bool { - return p.Ports.IsSubset(other.Ports) + return p.Ports.ContainedIn(other.Ports) } // Intersection: update current PortSet object as intersection with input PortSet object @@ -124,7 +161,6 @@ func (p *PortSet) IsAll() bool { } const comma = "," -const emptyStr = "Empty" // String: return string representation of current PortSet func (p *PortSet) String() string { @@ -132,10 +168,7 @@ func (p *PortSet) String() string { if len(p.NamedPorts) > 0 { sortedNamedPorts := p.GetNamedPortsKeys() sort.Strings(sortedNamedPorts) - // if p.Ports is empty but p.NamedPorts is not: start a new string - if res == emptyStr { - res = "" - } else { + if res != "" { res += comma } res += strings.Join(sortedNamedPorts, comma) @@ -148,7 +181,12 @@ func (p *PortSet) Contains(port int64) bool { return p.Ports.Contains(port) } -// GetNamedPortsKeys returns the named ports of current portSet +// GetNamedPorts returns the named ports of the current PortSet +func (p *PortSet) GetNamedPorts() NamedPortsType { + return p.NamedPorts +} + +// GetNamedPortsKeys returns the named ports names of the current PortSet func (p *PortSet) GetNamedPortsKeys() []string { res := make([]string, len(p.NamedPorts)) index := 0 
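Review bot: `PortSet.Equal` compares `portNames(p.NamedPorts)` with `portNames(other.NamedPorts)` through `reflect.DeepEqual`, but `portNames` collects keys in map iteration order, which Go randomises. Two port sets with the same two or more named ports can therefore compare unequal from one run to the next. Sort in the helper before returning (`sort.Strings(res)`; the file already uses `sort.Strings` in `String`) or compare the key sets directly. In `RemovePort`, `p.ExcludedNamedPorts[port.StrVal] = p.NamedPorts[port.StrVal]` stores the zero `ImplyingRulesType` when the name was never added; if that type holds maps, a later `Union` on it could write to a nil map, so falling back to `InitImplyingRules()` would be safer. The comment `// Unfilled:` should name `IsUnfilled`, and "explainnability" and "exluded" are typos.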
@@ -162,14 +200,21 @@ func (p *PortSet) GetNamedPortsKeys() []string { // subtract: updates current portSet with the result of subtracting the given portSet from it func (p *PortSet) subtract(other *PortSet) { p.Ports = p.Ports.Subtract(other.Ports) - p.subtractNamedPorts(other.NamedPorts) + // delete other named ports from current portSet's named ports map + // and add the deleted named ports to excluded named ports map + for k, v := range other.NamedPorts { + if _, ok := p.ExcludedNamedPorts[k]; !ok { + p.ExcludedNamedPorts[k] = InitImplyingRules() + } + theRules := p.ExcludedNamedPorts[k] + theRules.Union(v.Copy(), true) + p.ExcludedNamedPorts[k] = theRules + delete(p.NamedPorts, k) + } } -// subtractNamedPorts: deletes given named ports from current portSet's named ports map -// and adds the deleted named ports to excluded named ports map -func (p *PortSet) subtractNamedPorts(otherNamedPorts map[string]bool) { - for namedPort := range otherNamedPorts { - delete(p.NamedPorts, namedPort) - p.ExcludedNamedPorts[namedPort] = true - } +func (p *PortSet) GetEquivalentCanonicalPortSet() *PortSet { + res := p.Copy() + res.Ports = p.Ports.GetEquivalentCanonicalAugmentedSet() + return res } diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt new file mode 100644 index 00000000..fda432e6 --- /dev/null +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt 
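Review bot: `GetEquivalentCanonicalPortSet` is exported without a doc comment and does redundant work: `p.Copy()` deep-copies `p.Ports` only for the next line to replace it. Build the result from `MakePortSet(false)` plus the named-port maps, or at least document what "canonical" covers, e.g. `// GetEquivalentCanonicalPortSet returns a copy of p whose numeric ports are reduced to the allowed intervals; named ports are copied with their implying rules`.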
@@ -0,0 +1,126 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN bar/my-bar[Pod] => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN baz/my-baz[Pod] => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: + +ALLOWED SCTP:1-65535 the system default (Allow all) + +ALLOWED UDP:1-65535 the system default (Allow all) + +DENIED TCP:1-1233 due to the following policies//rules: + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +ALLOWED TCP:1234 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) 
due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) + +DENIED TCP:1235-8079 due to the following policies//rules: + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +DENIED TCP:8080 due to the following policies//rules: + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +DENIED TCP:8081-9000 due to the following policies//rules: + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +ALLOWED TCP:9001-65535 the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: + +ALLOWED SCTP:1-65535 the system default (Allow all) + +ALLOWED TCP:1-1233 the system default (Allow all) + +ALLOWED TCP:1234 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) + +ALLOWED TCP:1235-65535 the system default (Allow all) + +ALLOWED UDP:1-65535 the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: + +ALLOWED SCTP:1-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] foo/allow-monitoring//Ingress rule #1 + +ALLOWED TCP:1-1233 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to 
the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] foo/allow-monitoring//Ingress rule #1 + +ALLOWED TCP:1234 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) + +ALLOWED TCP:1235-8079 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] foo/allow-monitoring//Ingress rule #1 + +ALLOWED TCP:8080 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [NP] foo/allow-monitoring//Ingress rule #1 + +ALLOWED TCP:8081-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] foo/allow-monitoring//Ingress rule #1 + +ALLOWED UDP:1-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] foo/allow-monitoring//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default (Allow all): +0.0.0.0-255.255.255.255 => bar/my-bar[Pod] +0.0.0.0-255.255.255.255 => baz/my-baz[Pod] +0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] +bar/my-bar[Pod] => 0.0.0.0-255.255.255.255 +bar/my-bar[Pod] => baz/my-baz[Pod] +bar/my-bar[Pod] => monitoring/my-monitoring[Pod] +baz/my-baz[Pod] => 0.0.0.0-255.255.255.255 +baz/my-baz[Pod] => bar/my-bar[Pod] +baz/my-baz[Pod] => monitoring/my-monitoring[Pod] +foo/my-foo[Pod] => 0.0.0.0-255.255.255.255 +foo/my-foo[Pod] => bar/my-bar[Pod] +foo/my-foo[Pod] => 
baz/my-baz[Pod] +foo/my-foo[Pod] => monitoring/my-monitoring[Pod] +monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 diff --git a/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt new file mode 100644 index 00000000..d661b490 --- /dev/null +++ b/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt 
@@ -0,0 +1,33 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [NP] foo/allow-monitoring//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default (Allow all): +0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] +bar/my-bar[Pod] => monitoring/my-monitoring[Pod] +baz/my-baz[Pod] => monitoring/my-monitoring[Pod] +foo/my-foo[Pod] => monitoring/my-monitoring[Pod] 
+monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 diff --git a/tests/anp_banp_blog_demo_2/ns.yaml b/tests/anp_banp_blog_demo_2/ns.yaml new file mode 100644 index 00000000..c9b2481e --- /dev/null +++ b/tests/anp_banp_blog_demo_2/ns.yaml @@ -0,0 +1,35 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: foo + labels: + security: internal + kubernetes.io/metadata.name: foo +--- + +apiVersion: v1 +kind: Namespace +metadata: + name: bar + labels: + security: internal + kubernetes.io/metadata.name: bar + +--- + +apiVersion: v1 +kind: Namespace +metadata: + name: baz + labels: + kubernetes.io/metadata.name: baz + +--- + + +apiVersion: v1 +kind: Namespace +metadata: + name: monitoring + labels: + kubernetes.io/metadata.name: monitoring \ No newline at end of file diff --git a/tests/anp_banp_blog_demo_2/policies.yaml b/tests/anp_banp_blog_demo_2/policies.yaml new file mode 100644 index 00000000..08f61ca7 --- /dev/null +++ b/tests/anp_banp_blog_demo_2/policies.yaml 
@@ -0,0 +1,87 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: allow-monitoring
+ namespace: foo
+spec:
+ podSelector:
+ policyTypes:
+ - Ingress
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+ name: default
+spec:
+ subject:
+ namespaces:
+ matchLabels:
+ security: internal
+ ingress:
+ - name: "deny-ingress-from-all-namespaces"
+ action: "Deny"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - portRange:
+ protocol: TCP
+ start: 1
+ end: 9000
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: allow-monitoring
+spec:
+ priority: 9
+ subject:
+ namespaces: {}
+ ingress:
+ - name: "allow-ingress-from-monitoring"
+ action: "Allow"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 1234
+
+
+
+---
+
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+ name: pass-monitoring
+spec:
+ priority: 7
+ subject:
+ namespaces:
+ matchLabels:
+ security: internal
+ ingress:
+ - name: "pass-ingress-from-monitoring"
+ action: "Pass"
+ from:
+ - namespaces:
+ matchLabels:
+ kubernetes.io/metadata.name: monitoring
+ ports:
+ - portNumber:
+ protocol: TCP
+ port: 8080
+
diff --git a/tests/anp_banp_blog_demo_2/workloads.yaml b/tests/anp_banp_blog_demo_2/workloads.yaml
new file mode 100644
index 00000000..00b070ff
--- /dev/null
+++ b/tests/anp_banp_blog_demo_2/workloads.yaml
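Review bot: The BaselineAdminNetworkPolicy rule in policies.yaml is named `deny-ingress-from-all-namespaces`, but its `from` clause matches only the `monitoring` namespace and its `ports` only TCP 1-9000. The explain output prints that name as the reason for a denial, so a reader of the report could conclude that ingress from every namespace is denied. The expected output in this patch shows `foo/my-foo[Pod] => bar/my-bar[Pod]` allowed by the system default. Either rename the rule and regenerate the expected output, or add a comment above it such as `# narrowed for this test: denies only ingress from monitoring on TCP 1-9000, despite the name`.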
@@ -0,0 +1,57 @@ +apiVersion: v1 +kind: Pod +metadata: + namespace: foo + name: my-foo + labels: + security: internal +spec: + containers: + - name: myfirstContainer + image: fooimage + +--- + +apiVersion: v1 +kind: Pod +metadata: + namespace: bar + name: my-bar + labels: + security: internal +spec: + containers: + - name: myfirstContainer + image: barimage + +--- + +apiVersion: v1 +kind: Pod +metadata: + namespace: baz + name: my-baz + labels: + security: none +spec: + containers: + - name: myfirstContainer + image: bazimage + +--- + +apiVersion: v1 +kind: Pod +metadata: + namespace: monitoring + name: my-monitoring + labels: + security: monitoring +spec: + containers: + - name: myfirstContainer + image: monitoringimage + +--- + + From 8217a4bcd3cabcdb2c59ab755b2182505deaee05 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 10 Dec 2024 14:55:39 +0200 Subject: [PATCH 02/20] More delicate handling of intersection of ingress and egress connections (to preserve explainability data from both directions). Updating testing data accordingly. --- pkg/netpol/connlist/explanation_test.go | 4 +- .../internal/common/augmented_intervalset.go | 49 +++++++++--- .../anp_banp_blog_demo_2_explain_output.txt | 4 + .../anp_banp_blog_demo_explain_output.txt | 80 +++++++++++++++++++ ..._workload_my-monitoring_explain_output.txt | 33 -------- 5 files changed, 121 insertions(+), 49 deletions(-) create mode 100644 test_outputs/connlist/anp_banp_blog_demo_explain_output.txt delete mode 100644 test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index a308e941..da3db836 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go 
@@ -52,12 +52,10 @@ var explainTests = []struct { // testDirName: "anp_test_10", // }, { - testDirName: "anp_banp_blog_demo", - focusWorkload: "my-monitoring", + testDirName: "anp_banp_blog_demo", }, { testDirName: "anp_banp_blog_demo_2", - // focusWorkload: "my-monitoring", }, // { // testDirName: "ipblockstest", diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index a98c097f..7e10c4d7 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
@@ -249,6 +249,32 @@ func (rules *ImplyingRulesType) Union(other ImplyingRulesType, collectRules bool rules.Egress.Union(other.Egress, collectRules) } +func (rules *ImplyingRulesType) onlyIngressDirection() bool { + return !rules.Ingress.Empty() && rules.Egress.Empty() +} + +func (rules *ImplyingRulesType) onlyEgressDirection() bool { + return rules.Ingress.Empty() && !rules.Egress.Empty() +} + +// OverrideUnlessOppositeDirections checks whether rules and other contain only rules of opposite directions +// (one of them only Ingress and another only Egress). +// This happens when performing intersection between ingress and egress connections. +// In this case the function preserves implying rules of both directions (for detailed explainability report). +// If this is not the case of 'opposite durections' scenario, the function overrides current implying rules by others'. +func (rules *ImplyingRulesType) OverrideUnlessOppositeDirections(other ImplyingRulesType) { + if rules.onlyIngressDirection() && other.onlyEgressDirection() { + // opposite directions (Ingress in rules and Egress in other) -> keep Ingress, copy Egress + rules.Egress = other.Egress.Copy() + } else if rules.onlyEgressDirection() && other.onlyIngressDirection() { + // opposite directions (Egress in rules and Ingress in other) -> keep Egress, copy Ingress + rules.Ingress = other.Ingress.Copy() + } else { + // this is not the case of opposite directions -> override everything + *rules = other.Copy() + } +} + func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, collectRules bool) bool { return rules.Ingress.mayBeUpdatedBy(other.Ingress, collectRules) || rules.Egress.mayBeUpdatedBy(other.Egress, collectRules) } 
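Review bot: The final `else` of `OverrideUnlessOppositeDirections` replaces `rules` with `other.Copy()` whenever the pair is not a strict single-direction opposite. When `rules` already holds both Ingress and Egress rules and `other` holds only one direction, the direction absent from `other` is therefore dropped from the explanation. If that is intended, the doc comment should state it, for example `// In every other case, including rules that already hold both directions, the current implying rules are replaced by a copy of other's.` The same comment misspells "directions" as "durections". The unexported helpers `onlyIngressDirection` and `onlyEgressDirection` would also benefit from one-line comments.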
@@ -453,12 +479,11 @@ func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collec // split set[left] into two intervals, while the implying rules of the second interval should get the new value (from v) new1 := AugmentedInterval{interval: interval.New(set[left].interval.Start(), v.interval.Start()-1), inSet: set[left].inSet, implyingRules: set[left].implyingRules.Copy()} - var newImplyingRules ImplyingRulesType + newImplyingRules := set[left].implyingRules.Copy() if set[left].inSet == v.inSet { - newImplyingRules = set[left].implyingRules.Copy() newImplyingRules.Union(v.implyingRules, collectRules) } else { - newImplyingRules = v.implyingRules.Copy() + newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) } new2 := AugmentedInterval{interval: interval.New(v.interval.Start(), min(set[left].interval.End(), v.interval.End())), inSet: v.inSet, implyingRules: newImplyingRules} @@ -470,14 +495,13 @@ func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collec (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { break // this is the corner case handled following the loop below } - var newImplyingRules ImplyingRulesType + newImplyingRules := set[ind].implyingRules.Copy() if set[ind].inSet == v.inSet { // this interval is not impacted by v; // however, its implying rules may be updated by those of v. - newImplyingRules = set[ind].implyingRules.Copy() newImplyingRules.Union(v.implyingRules, collectRules) } else { - newImplyingRules = v.implyingRules.Copy() + newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) } result = append(result, AugmentedInterval{interval: set[ind].interval, inSet: v.inSet, implyingRules: newImplyingRules}) } 
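Review bot: The same five-line merge of implying rules now appears three times in `AddAugmentedInterval`: for `set[left]` and `set[ind]` in the two hunks here, and for `set[right]` in the `@@ -488,12 +512,11 @@` hunk. Any later change to how ingress and egress rules are combined has to be made identically in all three places, or the explanation will differ depending on where an interval is split. A small helper would keep them in step; the sketch below assumes `set` holds `AugmentedInterval` values, as the struct literals in the hunk suggest. `AddAugmentedInterval` itself starts and ends outside these hunks.

```go
// mergeImplyingRules returns the implying rules for the part of cur that v covers.
func mergeImplyingRules(cur, v AugmentedInterval, collectRules bool) ImplyingRulesType {
	merged := cur.implyingRules.Copy()
	if cur.inSet == v.inSet {
		merged.Union(v.implyingRules, collectRules)
	} else {
		merged.OverrideUnlessOppositeDirections(v.implyingRules)
	}
	return merged
}

// … unchanged: construction of new1 …
newImplyingRules := mergeImplyingRules(set[left], v, collectRules)
// … unchanged: construction of new2; same call with set[ind] and set[right] at the other two sites …
```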
@@ -488,12 +512,11 @@ func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collec if left < right || (left == right && v.interval.Start() == set[left].interval.Start()) { // a special case when left==right (i.e., v is included in one interval from set) was already handled // at the left-hand side of the intersection of v with set - var newImplyingRules ImplyingRulesType + newImplyingRules := set[right].implyingRules.Copy() if set[right].inSet == v.inSet { - newImplyingRules = set[right].implyingRules.Copy() newImplyingRules.Union(v.implyingRules, collectRules) } else { - newImplyingRules = v.implyingRules.Copy() + newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) } new1 := AugmentedInterval{interval: interval.New(set[right].interval.Start(), v.interval.End()), inSet: v.inSet, implyingRules: newImplyingRules} @@ -537,12 +560,12 @@ func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectRules res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, false) + res.AddAugmentedInterval(left, collectRules) } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, false) + res.AddAugmentedInterval(right, collectRules) } } for _, left := range c.intervalSet { @@ -627,12 +650,12 @@ func (c *AugmentedCanonicalSet) Intersect(other *AugmentedCanonicalSet) *Augment } for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, false) + res.AddAugmentedInterval(left, true) // collect implying rules allowed by both sets } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, false) + res.AddAugmentedInterval(right, true) // collect implying rules allowed by both sets } } return res 
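Review bot: In the `Intersect` hunk (`@@ -627,12 +650,12 @@`) the new `true` argument is commented `// collect implying rules allowed by both sets`, but both loops only add intervals guarded by `!left.inSet` / `!right.inSet`, which are the parts outside each set. The comment reads as if these were the allowed ranges, which is confusing for whoever next has to work out why a denied range lists rules from both operands. Something like `// intervals excluded by either set: collect the implying rules from both` would match the code. `Intersect` begins outside this hunk, so its earlier handling of the in-set intervals is not visible here.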
diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt index fda432e6..26318e51 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt @@ -30,6 +30,7 @@ ALLOWED SCTP:1-65535 the system default (Allow all) ALLOWED UDP:1-65535 the system default (Allow all) DENIED TCP:1-1233 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) @@ -39,15 +40,18 @@ ALLOWED TCP:1234 due to the following policies//rules: 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) DENIED TCP:1235-8079 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) DENIED TCP:8080 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) DENIED TCP:8081-9000 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) diff --git a/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt new file mode 100644 index 00000000..f723b5a5 --- /dev/null +++ b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt 
@@ -0,0 +1,80 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN bar/my-bar[Pod] => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN baz/my-baz[Pod] => bar/my-bar[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN baz/my-baz[Pod] => foo/my-foo[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN foo/my-foo[Pod] => bar/my-bar[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) + 2) [NP] foo/allow-monitoring//Ingress rule #1 + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default (Allow all): +0.0.0.0-255.255.255.255 => bar/my-bar[Pod] +0.0.0.0-255.255.255.255 => baz/my-baz[Pod] +0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] +bar/my-bar[Pod] => 0.0.0.0-255.255.255.255 +bar/my-bar[Pod] => baz/my-baz[Pod] +bar/my-bar[Pod] => monitoring/my-monitoring[Pod] +baz/my-baz[Pod] => 0.0.0.0-255.255.255.255 +baz/my-baz[Pod] => monitoring/my-monitoring[Pod] +foo/my-foo[Pod] => 0.0.0.0-255.255.255.255 +foo/my-foo[Pod] => baz/my-baz[Pod] +foo/my-foo[Pod] => monitoring/my-monitoring[Pod] +monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 diff --git a/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt deleted file mode 100644 index d661b490..00000000 --- a/test_outputs/connlist/anp_banp_blog_demo_focus_workload_my-monitoring_explain_output.txt +++ /dev/null 
@@ -1,33 +0,0 @@ ----------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: - -No Connections due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (DENIED) - 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) - 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: - -All Connections due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: - -All Connections due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) - 2) [NP] foo/allow-monitoring//Ingress rule #1 - ----------------------------------------------------------------------------------------------------------------------------------------------------------------- -The following nodes are connected due to the system default (Allow all): -0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] -bar/my-bar[Pod] => monitoring/my-monitoring[Pod] -baz/my-baz[Pod] => monitoring/my-monitoring[Pod] -foo/my-foo[Pod] => monitoring/my-monitoring[Pod] 
-monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 From 1e7cbb93e99f2bb2136e17972781272be4870eb0 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Mon, 23 Dec 2024 10:11:49 +0200 Subject: [PATCH 03/20] make linter happy --- pkg/netpol/connlist/explanation_test.go | 6 +++--- pkg/netpol/internal/common/augmented_intervalset.go | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index da3db836..657d21c9 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -48,6 +48,9 @@ var explainTests = []struct { testDirName string focusWorkload string }{ + { + testDirName: "netpol_named_port_test", + }, // { // testDirName: "anp_test_10", // }, @@ -64,9 +67,6 @@ var explainTests = []struct { // testDirName: "onlineboutique", // }, // { - // testDirName: "anp_banp_blog_demo", - // }, - // { // testDirName: "acs-security-demos", // }, // { diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index 7e10c4d7..eda3106d 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
@@ -263,13 +263,14 @@ func (rules *ImplyingRulesType) onlyEgressDirection() bool { // In this case the function preserves implying rules of both directions (for detailed explainability report). // If this is not the case of 'opposite durections' scenario, the function overrides current implying rules by others'. func (rules *ImplyingRulesType) OverrideUnlessOppositeDirections(other ImplyingRulesType) { - if rules.onlyIngressDirection() && other.onlyEgressDirection() { + switch { + case rules.onlyIngressDirection() && other.onlyEgressDirection(): // opposite directions (Ingress in rules and Egress in other) -> keep Ingress, copy Egress rules.Egress = other.Egress.Copy() - } else if rules.onlyEgressDirection() && other.onlyIngressDirection() { + case rules.onlyEgressDirection() && other.onlyIngressDirection(): // opposite directions (Egress in rules and Ingress in other) -> keep Egress, copy Ingress rules.Ingress = other.Ingress.Copy() - } else { + default: // this is not the case of opposite directions -> override everything *rules = other.Copy() } From 181b9acadd3d17978b32c11698a2dca1326dd2fe Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Mon, 23 Dec 2024 12:03:47 +0200 Subject: [PATCH 04/20] fixing lint errors --- pkg/netpol/connlist/connlist.go | 6 ++++-- pkg/netpol/eval/internal/k8s/netpol_test.go | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index a2df9fe0..3a19e16d 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go 
@@ -209,10 +209,12 @@ func (ca *ConnlistAnalyzer) hasFatalError() error { // getPolicyEngine returns a new policy engine considering the exposure analysis option func (ca *ConnlistAnalyzer) getPolicyEngine(objectsList []parser.K8sObject) (*eval.PolicyEngine, error) { if !ca.exposureAnalysis { - return eval.NewPolicyEngineWithOptionsList(eval.WithExplanation(ca.explain), eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList)) + return eval.NewPolicyEngineWithOptionsList(eval.WithExplanation(ca.explain), + eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList)) } // else build new policy engine with exposure analysis option - return eval.NewPolicyEngineWithOptionsList(eval.WithExposureAnalysis(), eval.WithExplanation(ca.explain), eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList)) + return eval.NewPolicyEngineWithOptionsList(eval.WithExposureAnalysis(), eval.WithExplanation(ca.explain), + eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList)) } func (ca *ConnlistAnalyzer) connsListFromParsedResources(objectsList []parser.K8sObject) ([]Peer2PeerConnection, []Peer, error) { diff --git a/pkg/netpol/eval/internal/k8s/netpol_test.go b/pkg/netpol/eval/internal/k8s/netpol_test.go index df3a943e..11e3d4be 100644 --- a/pkg/netpol/eval/internal/k8s/netpol_test.go +++ b/pkg/netpol/eval/internal/k8s/netpol_test.go @@ -9,11 +9,12 @@ package k8s import ( "testing" - "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common" v1 "k8s.io/api/core/v1" netv1 "k8s.io/api/networking/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/intstr" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common" ) /*func TestCreatePod(t *testing.T) { From d50485be2b4aaf9a7c955013f22bb9c611585bc1 Mon Sep 17 00:00:00 2001 
From: Tanya Veksler Date: Mon, 23 Dec 2024 17:42:44 +0200 Subject: [PATCH 05/20] More delicate handlinng of IPblock default connections explanation; Added no connection explanation for non-matching named ports case Added more explanation tests --- pkg/netpol/connlist/connlist.go | 4 +- pkg/netpol/connlist/conns_formatter_txt.go | 18 +++--- pkg/netpol/connlist/explanation_test.go | 6 +- pkg/netpol/eval/check.go | 52 ++++++++-------- pkg/netpol/eval/internal/k8s/adminnetpol.go | 2 +- pkg/netpol/eval/internal/k8s/netpol.go | 13 +++- .../eval/internal/k8s/policy_connections.go | 6 +- .../internal/common/augmented_intervalset.go | 60 +++++++++++-------- pkg/netpol/internal/common/connectionset.go | 4 +- .../anp_banp_blog_demo_2_explain_output.txt | 4 +- .../anp_banp_blog_demo_explain_output.txt | 4 +- .../netpol_named_port_test_explain_output.txt | 36 +++++++++++ 12 files changed, 136 insertions(+), 73 deletions(-) create mode 100644 test_outputs/connlist/netpol_named_port_test_explain_output.txt diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index 3a19e16d..2c601b96 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go @@ -353,8 +353,8 @@ func (c *connection) ProtocolsAndPorts() map[v1.Protocol][]common.PortRange { return c.protocolsAndPorts } -func (c *connection) OnlySystemDefaultRule() bool { - return c.allConnections && len(c.protocolsAndPorts) == 0 && c.commonImplyingRules.OnlySystemDefaultRule() +func (c *connection) OnlyDefaultRule() bool { + return c.allConnections && len(c.protocolsAndPorts) == 0 && c.commonImplyingRules.OnlyDefaultRule() } // returns a *common.ConnectionSet from Peer2PeerConnection data diff --git a/pkg/netpol/connlist/conns_formatter_txt.go b/pkg/netpol/connlist/conns_formatter_txt.go index cee00c6f..7141792d 100644 --- a/pkg/netpol/connlist/conns_formatter_txt.go +++ b/pkg/netpol/connlist/conns_formatter_txt.go 
@@ -36,14 +36,14 @@ func (t *formatText) writeOutput(conns []Peer2PeerConnection, exposureConns []Ex // writeConnlistOutput writes the section of the connlist result of the output func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConns, explain bool) string { connLines := make([]singleConnFields, 0, len(conns)) - systemDefaultConnLines := make([]singleConnFields, 0, len(conns)) + defaultConnLines := make([]singleConnFields, 0, len(conns)) t.ipMaps = createIPMaps(saveIPConns) for i := range conns { p2pConn := formSingleP2PConn(conns[i], explain) if explain { // when running with explanation, we print system default connections at the end - if conns[i].(*connection).OnlySystemDefaultRule() { - systemDefaultConnLines = append(systemDefaultConnLines, p2pConn) + if conns[i].(*connection).OnlyDefaultRule() { + defaultConnLines = append(defaultConnLines, p2pConn) } else { connLines = append(connLines, p2pConn) } @@ -57,11 +57,11 @@ func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConn } sortConnFields(connLines, true) if explain { - sortConnFields(systemDefaultConnLines, true) + sortConnFields(defaultConnLines, true) } result := "" if explain { - result = writeExplanationOutput(connLines, systemDefaultConnLines) + result = writeExplanationOutput(connLines, defaultConnLines) } else { for _, p2pConn := range connLines { result += p2pConn.string() + newLineChar 
@@ -70,15 +70,15 @@ func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConn return result } -func writeExplanationOutput(connLines, systemDefaultConnLines []singleConnFields) string { +func writeExplanationOutput(connLines, defaultConnLines []singleConnFields) string { result := "" for _, p2pConn := range connLines { result += nodePairSeparationLine result += p2pConn.stringWithExplanation() + newLineChar } - if len(systemDefaultConnLines) > 0 { + if len(defaultConnLines) > 0 { result += nodePairSeparationLine + systemDefaultPairsHeader - for _, p2pConn := range systemDefaultConnLines { + for _, p2pConn := range defaultConnLines { result += p2pConn.nodePairString() + newLineChar } } @@ -89,7 +89,7 @@ const ( unprotectedHeader = "\nWorkloads not protected by network policies:\n" separationLine80 = "--------------------------------------------------------------------------------" nodePairSeparationLine = separationLine80 + separationLine80 + common.NewLine - systemDefaultPairsHeader = "The following nodes are connected due to " + common.SystemDefaultRule + ":\n" + systemDefaultPairsHeader = "The following nodes are connected due to " + common.SystemOrIPDefaultRule + ":\n" ) // writeExposureOutput writes the section of the exposure-analysis result diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index d0a272e0..657d21c9 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -48,9 +48,9 @@ var explainTests = []struct { testDirName string focusWorkload string }{ - // { - // testDirName: "netpol_named_port_test", - // }, + { + testDirName: "netpol_named_port_test", + }, // { // testDirName: "anp_test_10", // }, diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index f7568ced..a98654f8 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go 
@@ -259,7 +259,7 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) return nil, err } res.SetExplResult(false) - if res.IsEmpty() { + if res.IsEmpty() && !pe.explain { return res, nil } // ingress: get ingress allowed connections between the src and dst by 
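Review bot: The new condition `if res.IsEmpty() && !pe.explain {` in allAllowedConnectionsBetweenPeers has no comment saying why an empty result is no longer returned early when explanations are on. Presumably the evaluation continues so that the report can name the rules behind a denied connection; a line such as `// with explain on, keep evaluating so the rules that deny the connection are collected` above the check would record that. The function starts and ends outside the hunk, so the cost of the extra ingress/egress evaluation for empty results cannot be judged from here.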
@@ -514,38 +514,40 @@ func (pe *PolicyEngine) getAllAllowedXgressConnectionsFromANPs(src, dst k8s.Peer // - note that the result may contain allowed / denied connections. func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool) (*k8s.PolicyConnections, error) { res := k8s.NewPolicyConnections() - if pe.baselineAdminNetpol == nil { - res.AllowedConns = common.MakeAllConnectionSetWithRule(common.SystemDefaultRule, isIngress) - return res, nil - } - if isIngress { // ingress - selectsDst, err := pe.baselineAdminNetpol.Selects(dst, true) - if err != nil { - return nil, err - } - // if the banp selects the dst on ingress, get ingress conns - if selectsDst { - res, err = pe.baselineAdminNetpol.GetIngressPolicyConns(src, dst) + if pe.baselineAdminNetpol != nil { + if isIngress { // ingress + selectsDst, err := pe.baselineAdminNetpol.Selects(dst, true) if err != nil { return nil, err } - } - } else { // egress (!isIngress) - selectsSrc, err := pe.baselineAdminNetpol.Selects(src, false) - if err != nil { - return nil, err - } - // if the banp selects the src on egress, get egress conns - if selectsSrc { - res, err = pe.baselineAdminNetpol.GetEgressPolicyConns(dst) + // if the banp selects the dst on ingress, get ingress conns + if selectsDst { + res, err = pe.baselineAdminNetpol.GetIngressPolicyConns(src, dst) + if err != nil { + return nil, err + } + } + } else { // egress (!isIngress) + selectsSrc, err := pe.baselineAdminNetpol.Selects(src, false) if err != nil { return nil, err } + // if the banp selects the src on egress, get egress conns + if selectsSrc { + res, err = pe.baselineAdminNetpol.GetEgressPolicyConns(dst) + if err != nil { + return nil, err + } + } } } - // if banp rules didn't capture xgress conn between src and dst, return system-default: allow-all; + // if no banp or banp rules didn't capture xgress conn between src and dst, return system-default: allow-all; // if banp rule captured xgress conn, only DeniedConns should be impacted 
by banp rule, - // whenever AllowedConns should anyway be system-default: allow-all - res.AllowedConns = common.MakeAllConnectionSetWithRule(common.SystemDefaultRule, isIngress) + // whenever AllowedConns should anyway be system-default: allow-all (or assumed allow-all for IP-blocks) + if (isIngress && dst.PeerType() == k8s.IPBlockType) || (!isIngress && src.PeerType() == k8s.IPBlockType) { + res.AllowedConns = common.MakeConnectionSetWithRule(true, common.IPDefaultRule, isIngress) + } else { + res.AllowedConns = common.MakeConnectionSetWithRule(true, common.SystemDefaultRule, isIngress) + } return res, nil } diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go index 5340c0cd..b4623f2b 100644 --- a/pkg/netpol/eval/internal/k8s/adminnetpol.go +++ b/pkg/netpol/eval/internal/k8s/adminnetpol.go @@ -398,7 +398,7 @@ func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName str // ruleConnections returns the connectionSet from the current rule.Ports func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, dst Peer, isIngress bool) (*common.ConnectionSet, error) { if ports == nil { // If Ports is not set then the rule does not filter traffic via port. - return common.MakeAllConnectionSetWithRule(ruleName, isIngress), nil + return common.MakeConnectionSetWithRule(true, ruleName, isIngress), nil } res := common.MakeConnectionSet(false) for _, anpPort := range *ports { diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 2f4ec6f6..5a48dd6f 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go 
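Review bot: The tail of getXgressDefaultConns now ends in two branches that differ only in the rule constant, and the doc comment above the function does not mention the new IP-block case. Picking the rule first keeps the allow-all construction in one place: `rule := common.SystemDefaultRule`, then `if (isIngress && dst.PeerType() == k8s.IPBlockType) || (!isIngress && src.PeerType() == k8s.IPBlockType) { rule = common.IPDefaultRule }`, then `res.AllowedConns = common.MakeConnectionSetWithRule(true, rule, isIngress)`. The function comment should also say that the IP-block side is an assumed allow-all rather than an evaluated one, so that a reader of the report can tell this assumption apart from the cluster's own default.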
@@ -157,7 +157,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds if len(rulePorts) == 0 { // If this field is empty or missing, this rule matches all ports // (traffic not restricted by port) - return common.MakeAllConnectionSetWithRule(np.ruleName(ruleIdx, isIngress), isIngress), nil + return common.MakeConnectionSetWithRule(true, np.ruleName(ruleIdx, isIngress), isIngress), nil } res := common.MakeConnectionSet(false) ruleName := np.ruleName(ruleIdx, isIngress) @@ -168,7 +168,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds } ports := common.MakePortSet(false) if rulePorts[i].Port == nil { - ports = common.MakePortSet(true) + ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) } else { startPort, endPort, portName, err := np.getPortsRange(rulePorts[i], dst) if err != nil { @@ -207,6 +207,11 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds } res.AddConnection(protocol, ports) } + if res.IsEmpty() { + // no connections found --> "named ports" of the rule had no match in the pod config + // remove empty protocols if any + res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamesPortsToDst(ruleName), isIngress) + } return res, nil } @@ -412,6 +417,10 @@ func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) s return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress) } +func explNoMatchOfNamesPortsToDst(ruleName string) string { + return fmt.Sprintf("%s (named ports of the rule have no match in the configuration of the dst peer)", ruleName) +} + // GetXgressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer (for Ingress) // or from any captured pod to the dst peer (for Egress) func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*common.ConnectionSet, error) { 
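Review bot: In ruleConnections the added `if res.IsEmpty()` block attributes every empty result to unmatched named ports, but the hunk only establishes that the set is empty, not that a named port was looked up and missed. If any path in the loop, most of which lies outside the hunk, can leave `res` empty for another reason, the report would give the wrong cause for a denied connection; recording the miss where the port name is resolved and testing that flag here would make the attribution exact. The comment `// remove empty protocols if any` also does not describe the code, which replaces the whole set; `// replace the empty set with one that carries the no-match explanation` fits what the line does.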
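Review bot: The helper name `explNoMatchOfNamesPortsToDst` looks like a typo for `explNoMatchOfNamedPortsToDst`, and the function has no doc comment. Renaming it at the definition and at its call site in ruleConnections (previous hunk), and adding `// explNoMatchOfNamedPortsToDst returns ruleName annotated with the reason the rule yields no connections.`, would make the intent readable without opening the body.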
diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go index dd4e4c6d..edf449c0 100644 --- a/pkg/netpol/eval/internal/k8s/policy_connections.go +++ b/pkg/netpol/eval/internal/k8s/policy_connections.go @@ -45,6 +45,8 @@ func (pc *PolicyConnections) UpdateWithRuleConns(ruleConns *common.ConnectionSet // banpRules indicates if the rules are coming from BANP; flag used to check the rule Actions are valid since: // Unlike AdminNetworkPolicies that enable: "Pass, Deny or Allow" as the action of each rule. // BaselineAdminNetworkPolicies allows only "Allow and Deny" as the action of each rule. + // 'false' in the Union calls below indicates to not collect explainability rules, since in the ANP/BANP level + // rule order defines their precedence, and so each connection may ve defined by at most one rule. switch ruleAction { case string(apisv1a.AdminNetworkPolicyRuleActionAllow): ruleConns.Subtract(pc.DeniedConns) @@ -79,6 +81,8 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti newAdminPolicyConns.PassConns.Subtract(pc.DeniedConns) newAdminPolicyConns.PassConns.Subtract(pc.AllowedConns) // add the new conns from current policy to the connections from the policies with higher precedence + // 'false' in the Union calls below indicates to not collect explainability rules, since in the ANP level + // each connection may ve defined by at most one ANP (according to the precedence). pc.DeniedConns.Union(newAdminPolicyConns.DeniedConns, false) pc.AllowedConns.Union(newAdminPolicyConns.AllowedConns, false) pc.PassConns.Union(newAdminPolicyConns.PassConns, false) 
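Review bot: The comment added in UpdateWithRuleConns reads `each connection may ve defined by at most one rule`; `ve` should be `be`, and the same typo is in the comment added in CollectANPConns in the next hunk. In UpdateWithRuleConns the new lines are also appended directly to the paragraph about `banpRules`, so a blank `//` line before `// 'false' in the Union calls below ...` would keep the two topics apart. Both function bodies continue outside their hunks.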
@@ -138,7 +142,7 @@ func (pc *PolicyConnections) CollectConnsFromBANP(banpConns *PolicyConnections) newDenied := pc.PassConns.Copy() newDenied.Intersection(banpConns.DeniedConns) // collect implying rules from pc.PassConns and banpConns.DeniedConns newDenied.Subtract(pc.AllowedConns) - pc.DeniedConns.Union(newDenied, true) // 'true' because denied conns are defined by rules from both sides + pc.DeniedConns.Union(newDenied, false) // 'false' because denied conns may be already defined by pc.DeniedConns // the allowed conns are "all conns - the denied conns" // all conns that are not determined by the ANP and BANP are allowed by default, // and are kept in banpConns.AllowedConns (were returned by getXgressDefaultConns) diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index eda3106d..88205025 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
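Review bot: In CollectConnsFromBANP the switch to `pc.DeniedConns.Union(newDenied, false)` sits right under `newDenied.Intersection(banpConns.DeniedConns) // collect implying rules from pc.PassConns and banpConns.DeniedConns`, and the new trailing comment does not say whether those collected rules still reach the explanation for connections that were not already in `pc.DeniedConns`. If the flag drops them, a connection passed by an ANP and then denied by the BANP could be reported without the rule that denies it. A test case with a Pass rule followed by a BANP deny, asserting that both rules appear in the explain output, would settle it; the function body is only partly visible here.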
@@ -80,22 +80,32 @@ func (rules *ImplyingRulesType) Copy() ImplyingRulesType { } const ( - ExplWithRulesTitle = "due to the following policies//rules:" + ExplString = "due to " + ExplWithRulesTitle = ExplString + "the following policies//rules:" IngressDirectionTitle = "\tINGRESS DIRECTION" EgressDirectionTitle = "\tEGRESS DIRECTION" NewLine = "\n" SpaceSeparator = " " - ExplAllowAll = "(Allow all)" - SystemDefaultRule = "the system default " + ExplAllowAll - ExplSystemDefault = "due to " + SystemDefaultRule + ExplAllowAll = " (Allow all)" + SystemDefaultString = "the system default" + SystemDefaultRule = SystemDefaultString + ExplAllowAll + IPDefaultString = "the assumed default for IPblock" + IPDefaultRule = IPDefaultString + ExplAllowAll + SystemOrIPDefaultRule = SystemDefaultString + " or " + IPDefaultString + ExplAllowAll + ExplSystemDefault = ExplString + SystemDefaultRule PodToItselfRule = "pod to itself " + ExplAllowAll allowResultStr = "ALLOWED" denyResultStr = "DENIED" ) -func (rules *ImplyingXgressRulesType) onlySystemDefaultRule() bool { - if _, ok := rules.Rules[SystemDefaultRule]; ok { - return len(rules.Rules) == 1 +func (rules *ImplyingXgressRulesType) onlyDefaultRule() bool { + if len(rules.Rules) == 1 { + if _, ok := rules.Rules[SystemDefaultRule]; ok { + return true + } + if _, ok := rules.Rules[IPDefaultRule]; ok { + return true + } } return false } 
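Review bot: `ExplAllowAll` now starts with a space (`" (Allow all)"`), but the unchanged line `PodToItselfRule = "pod to itself " + ExplAllowAll` still ends its literal with one, so as shown the rule text becomes `pod to itself  (Allow all)` with a double space. Dropping the trailing space, `PodToItselfRule = "pod to itself" + ExplAllowAll`, matches how `SystemDefaultRule` and `IPDefaultRule` are built in the same block. Any expected-output file that contains the pod-to-itself text needs the same check.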
@@ -119,39 +129,41 @@ func (rules *ImplyingXgressRulesType) String() string { if rules.Empty() { return rules.resultString() } + onlyDefaultRule := rules.onlyDefaultRule() + // print the rules according to their order formattedRules := make([]string, 0, len(rules.Rules)) for name, order := range rules.Rules { - formattedRules = append(formattedRules, fmt.Sprintf("\t\t%d) %s", order+1, name)) + if onlyDefaultRule { + formattedRules = append(formattedRules, name) + } else { + formattedRules = append(formattedRules, fmt.Sprintf("\t\t%d) %s", order+1, name)) + } } sort.Strings(formattedRules) // the rule index begins the string, like "2)" - return rules.resultString() + NewLine + strings.Join(formattedRules, NewLine) + result := rules.resultString() + if onlyDefaultRule { + result += SpaceSeparator + ExplString + } else { + result += NewLine + } + return result + strings.Join(formattedRules, NewLine) } -func (rules *ImplyingRulesType) OnlySystemDefaultRule() bool { - return rules.Ingress.onlySystemDefaultRule() && rules.Egress.onlySystemDefaultRule() +func (rules *ImplyingRulesType) OnlyDefaultRule() bool { + return rules.Ingress.onlyDefaultRule() && rules.Egress.onlyDefaultRule() } func (rules ImplyingRulesType) String() string { - if rules.OnlySystemDefaultRule() { + if rules.OnlyDefaultRule() { return SpaceSeparator + SystemDefaultRule + NewLine } res := "" if !rules.Egress.Empty() { - res += EgressDirectionTitle - if rules.Egress.onlySystemDefaultRule() { - res += SpaceSeparator + rules.Egress.resultString() + SpaceSeparator + ExplSystemDefault + NewLine - } else { - res += SpaceSeparator + rules.Egress.String() + NewLine - } + res += EgressDirectionTitle + SpaceSeparator + rules.Egress.String() + NewLine } if !rules.Ingress.Empty() { - res += IngressDirectionTitle - if rules.Ingress.onlySystemDefaultRule() { - res += SpaceSeparator + rules.Ingress.resultString() + SpaceSeparator + ExplSystemDefault + NewLine - } else { - res += SpaceSeparator + 
rules.Ingress.String() + NewLine - } + res += IngressDirectionTitle + SpaceSeparator + rules.Ingress.String() + NewLine } if res == "" { return NewLine diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go index 9146cdfb..4d77c533 100644 --- a/pkg/netpol/internal/common/connectionset.go +++ b/pkg/netpol/internal/common/connectionset.go @@ -41,8 +41,8 @@ func MakeConnectionSet(all bool) *ConnectionSet { return &ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}, CommonImplyingRules: InitImplyingRules()} } -func MakeAllConnectionSetWithRule(rule string, isIngress bool) *ConnectionSet { - return &ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}, +func MakeConnectionSetWithRule(all bool, rule string, isIngress bool) *ConnectionSet { + return &ConnectionSet{AllowAll: all, AllowedProtocols: map[v1.Protocol]*PortSet{}, CommonImplyingRules: MakeImplyingRulesWithRule(rule, isIngress)} } diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt index 26318e51..4143e293 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt @@ -2,7 +2,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: No Connections due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) 
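Review bot: `ImplyingRulesType.String()` still returns `SpaceSeparator + SystemDefaultRule + NewLine` when `OnlyDefaultRule()` holds, but after this change `OnlyDefaultRule()` is also true when a direction is covered only by `IPDefaultRule`. A connection with an IP-block peer would then be labelled "the system default (Allow all)" although one side rests on the assumed IP-block default, which hides that assumption from whoever reads the report. Returning `SpaceSeparator + SystemOrIPDefaultRule + NewLine` there, or keeping `SystemDefaultRule` only when neither direction holds `IPDefaultRule`, keeps the label accurate. `ImplyingRulesType.String()` continues past the end of the hunk.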
@@ -113,7 +113,7 @@ ALLOWED UDP:1-65535 due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress rule #1 ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -The following nodes are connected due to the system default (Allow all): +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): 0.0.0.0-255.255.255.255 => bar/my-bar[Pod] 0.0.0.0-255.255.255.255 => baz/my-baz[Pod] 0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] diff --git a/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt index f723b5a5..b89b9f0b 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt @@ -2,7 +2,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: No Connections due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) @@ -65,7 +65,7 @@ All Connections due to the following policies//rules: 2) [NP] foo/allow-monitoring//Ingress rule #1 ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -The following nodes are connected due to the system default (Allow all): +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): 0.0.0.0-255.255.255.255 => bar/my-bar[Pod] 0.0.0.0-255.255.255.255 => baz/my-baz[Pod] 0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] 
diff --git a/test_outputs/connlist/netpol_named_port_test_explain_output.txt b/test_outputs/connlist/netpol_named_port_test_explain_output.txt new file mode 100644 index 00000000..a4fdd6b6 --- /dev/null +++ b/test_outputs/connlist/netpol_named_port_test_explain_output.txt 
@@ -0,0 +1,36 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => helloworld/pod-a[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] helloworld/enable-ingress-from-named-port//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN helloworld/new-pod[Deployment] => helloworld/pod-a[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] helloworld/enable-ingress-from-named-port//Ingress rule #1 (named ports of the rule have no match in the configuration of the dst peer) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN helloworld/pod-a[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] helloworld/enable-ingress-from-named-port//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN helloworld/pod-a[Deployment] => helloworld/new-pod[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] helloworld/enable-ingress-from-named-port//Egress (no Egress rules defined) + INGRESS 
DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => helloworld/new-pod[Deployment] +helloworld/new-pod[Deployment] => 0.0.0.0-255.255.255.255 From cd17f644a636486ef4a6adc7e75cf69dd853366e Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Mon, 6 Jan 2025 15:57:41 +0200 Subject: [PATCH 06/20] More compact explainability print --- pkg/netpol/connlist/explanation_test.go | 6 +- pkg/netpol/eval/internal/k8s/netpol.go | 6 +- .../internal/common/augmented_intervalset.go | 12 + pkg/netpol/internal/common/connectionset.go | 33 + .../anp_banp_blog_demo_2_explain_output.txt | 15 +- .../connlist/ipblockstest_explain_output.txt | 2432 +++++++++++++++++ 6 files changed, 2487 insertions(+), 17 deletions(-) create mode 100644 test_outputs/connlist/ipblockstest_explain_output.txt diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index 657d21c9..171ac63f 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -48,6 +48,9 @@ var explainTests = []struct { testDirName string focusWorkload string }{ + { + testDirName: "ipblockstest", + }, { testDirName: "netpol_named_port_test", }, @@ -61,9 +64,6 @@ var explainTests = []struct { testDirName: "anp_banp_blog_demo_2", }, // { - // testDirName: "ipblockstest", - // }, - // { // testDirName: "onlineboutique", // }, // { diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 5a48dd6f..a16e5c52 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go 
@@ -159,14 +159,16 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds // (traffic not restricted by port) return common.MakeConnectionSetWithRule(true, np.ruleName(ruleIdx, isIngress), isIngress), nil } - res := common.MakeConnectionSet(false) ruleName := np.ruleName(ruleIdx, isIngress) + // all protocols are affected by the rule + res := common.MakeConnectionSetWithRule(false, ruleName, isIngress) for i := range rulePorts { protocol := v1.ProtocolTCP if rulePorts[i].Protocol != nil { protocol = *rulePorts[i].Protocol } - ports := common.MakePortSet(false) + // the whole port range is affected by the rule (not only ports mentioned in the rule) + ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) if rulePorts[i].Port == nil { ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) } else { diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index 88205025..16346ecb 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go @@ -61,6 +61,14 @@ func MakeImplyingRulesWithRule(rule string, isIngress bool) ImplyingRulesType { return res } +func (rules *ImplyingXgressRulesType) Equal(other *ImplyingXgressRulesType) bool { + return fmt.Sprint(rules) == fmt.Sprint(other) +} + +func (rules *ImplyingRulesType) Equal(other *ImplyingRulesType) bool { + return rules.Ingress.Equal(&other.Ingress) && rules.Egress.Equal(&other.Egress) +} + func (rules *ImplyingXgressRulesType) Copy() ImplyingXgressRulesType { if rules == nil { return InitImplyingXgressRules() 
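Review bot: `ImplyingXgressRulesType.Equal` compares `fmt.Sprint(rules) == fmt.Sprint(other)`, so equality depends on how the type is rendered rather than on its contents. Any later change to the `String` method (an earlier patch in this series already rewrites it) silently changes what counts as equal, and each comparison formats and sorts both rule sets. Comparing the `Rules` maps entry by entry, together with whatever state `resultString()` reads, would be stable and cheaper. Both new `Equal` methods should also get a doc comment stating what equality means for implying rules.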
@@ -314,6 +322,10 @@ func NewAugmentedIntervalWithRules(start, end int64, inSet bool, rules ImplyingR return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: rules.Copy()} } +func (augInt AugmentedInterval) Equal(other AugmentedInterval) bool { + return augInt.inSet == other.inSet && augInt.interval.Equal(other.interval) && augInt.implyingRules.Equal(&other.implyingRules) +} + // AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals. // The intervals should include both included intervals and holes; // i.e., start of every interval is the end of a previous interval incremented by 1. diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go index 4d77c533..2d25be9b 100644 --- a/pkg/netpol/internal/common/connectionset.go +++ b/pkg/netpol/internal/common/connectionset.go @@ -362,7 +362,18 @@ func (p *PortRangeData) End() int64 { return p.Interval.interval.End() } +func (p *PortRangeData) isWholeRange() bool { + return p.Start() == MinPort && p.End() == MaxPort +} + +func (p PortRangeData) Equal(other PortRangeData) bool { + return p.Interval.Equal(other.Interval) +} + func (p *PortRangeData) String() string { + if p.isWholeRange() { + return allPortsStr + } if p.End() != p.Start() { return fmt.Sprintf("%d-%d", p.Start(), p.End()) } @@ -405,6 +416,7 @@ const ( connsAndPortRangeSeparator = "," allConnsStr = "All Connections" noConnsStr = "No Connections" + allPortsStr = "[ALL PORTS]" ) func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[v1.Protocol][]PortRange) string { 
@@ -467,6 +479,10 @@ func protocolAndPortsStr(protocol v1.Protocol, ports string) string { return string(protocol) + SpaceSeparator + ports } +func isWholeRange(ports []PortRange) bool { + return len(ports) == 1 && ports[0].(*PortRangeData).isWholeRange() +} + func ExplanationFromConnProperties(allProtocolsAndPorts bool, commonImplyingRules ImplyingRulesType, protocolsAndPorts map[v1.Protocol][]PortRange) string { if len(protocolsAndPorts) == 0 { @@ -479,9 +495,26 @@ func ExplanationFromConnProperties(allProtocolsAndPorts bool, commonImplyingRule var connStr string // connStrings will contain the string of given conns protocols and ports as is connStrings := make([]string, 0, len(protocolsAndPorts)) + // for compact explanation: pick all protocols containing the whole port range + wholeCommonRange := PortRangeData{} + wholeRangeProtocols := make([]string, 0, len(protocolsAndPorts)) for protocol, ports := range protocolsAndPorts { + if isWholeRange(ports) { + if len(wholeRangeProtocols) == 0 { + wholeCommonRange = *ports[0].(*PortRangeData) + wholeRangeProtocols = append(wholeRangeProtocols, string(protocol)) + continue + } else if ports[0].(*PortRangeData).Equal(wholeCommonRange) { + wholeRangeProtocols = append(wholeRangeProtocols, string(protocol)) + continue + } + } connStrings = append(connStrings, portsStringWithExplanation(ports, string(protocol))) } + if len(wholeRangeProtocols) > 0 { + sort.Strings(wholeRangeProtocols) + connStrings = append(connStrings, wholeCommonRange.StringWithExplanation("{"+strings.Join(wholeRangeProtocols, ",")+"}")) + } sort.Strings(connStrings) connStr = strings.Join(connStrings, NewLine) return connStr diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt index 4143e293..f099a052 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt 
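Review bot: `isWholeRange` asserts `ports[0].(*PortRangeData)` without the comma-ok form, so any other `PortRange` implementation passed in makes the explanation path panic. After the `len(ports) == 1` check, `p, ok := ports[0].(*PortRangeData)` followed by `return ok && p.isWholeRange()` keeps the helper total. The same unchecked assertion is repeated twice in the grouping loop added to ExplanationFromConnProperties in the next hunk.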
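Review bot: The grouping loop added to ExplanationFromConnProperties ranges over the `protocolsAndPorts` map, and the first whole-range protocol it meets fixes `wholeCommonRange`. When whole-range protocols carry different implying rules, which of them ends up in the `{...}` group therefore depends on Go's randomised map iteration order, so the same input can print differently from run to run and the expected-output tests can become flaky. Iterating the protocols in sorted order makes the choice stable. The function starts and ends outside the hunk.

```go
protocols := make([]string, 0, len(protocolsAndPorts))
for protocol := range protocolsAndPorts {
	protocols = append(protocols, string(protocol))
}
sort.Strings(protocols)
for _, name := range protocols {
	ports := protocolsAndPorts[v1.Protocol(name)]
	// … unchanged: whole-range grouping and portsStringWithExplanation, using name in place of string(protocol) …
}
```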
@@ -25,9 +25,7 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: -ALLOWED SCTP:1-65535 the system default (Allow all) - -ALLOWED UDP:1-65535 the system default (Allow all) +ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) DENIED TCP:1-1233 due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -60,8 +58,6 @@ ALLOWED TCP:9001-65535 the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: -ALLOWED SCTP:1-65535 the system default (Allow all) - ALLOWED TCP:1-1233 the system default (Allow all) ALLOWED TCP:1234 due to the following policies//rules: @@ -71,16 +67,11 @@ ALLOWED TCP:1234 due to the following policies//rules: ALLOWED TCP:1235-65535 the system default (Allow all) -ALLOWED UDP:1-65535 the system default (Allow all) +ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: -ALLOWED SCTP:1-65535 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [NP] foo/allow-monitoring//Ingress rule #1 - ALLOWED TCP:1-1233 due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 
@@ -107,7 +98,7 @@ ALLOWED TCP:8081-65535 due to the following policies//rules: INGRESS DIRECTION (ALLOWED) 1) [NP] foo/allow-monitoring//Ingress rule #1 -ALLOWED UDP:1-65535 due to the following policies//rules: +ALLOWED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] foo/allow-monitoring//Ingress rule #1 diff --git a/test_outputs/connlist/ipblockstest_explain_output.txt b/test_outputs/connlist/ipblockstest_explain_output.txt new file mode 100644 index 00000000..36480105 --- /dev/null +++ b/test_outputs/connlist/ipblockstest_explain_output.txt 
@@ -0,0 +1,2432 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
+CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + 
INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock 
(Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the 
assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
+CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected 
by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION 
(ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + 
EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress 
rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow 
all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
172.30.0.0-172.30.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock 
(Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed 
default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION 
(ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: + +DENIED UDP:1-52 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +ALLOWED UDP:53 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED UDP:54-65535 due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not 
selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents-analyzer[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to 
the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS 
BETWEEN default/cognetive-agents[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-agents[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not 
selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 
kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not 
selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) 
[NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 
kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
+CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS 
DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 
kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the 
following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] 
kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => 
kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node-tier[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due 
to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/calico-node[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but 
not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the 
following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + 
EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS 
DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No 
Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/vpn-858f6d9777[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-9.255.255.255 => default/cognetive-agents-agent[DaemonSet] 
+0.0.0.0-9.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] +0.0.0.0-9.255.255.255 => default/cognetive-agents[DaemonSet] +0.0.0.0-9.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +0.0.0.0-9.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system/calico-node[DaemonSet] +0.0.0.0-9.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +10.0.0.0-10.255.255.255 => default/cognetive-agents-agent[DaemonSet] +10.0.0.0-10.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] +10.0.0.0-10.255.255.255 => default/cognetive-agents[DaemonSet] +10.0.0.0-10.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +10.0.0.0-10.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] 
+10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system/calico-node[DaemonSet] +10.0.0.0-10.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +10.0.0.0-10.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +10.0.0.0-10.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +11.0.0.0-172.20.255.255 => default/cognetive-agents-agent[DaemonSet] +11.0.0.0-172.20.255.255 => default/cognetive-agents-analyzer[DaemonSet] +11.0.0.0-172.20.255.255 => default/cognetive-agents[DaemonSet] +11.0.0.0-172.20.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +11.0.0.0-172.20.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system/calico-node[DaemonSet] +11.0.0.0-172.20.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +172.21.0.0-172.21.255.255 => default/cognetive-agents-agent[DaemonSet] +172.21.0.0-172.21.255.255 => default/cognetive-agents-analyzer[DaemonSet] +172.21.0.0-172.21.255.255 => 
default/cognetive-agents[DaemonSet] +172.21.0.0-172.21.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +172.21.0.0-172.21.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system/calico-node[DaemonSet] +172.21.0.0-172.21.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +172.21.0.0-172.21.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +172.21.0.0-172.21.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +172.22.0.0-172.29.255.255 => default/cognetive-agents-agent[DaemonSet] +172.22.0.0-172.29.255.255 => default/cognetive-agents-analyzer[DaemonSet] +172.22.0.0-172.29.255.255 => default/cognetive-agents[DaemonSet] +172.22.0.0-172.29.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +172.22.0.0-172.29.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +172.22.0.0-172.29.255.255 => 
kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system/calico-node[DaemonSet] +172.22.0.0-172.29.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +172.30.0.0-172.30.255.255 => default/cognetive-agents-agent[DaemonSet] +172.30.0.0-172.30.255.255 => default/cognetive-agents-analyzer[DaemonSet] +172.30.0.0-172.30.255.255 => default/cognetive-agents[DaemonSet] +172.30.0.0-172.30.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +172.30.0.0-172.30.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system/calico-node[DaemonSet] +172.30.0.0-172.30.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +172.30.0.0-172.30.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +172.30.0.0-172.30.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +172.31.0.0-255.255.255.255 => default/cognetive-agents-agent[DaemonSet] +172.31.0.0-255.255.255.255 => default/cognetive-agents-analyzer[DaemonSet] +172.31.0.0-255.255.255.255 => 
default/cognetive-agents[DaemonSet] +172.31.0.0-255.255.255.255 => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +172.31.0.0-255.255.255.255 => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system/calico-node[DaemonSet] +172.31.0.0-255.255.255.255 => kube-system/heapster-7df8cb8c66[ReplicaSet] +172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd[DaemonSet] +default/cognetive-agents-agent[DaemonSet] => 0.0.0.0-255.255.255.255 +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +default/cognetive-agents-agent[DaemonSet] => default/cognetive-agents[DaemonSet] +default/cognetive-agents-agent[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] 
+default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node[DaemonSet] +default/cognetive-agents-agent[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +default/cognetive-agents-agent[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +default/cognetive-agents-analyzer[DaemonSet] => 0.0.0.0-255.255.255.255 +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-agents[DaemonSet] +default/cognetive-agents-analyzer[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] 
=> kube-system/calico-node[DaemonSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +default/cognetive-agents-analyzer[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +default/cognetive-agents[DaemonSet] => 0.0.0.0-255.255.255.255 +default/cognetive-agents[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +default/cognetive-agents[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +default/cognetive-agents[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +default/cognetive-agents[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system/calico-node[DaemonSet] +default/cognetive-agents[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +default/cognetive-agents[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +default/cognetive-agents[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => 0.0.0.0-255.255.255.255 +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] 
+default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => default/cognetive-agents[DaemonSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/calico-node[DaemonSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => 0.0.0.0-255.255.255.255 +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-agents[DaemonSet] 
+ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/calico-node[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => 0.0.0.0-255.255.255.255 +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => default/cognetive-agents[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] 
=> default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/calico-node[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => 
default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => 
default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] 
+kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] 
+kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-agents[DaemonSet] 
+kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => 
default/cognetive-agents-analyzer[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system/calico-node[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/calico-node-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/calico-node[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/calico-node[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/calico-node[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/calico-node[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/calico-node[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/calico-node[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/calico-node[DaemonSet] => 
ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/calico-node[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/calico-node[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => 
kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/heapster-7df8cb8c66[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/calico-node[DaemonSet] 
+kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/calico-node[DaemonSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] => 
kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/calico-node[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/ibm-keepalived-watcher[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => 
default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/calico-node[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/ibm-kube-fluentd-with-tier[DaemonSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/ibm-kube-fluentd[DaemonSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-kube-fluentd[DaemonSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => 
ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/calico-node[DaemonSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-kube-fluentd[DaemonSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => 
kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] 
+kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/calico-node[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet] +kube-system/tiller-deploy-5c45c9966b[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet] +kube-system/vpn-858f6d9777[ReplicaSet] => 0.0.0.0-255.255.255.255 +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-agent[DaemonSet] +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents-analyzer[DaemonSet] +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-agents[DaemonSet] +kube-system/vpn-858f6d9777[ReplicaSet] => default/cognetive-local-analyzer-7d77fb55cc[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-10-5c9dd7c9c[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => ibm-system/ibm-cloud-provider-ip-169-60-164-14-6d448884df[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/calico-kube-controllers-7694668c77[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-amd64-d66bf76db[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kube-dns-autoscaler-78f5fdbd46[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/kubernetes-dashboard-5b5f985bcf[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system-dummy-to-ignore/public-cre08b89c167414305a1afb205d0bd346f-alb1-8489b8458f[ReplicaSet] +kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/calico-node[DaemonSet] 
+kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/heapster-7df8cb8c66[ReplicaSet]
+kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-keepalived-watcher-for-demo[DaemonSet]
+kube-system/vpn-858f6d9777[ReplicaSet] => kube-system/ibm-kube-fluentd[DaemonSet]
From 326a88e829f8ad21ad545b4e112feaac218758df Mon Sep 17 00:00:00 2001
From: Tanya Veksler
Date: Mon, 6 Jan 2025 16:02:13 +0200
Subject: [PATCH 07/20] Fixed lint error
---
 pkg/netpol/internal/common/augmented_intervalset.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go
index 16346ecb..e8c1bdf1 100644
--- a/pkg/netpol/internal/common/augmented_intervalset.go
+++ b/pkg/netpol/internal/common/augmented_intervalset.go
@@ -62,7 +62,7 @@ func MakeImplyingRulesWithRule(rule string, isIngress bool) ImplyingRulesType {
 }
 func (rules *ImplyingXgressRulesType) Equal(other *ImplyingXgressRulesType) bool {
- return fmt.Sprint(rules) == fmt.Sprint(other)
+ return rules.String() == other.String()
 }
 func (rules *ImplyingRulesType) Equal(other *ImplyingRulesType) bool {
From 929c75de031e32f257689b2fc6cd0705cf71d1dc Mon Sep 17 00:00:00 2001
From: Tanya Veksler
Date: Mon, 6 Jan 2025 17:06:46 +0200
Subject: [PATCH 08/20] More compact explanation printing.
---
 .../internal/common/augmented_intervalset.go | 4 +
 pkg/netpol/internal/common/connectionset.go | 40 ++-
 .../anp_banp_blog_demo_2_explain_output.txt | 44 +--
 .../connlist/ipblockstest_explain_output.txt | 252 ++++--------------
 4 files changed, 105 insertions(+), 235 deletions(-)
diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go
index e8c1bdf1..f313bc87 100644
--- a/pkg/netpol/internal/common/augmented_intervalset.go
+++ b/pkg/netpol/internal/common/augmented_intervalset.go
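Review bot: In `ImplyingXgressRulesType.Equal` (PATCH 07/20) the new line calls `other.String()` directly, so a nil `other` is no longer rendered as `<nil>` by `fmt.Sprint` and may instead panic inside `String()`, whose body is not part of this hunk. If a nil pointer can reach this method, guard it first with `if rules == nil || other == nil { return rules == other }`. Equality still rests on the rendered text, so a doc comment such as `// Equal reports whether both rule sets render to the same string.` would make that contract explicit for callers.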
@@ -326,6 +326,10 @@ func (augInt AugmentedInterval) Equal(other AugmentedInterval) bool {
 return augInt.inSet == other.inSet && augInt.interval.Equal(other.interval) && augInt.implyingRules.Equal(&other.implyingRules)
 }
+func (augInt AugmentedInterval) EqualInSetAndRules(other AugmentedInterval) bool {
+ return augInt.inSet == other.inSet && augInt.implyingRules.Equal(&other.implyingRules)
+}
+
 // AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals.
 // The intervals should include both included intervals and holes;
 // i.e., start of every interval is the end of a previous interval incremented by 1.
diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go
index 2d25be9b..9a8dba0c 100644
--- a/pkg/netpol/internal/common/connectionset.go
+++ b/pkg/netpol/internal/common/connectionset.go
@@ -370,6 +370,10 @@ func (p PortRangeData) Equal(other PortRangeData) bool {
 return p.Interval.Equal(other.Interval)
 }
+func (p PortRangeData) EqualInSetAndRules(other PortRangeData) bool {
+ return p.Interval.EqualInSetAndRules(other.Interval)
+}
+
 func (p *PortRangeData) String() string {
 if p.isWholeRange() {
 return allPortsStr
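Review bot: The two new exported methods, `AugmentedInterval.EqualInSetAndRules` in augmented_intervalset.go and `PortRangeData.EqualInSetAndRules` in the connectionset.go hunk at `@@ -370`, have no doc comments and no caller in the hunks of this patch visible here; the grouping in `portsStringWithExplanation` keys on the rendered rules string instead. If they are kept, say that the bounds are deliberately ignored, e.g. `// EqualInSetAndRules reports whether both intervals share inSet and implying rules, ignoring their bounds.` If nothing outside the visible hunks calls them, they can be dropped from this patch.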
@@ -380,12 +384,16 @@ func (p *PortRangeData) String() string {
 return fmt.Sprintf("%d", p.Start())
 }
-func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+func explOfInSetProtocolPortsAndRules(inSet bool, protocolString, portsString, rulesString string) string {
 resultStr := allowResultStr
- if !p.InSet() {
+ if !inSet {
 resultStr = denyResultStr
 }
- return resultStr + SpaceSeparator + protocolString + ":" + p.String() + p.Interval.implyingRules.String()
+ return resultStr + SpaceSeparator + protocolString + ":" + "[" + portsString + "]" + rulesString
+}
+
+func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+ return explOfInSetProtocolPortsAndRules(p.InSet(), protocolString, p.String(), p.Interval.implyingRules.String())
 }
 func (p *PortRangeData) InSet() bool {
@@ -416,7 +424,7 @@ const (
 connsAndPortRangeSeparator = ","
 allConnsStr = "All Connections"
 noConnsStr = "No Connections"
- allPortsStr = "[ALL PORTS]"
+ allPortsStr = "ALL PORTS"
 )
 func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[v1.Protocol][]PortRange) string {
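Review bot: The parameter `portsString` of the new `explOfInSetProtocolPortsAndRules` shadows the package-level function `portsString(ports []PortRange)`, which is the context function of the later `@@ -467` hunk in this same file. Renaming the parameters removes the shadow, for example `func explOfInSetProtocolPortsAndRules(inSet bool, protocolStr, portsStr, rulesStr string) string {`, with the return line updated to match. The helper also has no comment; `// explOfInSetProtocolPortsAndRules renders one explanation line: verdict, protocol, bracketed ports, then the implying rules.` would state that it is the one adding the `[` `]`.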
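Review bot: Removing the brackets from `allPortsStr` in the `@@ -416` hunk changes what `PortRangeData.String()` returns for the whole range, since that method returns this constant (see the context lines of the `@@ -370` hunk), and not only the explanation text. `StringWithExplanation` adds the brackets back, but any other user of `String()` or of the constant would now print `ALL PORTS` unbracketed; `ConnStrFromConnProperties` begins right below and its body is outside the hunk, so this cannot be checked from here. Only the two explain outputs are updated in this patch, so it is worth confirming the non-explain formats, and a comment on the constant such as `// allPortsStr is unbracketed; callers that print a port list add "[" and "]" themselves.` would record the convention.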
@@ -467,11 +475,31 @@ func portsString(ports []PortRange) string {
 return strings.Join(portsStr, connsAndPortRangeSeparator)
 }
+type InSetAndRulesStr struct {
+ inSet bool
+ rulesString string
+}
+
 func portsStringWithExplanation(ports []PortRange, protocolString string) string {
- portsStr := make([]string, 0, len(ports))
+ // for compact explanation: collect together ranges with the same 'inSet' and impying rules
+ portRangeClasses := map[InSetAndRulesStr]*interval.CanonicalSet{}
 for i := range ports {
- portsStr = append(portsStr, ports[i].(*PortRangeData).StringWithExplanation(protocolString))
+ portRangeData := ports[i].(*PortRangeData)
+ thisInSetAndRulesStr := InSetAndRulesStr{portRangeData.Interval.inSet, portRangeData.Interval.implyingRules.String()}
+ _, ok := portRangeClasses[thisInSetAndRulesStr]
+ if !ok {
+ portRangeClasses[thisInSetAndRulesStr] = interval.NewCanonicalSet()
+ }
+ portRangeClasses[thisInSetAndRulesStr].AddInterval(portRangeData.Interval.interval)
+ }
+ portsStr := make([]string, len(portRangeClasses))
+ ind := 0
+ for inSetAndRulesStr, intervals := range portRangeClasses {
+ portsStr[ind] = explOfInSetProtocolPortsAndRules(inSetAndRulesStr.inSet, protocolString,
+ intervals.String(), inSetAndRulesStr.rulesString)
+ ind++
 }
+ sort.Strings(portsStr)
 return strings.Join(portsStr, NewLine)
 }
diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
index f099a052..8b48f5a4 100644
--- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
+++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
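Review bot: `InSetAndRulesStr` is exported although both fields are unexported and, in this hunk, it is used only as the map key inside `portsStringWithExplanation`; an unexported name with a comment keeps it out of the package API, e.g. `// inSetAndRulesKey groups port ranges that share a verdict and the same rendered implying rules.` above `type inSetAndRulesKey struct {`. The lookup followed by a second index can be one lookup (`set, ok := portRangeClasses[key]`), and `impying` in the new comment should read `implying`. The assertion `ports[i].(*PortRangeData)` is unchecked, as it was before the change, so a `PortRange` of any other concrete type would still panic in this loop.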
@@ -25,79 +25,57 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: -ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) - -DENIED TCP:1-1233 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (DENIED) - 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) - -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -DENIED TCP:1235-8079 due to the following policies//rules: +ALLOWED TCP:[9001-65535] the system default (Allow all) + +DENIED TCP:[1-1233,1235-8079,8081-9000] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) -DENIED TCP:8080 due to the following policies//rules: +DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) -DENIED TCP:8081-9000 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (DENIED) - 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) - -ALLOWED TCP:9001-65535 the system default (Allow all) +ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: -ALLOWED TCP:1-1233 the system default (Allow all) +ALLOWED TCP:[1-1233,1235-65535] the system default (Allow all) -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -ALLOWED TCP:1235-65535 the system default (Allow all) - ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: -ALLOWED TCP:1-1233 due to the following policies//rules: +ALLOWED TCP:[1-1233,1235-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] foo/allow-monitoring//Ingress rule #1 -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -ALLOWED TCP:1235-8079 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [NP] foo/allow-monitoring//Ingress rule #1 - -ALLOWED TCP:8080 due to the following policies//rules: +ALLOWED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] pass-monitoring//Ingress rule 
pass-ingress-from-monitoring (Pass) 2) [NP] foo/allow-monitoring//Ingress rule #1 -ALLOWED TCP:8081-65535 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [NP] foo/allow-monitoring//Ingress rule #1 - ALLOWED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) diff --git a/test_outputs/connlist/ipblockstest_explain_output.txt b/test_outputs/connlist/ipblockstest_explain_output.txt index 36480105..0947c377 100644 --- a/test_outputs/connlist/ipblockstest_explain_output.txt +++ b/test_outputs/connlist/ipblockstest_explain_output.txt @@ -1,17 +1,12 @@ ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -24,17 +19,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -47,17 +37,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -70,17 +55,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -93,17 +73,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -116,17 +91,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -139,17 +109,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -218,17 +183,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -241,17 +201,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -264,17 +219,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -287,17 +237,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -310,17 +255,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -333,17 +273,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -356,17 +291,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -435,17 +365,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -458,17 +383,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -481,17 +401,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -504,17 +419,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -527,17 +437,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -550,17 +455,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -573,17 +473,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -652,17 +547,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -675,17 +565,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -698,17 +583,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -721,17 +601,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -744,17 +619,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -767,17 +637,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -790,17 +655,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 From ffe247cd711e9c2b5602538e84444848828be391 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Mon, 6 Jan 2025 17:46:04 +0200 Subject: [PATCH 09/20] Added more explainability tests. More refined explanation of protocols/ports denied by NPs --- pkg/netpol/connlist/explanation_test.go | 12 +- pkg/netpol/eval/internal/k8s/netpol.go | 16 +- .../connlist/anp_test_10_explain_output.txt | 57 + .../connlist/ipblockstest_explain_output.txt | 112 +- .../onlineboutique_explain_output.txt | 1526 +++++++++++++++++ 5 files changed, 1657 insertions(+), 66 deletions(-) create mode 100644 test_outputs/connlist/anp_test_10_explain_output.txt create mode 100644 test_outputs/connlist/onlineboutique_explain_output.txt 
diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index 171ac63f..6aa24547 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -48,15 +48,18 @@ var explainTests = []struct { testDirName string focusWorkload string }{ + { + testDirName: "onlineboutique", + }, + { + testDirName: "anp_test_10", + }, { testDirName: "ipblockstest", }, { testDirName: "netpol_named_port_test", }, - // { - // testDirName: "anp_test_10", - // }, { testDirName: "anp_banp_blog_demo", }, @@ -64,9 +67,6 @@ var explainTests = []struct { testDirName: "anp_banp_blog_demo_2", }, // { - // testDirName: "onlineboutique", - // }, - // { // testDirName: "acs-security-demos", // }, // { diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index a16e5c52..55c4912d 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go @@ -161,14 +161,14 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds } ruleName := np.ruleName(ruleIdx, isIngress) // all protocols are affected by the rule - res := common.MakeConnectionSetWithRule(false, ruleName, isIngress) + res := common.MakeConnectionSetWithRule(false, explNotReferencedProtocols(ruleName), isIngress) for i := range rulePorts { protocol := v1.ProtocolTCP if rulePorts[i].Protocol != nil { protocol = *rulePorts[i].Protocol } // the whole port range is affected by the rule (not only ports mentioned in the rule) - ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) + ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), isIngress)) if rulePorts[i].Port == nil { ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) } else { 
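Review bot: In `ruleConnections`, every `rulePorts[i]` entry now starts from an empty port set whose implying rule is `explNotReferencedPorts(ruleName)`, so when one rule lists the same protocol twice (say TCP 80 and TCP 443) the first entry labels 443 as "ports not referenced by the rule" although the second entry does reference it. Whether that label survives depends on how the per-entry sets are merged into `res`, which happens in the part of the loop outside this hunk. Unless one of the newly enabled test directories already covers it, I would add an explain test with two entries for one protocol, since a wrong reason on a DENIED line misleads the operator reading it. Separately, the annotated name is loop-invariant and can be hoisted: `notRefPorts := explNotReferencedPorts(ruleName)` before the `for`.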
@@ -212,7 +212,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds if res.IsEmpty() { // no connections found --> "named ports" of the rule had no match in the pod config // remove empty protocols if any - res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamesPortsToDst(ruleName), isIngress) + res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamedPortsToDst(ruleName), isIngress) } return res, nil } @@ -419,10 +419,18 @@ func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) s return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress) } -func explNoMatchOfNamesPortsToDst(ruleName string) string { +func explNoMatchOfNamedPortsToDst(ruleName string) string { return fmt.Sprintf("%s (named ports of the rule have no match in the configuration of the dst peer)", ruleName) } +func explNotReferencedPorts(ruleName string) string { + return fmt.Sprintf("%s (ports not referenced by the rule)", ruleName) +} + +func explNotReferencedProtocols(ruleName string) string { + return fmt.Sprintf("%s (protocols not referenced by the rule)", ruleName) +} + // GetXgressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer (for Ingress) // or from any captured pod to the dst peer (for Egress) func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*common.ConnectionSet, error) { diff --git a/test_outputs/connlist/anp_test_10_explain_output.txt b/test_outputs/connlist/anp_test_10_explain_output.txt new file mode 100644 index 00000000..1e7e6f2b --- /dev/null +++ b/test_outputs/connlist/anp_test_10_explain_output.txt 
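Review bot: `explNotReferencedPorts` and `explNotReferencedProtocols` fold the reason into the rule-name string, so downstream code receives `<rule> (ports not referenced by the rule)` as if it were the rule's name. If any caller compares, deduplicates or keys implying rules by that string (not visible in this hunk), one policy rule can now appear as up to three different rules, and structured outputs cannot emit the reason as its own field. I would keep the suffixes as named constants, e.g. `const explPortsNotReferenced = "(ports not referenced by the rule)"`, so formatters and tests can refer to them. Each helper also deserves a one-line doc comment, such as `// explNotReferencedPorts annotates ruleName for ports that the rule's port list does not mention.`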
@@ -0,0 +1,57 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]: + +ALLOWED UDP:[53] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] egress-udp//Egress rule allow-to-gryffindor-at-port-53 (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED UDP:[1-52,54-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] egress-udp//Egress rule deny-to-gryffindor-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] egress-udp//Egress rule deny-to-gryffindor-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] egress-udp//Egress rule allow-to-ravenclaw-everything (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]: + +ALLOWED UDP:[1-5352,5354-65535] the system default (Allow all) + +DENIED UDP:[5353] 
due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] egress-udp//Egress rule deny-to-slytherin-at-port-5353 (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +ALLOWED {SCTP,TCP}:[ALL PORTS] the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet] +0.0.0.0-255.255.255.255 => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] +0.0.0.0-255.255.255.255 => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] +0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] +network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet] +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] 
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet] +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] diff --git a/test_outputs/connlist/ipblockstest_explain_output.txt b/test_outputs/connlist/ipblockstest_explain_output.txt index 0947c377..36ecbe2a 100644 --- a/test_outputs/connlist/ipblockstest_explain_output.txt +++ b/test_outputs/connlist/ipblockstest_explain_output.txt @@ -9,12 +9,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: 
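Review bot: Two added lines in the new `anp_test_10_explain_output.txt`, `ALLOWED UDP:[1-5352,5354-65535] the system default (Allow all)` and `ALLOWED {SCTP,TCP}:[ALL PORTS] the system default (Allow all)`, have no connective between the port list and the reason, while every other reason in the file reads `due to ...`. Committing them as expected output pins that wording. The text formatter should presumably emit `due to the system default (Allow all)` here, after which the file can be regenerated. The formatter code is not part of this hunk.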
@@ -27,12 +27,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: 
@@ -45,12 +45,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: 
@@ -63,12 +63,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: 
@@ -81,12 +81,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: 
@@ -99,12 +99,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: 
@@ -117,12 +117,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 10.0.0.0-10.255.255.255 => kube-system/calico-node-tier[DaemonSet]: 
@@ -191,12 +191,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: 
@@ -209,12 +209,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: 
@@ -227,12 +227,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: 
@@ -245,12 +245,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: 
@@ -263,12 +263,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: 
@@ -281,12 +281,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: 
@@ -299,12 +299,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.21.0.0-172.21.255.255 => kube-system/calico-node-tier[DaemonSet]: 
@@ -373,12 +373,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: 
@@ -391,12 +391,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: 
@@ -409,12 +409,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: 
@@ -427,12 +427,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: 
@@ -445,12 +445,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: 
@@ -463,12 +463,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: 
@@ -481,12 +481,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.30.0.0-172.30.255.255 => kube-system/calico-node-tier[DaemonSet]: 
@@ -555,12 +555,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: 
@@ -573,12 +573,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: 
@@ -591,12 +591,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: 
@@ -609,12 +609,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: 
@@ -627,12 +627,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: 
@@ -645,12 +645,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: 
@@ -663,12 +663,12 @@ ALLOWED UDP:[53] due to the following policies//rules: DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 + 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/cognetive-agents-agent[DaemonSet] => kube-system/calico-node-tier[DaemonSet]: diff --git a/test_outputs/connlist/onlineboutique_explain_output.txt b/test_outputs/connlist/onlineboutique_explain_output.txt new file mode 100644 index 00000000..2887d4a3 --- /dev/null +++ b/test_outputs/connlist/onlineboutique_explain_output.txt 
@@ -0,0 +1,1526 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] 
default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow 
all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due 
to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS 
BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS 
DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured but 
not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +ALLOWED TCP:[7070] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/cartservice-netpol//Ingress rule #1 + +DENIED TCP:[1-7069,7071-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +ALLOWED TCP:[7000] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/currencyservice-netpol//Ingress rule #1 + +DENIED TCP:[1-6999,7001-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #2 (ports not referenced by the rule) + 
INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #3 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/emailservice-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured 
but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +ALLOWED TCP:[50051] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #4 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/paymentservice-netpol//Ingress rule #1 + +DENIED TCP:[1-50050,50052-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +ALLOWED TCP:[3550] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #5 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #1 + +DENIED TCP:[1-3549,3551-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
default/checkoutservice-69c8ff664b[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +ALLOWED TCP:[50051] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Egress rule #6 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/shippingservice-netpol//Ingress rule #1 + +DENIED TCP:[1-50050,50052-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #6 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Egress rule #6 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the 
following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +ALLOWED TCP:[9555] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #1 + INGRESS DIRECTION 
(ALLOWED) + 1) [NP] default/adservice-netpol//Ingress rule #1 + +DENIED TCP:[1-9554,9556-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +ALLOWED TCP:[7070] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/cartservice-netpol//Ingress rule #2 + +DENIED TCP:[1-7069,7071-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
default/frontend-99684f7f8[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +ALLOWED TCP:[5050] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #3 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/checkoutservice-netpol//Ingress rule #1 + +DENIED TCP:[1-5049,5051-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +ALLOWED TCP:[7000] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #4 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/currencyservice-netpol//Ingress rule #2 + +DENIED TCP:[1-6999,7001-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] 
default/currencyservice-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
default/frontend-99684f7f8[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +ALLOWED TCP:[3550] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #5 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #2 + +DENIED TCP:[1-3549,3551-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #6 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/recommendationservice-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #6 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #6 (protocols not referenced by the rule) + INGRESS DIRECTION 
(DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +ALLOWED TCP:[50051] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Egress rule #7 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/shippingservice-netpol//Ingress rule #2 + +DENIED TCP:[1-50050,50052-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #7 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Egress rule #7 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => 
0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected 
by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/loadgenerator-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/frontend-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED 
{SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] 
default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/loadgenerator-555fbdc87d[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to 
the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + 
EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + 
EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => 
default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
default/recommendationservice-5f8c456796[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress 
(captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +ALLOWED TCP:[3550] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] default/recommendationservice-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #3 + +DENIED TCP:[1-3549,3551-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #3 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress rule #3 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) 
due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => 
default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/shippingservice-5bd985c46d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/adservice-77d5cd745d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/cartservice-74f56fd4b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no 
Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/checkoutservice-69c8ff664b[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/currencyservice-77654bbbdd[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/emailservice-54c7c5d9d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/frontend-99684f7f8[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/loadgenerator-555fbdc87d[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/recommendationservice-5f8c456796[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/redis-cart-78746d49dc[ReplicaSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => default/redis-cart-78746d49dc[ReplicaSet] +default/redis-cart-78746d49dc[ReplicaSet] => 0.0.0.0-255.255.255.255 From 520ef120923bbfd5fd186dc14b01993a572a7d71 Mon Sep 17 00:00:00 2001 
From: Tanya Veksler Date: Tue, 7 Jan 2025 11:27:15 +0200 Subject: [PATCH 10/20] Added more explainability tests. Sorting the order of NPs in explainability output --- pkg/netpol/connlist/explanation_test.go | 10 +- pkg/netpol/eval/check.go | 6 + pkg/netpol/eval/internal/k8s/netpol.go | 10 +- .../acs-security-demos_explain_output.txt | 2597 +++++++++++++++++ 4 files changed, 2611 insertions(+), 12 deletions(-) create mode 100644 test_outputs/connlist/acs-security-demos_explain_output.txt diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index 6aa24547..d065f638 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -48,6 +48,9 @@ var explainTests = []struct { testDirName string focusWorkload string }{ + { + testDirName: "acs-security-demos", + }, { testDirName: "onlineboutique", }, @@ -66,11 +69,4 @@ var explainTests = []struct { { testDirName: "anp_banp_blog_demo_2", }, - // { - // testDirName: "acs-security-demos", - // }, - // { - // testDirName: "acs-security-demos", - // focusWorkload: "ingress-controller", - // }, } diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index a98654f8..c7fe392f 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go @@ -9,6 +9,7 @@ package eval import ( "errors" "net" + "sort" "strings" netv1 "k8s.io/api/networking/v1" @@ -103,6 +104,11 @@ func (pe *PolicyEngine) getPoliciesSelectingPod(peer k8s.Peer, direction netv1.P if pe.exposureAnalysisFlag && len(res) > 0 { p.UpdatePodXgressProtectedFlag(direction == netv1.PolicyTypeIngress) } + if pe.explain && len(res) > 0 { + sort.Slice(res, func(i, j int) bool { + return res[i].FullName() < res[j].FullName() + }) + } return res, nil } diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 55c4912d..1e77d7fa 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go 
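Review bot: In the second check.go hunk the new sort in `getPoliciesSelectingPod` is gated on `pe.explain`, so every other caller still receives `res` in whatever order it was built. The function's body starts outside the hunk, so that order is not visible here; if it comes from map iteration, any order-dependent output outside explain mode stays non-reproducible, which makes policy reports harder to diff between runs. Sorting unconditionally would be cheap, and the `len(res) > 0` guard can go either way because `sort.Slice` on an empty slice does nothing. I would also add a why-comment above the block, e.g. `// sort by full name so the explanation output lists policies in a stable order`.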
@@ -416,7 +416,7 @@ func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) s if isIngress { xgress = "Ingress" } - return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress) + return fmt.Sprintf("%s//%s "+expl, np.FullName(), xgress, xgress) } func explNoMatchOfNamedPortsToDst(ruleName string) string { @@ -474,11 +474,11 @@ func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (* } func (np *NetworkPolicy) netpolWarning(description string) string { - return fmt.Sprintf("network policy %q: %s", np.fullName(), description) + return fmt.Sprintf("network policy %q: %s", np.FullName(), description) } func (np *NetworkPolicy) netpolErr(title, description string) error { - return fmt.Errorf("network policy %s %s: %s", np.fullName(), title, description) + return fmt.Errorf("network policy %s %s: %s", np.FullName(), title, description) } func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*netset.IPBlock, error) { @@ -579,7 +579,7 @@ func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, erro return selector.Matches(labels.Set(p.Labels)), nil } -func (np *NetworkPolicy) fullName() string { +func (np *NetworkPolicy) FullName() string { return "[NP] " + types.NamespacedName{Name: np.Name, Namespace: np.Namespace}.String() } @@ -588,7 +588,7 @@ func (np *NetworkPolicy) ruleName(ruleIdx int, isIngress bool) string { if isIngress { xgress = ingressName } - return fmt.Sprintf("%s//%s rule #%d", np.fullName(), xgress, ruleIdx+1) + return fmt.Sprintf("%s//%s rule #%d", np.FullName(), xgress, ruleIdx+1) } func (np *NetworkPolicy) LogWarnings(l logger.Logger) { diff --git a/test_outputs/connlist/acs-security-demos_explain_output.txt b/test_outputs/connlist/acs-security-demos_explain_output.txt new file mode 100644 index 00000000..1e9c26ea --- /dev/null +++ b/test_outputs/connlist/acs-security-demos_explain_output.txt 
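Review bot: The hunk at -579 exports `FullName` without a doc comment, which Go convention expects on every exported method. The returned string now serves as the sort key in check.go as well as a label in warnings and rule names, so the comment should state that the `[NP] ` prefix is part of it, e.g. `// FullName returns the policy's display name: "[NP] " followed by namespace/name.` The other netpol.go hunks are plain call-site renames and need nothing further.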
@@ -0,0 +1,2597 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => 
backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => frontend/asset-cache[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] 
frontend/asset-cache-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => frontend/webapp[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) 
+ 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION 
(DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] 
backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following 
policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress (captured but not selected by any Egress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/catalog[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/notification[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS 
DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/notification-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/recommendation[Deployment]: + +ALLOWED TCP:[8080] due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/reports[Deployment]: + +DENIED 
UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/shipping[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no 
Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) 
[NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols 
not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => payments/gateway[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #3 + INGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #3 (protocols not 
referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => payments/mastercard-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/checkout[Deployment] => payments/visa-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: 
+ EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Egress rule #4 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) 
[NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => 
backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] 
backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 
(protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/notification[Deployment] => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) 
+ 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/catalog[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/catalog-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] 
backend/catalog-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/checkout[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress 
rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/notification[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/reports[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/shipping[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress 
rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] 
backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due 
to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/gateway[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 
1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/mastercard-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + 
+DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/visa-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Egress rule #2 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED 
{SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => backend/catalog[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/catalog-netpol//Ingress rule #2 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS 
DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #2 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #2 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => backend/checkout[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no 
Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => backend/notification[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] 
backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => backend/recommendation[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Ingress rule #2 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #2 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => backend/shipping[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 
(protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + 
EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => payments/gateway[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => payments/mastercard-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/reports[Deployment] => payments/visa-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => 
backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not 
referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules 
defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 
frontend/asset-cache[Deployment] => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + 
EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] 
payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/catalog[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the 
rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/checkout[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/checkout-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) 
[NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/notification[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected 
by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/recommendation[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/recommendation-netpol//Ingress rule #3 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #3 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following 
policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/reports[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #3 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/reports-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #3 (protocols not referenced by the 
rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/shipping[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #4 + INGRESS DIRECTION (ALLOWED) + 1) [NP] backend/shipping-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #4 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED 
UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #4 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: 
+ EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/gateway[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] 
payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/mastercard-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not 
selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/visa-processor[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Egress rule #5 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no 
Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress (captured but not selected by any Egress rule) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/catalog[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] 
payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/checkout[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/notification[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/recommendation[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress 
rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/reports[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] 
payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/shipping[Deployment]: + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) 
[NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following 
policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] 
payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => payments/mastercard-processor[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #1 + INGRESS DIRECTION (ALLOWED) + 1) [NP] payments/mastercard-processor-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #1 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS 
DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #1 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/gateway[Deployment] => payments/visa-processor[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #2 + INGRESS DIRECTION (ALLOWED) + 1) [NP] payments/visa-processor-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #2 (ports not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress rule #1 
(ports not referenced by the rule) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [NP] payments/gateway-netpol//Egress rule #3 + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/gateway-netpol//Egress rule #2 (protocols not referenced by the rule) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] 
backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => 
frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured 
but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => payments/visa-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/catalog[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] 
backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/checkout[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/notification[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/recommendation[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress 
rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/reports[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/shipping[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => frontend/asset-cache[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION 
(DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => frontend/webapp[Deployment]: + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS 
DIRECTION (ALLOWED) + 1) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => payments/gateway[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN payments/visa-processor[Deployment] => payments/mastercard-processor[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + INGRESS DIRECTION (DENIED) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) + 
+---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN {ingress-controller} => frontend/asset-cache[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [Route] frontend/asset-cache//service asset-cache-service + 2) [NP] frontend/asset-cache-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN {ingress-controller} => frontend/webapp[Deployment]: + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [Route] frontend/webapp//service webapp-service + 2) [NP] frontend/webapp-netpol//Ingress rule #1 + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system 
default (Allow all)
+ INGRESS DIRECTION (DENIED)
+ 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined)
+ 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule)
+
From 409629a3320b79a9f4632828245c5d1f2255223e Mon Sep 17 00:00:00 2001
From: Tanya Veksler
Date: Tue, 7 Jan 2025 13:56:55 +0200
Subject: [PATCH 11/20] Added a comment
---
 pkg/netpol/eval/check.go | 1 +
 1 file changed, 1 insertion(+)
diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
index c7fe392f..21afe84f 100644
--- a/pkg/netpol/eval/check.go
+++ b/pkg/netpol/eval/check.go
@@ -301,6 +301,7 @@ func (pe *PolicyEngine) allAllowedXgressConnections(src, dst k8s.Peer, isIngress
 }
 // optimization: if all the conns between src and dst were determined by the ANPs : return the allowed conns
 if anpCaptured && anpConns.DeterminesAllConns() {
+ // since NPs/BANPs are not relevant here, perform the subtract below
 anpConns.AllowedConns.Subtract(anpConns.DeniedConns) // update explainabiliy data
 return anpConns.AllowedConns, nil
 }
From 48ceb56d55d9054e624f883ca7f1b7f91c0d2c45 Mon Sep 17 00:00:00 2001
From: Tanya Veksler
Date: Tue, 7 Jan 2025 15:08:00 +0200
Subject: [PATCH 12/20] Sorting together explanations for specific ports and for all ports in a protocol
---
 pkg/netpol/internal/common/connectionset.go | 6 +++---
 .../connlist/anp_banp_blog_demo_2_explain_output.txt | 4 ++--
 test_outputs/connlist/anp_test_10_explain_output.txt | 4 ++--
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go
index 9a8dba0c..2dcf68ef 100644
--- a/pkg/netpol/internal/common/connectionset.go
+++ b/pkg/netpol/internal/common/connectionset.go
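Review bot: The comment added above `anpConns.AllowedConns.Subtract(anpConns.DeniedConns)` in the check.go hunk says that the subtraction is performed but not why this early-return path needs it, and the trailing `// update explainabiliy data` on the same statement has a typo. This branch returns the allowed set without consulting NPs/BANPs, so someone auditing an allow/deny verdict needs to know whether the Subtract can change the returned connections or only the rule explanations attached to them; the hunk does not show which. I would fold both comments into one, for example `// ANPs determined all conns, so NPs/BANPs are skipped; subtract the denied conns here so AllowedConns also carries the deny-rule explanations`, adjusted to whatever Subtract really does. The body of allAllowedXgressConnections starts and ends outside the hunk.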
@@ -480,7 +480,7 @@ type InSetAndRulesStr struct { rulesString string } -func portsStringWithExplanation(ports []PortRange, protocolString string) string { +func portsStringWithExplanation(ports []PortRange, protocolString string) []string { // for compact explanation: collect together ranges with the same 'inSet' and impying rules portRangeClasses := map[InSetAndRulesStr]*interval.CanonicalSet{} for i := range ports { @@ -500,7 +500,7 @@ func portsStringWithExplanation(ports []PortRange, protocolString string) string ind++ } sort.Strings(portsStr) - return strings.Join(portsStr, NewLine) + return portsStr } func protocolAndPortsStr(protocol v1.Protocol, ports string) string { @@ -537,7 +537,7 @@ func ExplanationFromConnProperties(allProtocolsAndPorts bool, commonImplyingRule continue } } - connStrings = append(connStrings, portsStringWithExplanation(ports, string(protocol))) + connStrings = append(connStrings, portsStringWithExplanation(ports, string(protocol))...) } if len(wholeRangeProtocols) > 0 { sort.Strings(wholeRangeProtocols) diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt index 8b48f5a4..df3a5b0c 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt @@ -32,6 +32,8 @@ ALLOWED TCP:[1234] due to the following policies//rules: ALLOWED TCP:[9001-65535] the system default (Allow all) +ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) + DENIED TCP:[1-1233,1235-8079,8081-9000] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 
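Review bot: portsStringWithExplanation now returns `[]string` (hunk at -480, with the matching changes at -500 and -537), but it has no doc comment saying what each element is or that the slice comes back sorted, and the name still reads as if it returned one string. A one-line contract would do, e.g. `// portsStringWithExplanation returns one explanation line per group of port ranges that share the same inSet and implying rules, sorted lexicographically.` If ExplanationFromConnProperties sorts the combined `connStrings` after the append at -537, which the updated expected outputs suggest but the hunk does not show, the `sort.Strings(portsStr)` kept at -500 is redundant. The resulting order is plain string order rather than numeric by port, which is worth stating for readers of the explain output. The context comment at -480 also has a typo, `impying`, and the function bodies start and end outside the hunks.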
@@ -43,8 +45,6 @@ DENIED TCP:[8080] due to the following policies//rules: 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) -ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) - ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: diff --git a/test_outputs/connlist/anp_test_10_explain_output.txt b/test_outputs/connlist/anp_test_10_explain_output.txt index 1e7e6f2b..663587a2 100644 --- a/test_outputs/connlist/anp_test_10_explain_output.txt +++ b/test_outputs/connlist/anp_test_10_explain_output.txt @@ -29,13 +29,13 @@ CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[Statefu ALLOWED UDP:[1-5352,5354-65535] the system default (Allow all) +ALLOWED {SCTP,TCP}:[ALL PORTS] the system default (Allow all) + DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [ANP] egress-udp//Egress rule deny-to-slytherin-at-port-5353 (Deny) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) -ALLOWED {SCTP,TCP}:[ALL PORTS] the system default (Allow all) - ---------------------------------------------------------------------------------------------------------------------------------------------------------------- The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): 0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet] From 4686e3ea45de08301626cfef2587c7811df29759 Mon Sep 17 00:00:00 2001 
From: Tanya Veksler Date: Tue, 7 Jan 2025 15:27:51 +0200 Subject: [PATCH 13/20] Added more tests --- pkg/netpol/connlist/explanation_test.go | 9 ++++ ...networks_and_nodes_test_explain_output.txt | 54 +++++++++++++++++++ ...with_named_port_matched_explain_output.txt | 35 ++++++++++++ ...th_named_port_unmatched_explain_output.txt | 24 +++++++++ 4 files changed, 122 insertions(+) create mode 100644 test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt create mode 100644 test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt create mode 100644 test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index d065f638..a890794f 100644 --- a/pkg/netpol/connlist/explanation_test.go +++ b/pkg/netpol/connlist/explanation_test.go @@ -69,4 +69,13 @@ var explainTests = []struct { { testDirName: "anp_banp_blog_demo_2", }, + { + testDirName: "anp_and_banp_using_networks_and_nodes_test", + }, + { + testDirName: "anp_banp_test_with_named_port_matched", + }, + { + testDirName: "anp_banp_test_with_named_port_unmatched", + }, } diff --git a/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt b/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt new file mode 100644 index 00000000..127ae912 --- /dev/null +++ b/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt 
@@ -0,0 +1,54 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ns1/pod1[Deployment] => 104.154.164.160-104.154.164.160: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] egress-peer-1//Egress rule deny-egress (Deny) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ns1/pod1[Deployment] => 104.154.164.170-104.154.164.170: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] egress-peer-1//Egress rule allow-egress (Allow) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ns1/pod1[Deployment] => ns2/pod1[Deployment]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] egress-peer-1//Egress rule deny-egress (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ns1/pod1[Deployment] => ns3/pod1[Deployment]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] egress-peer-1//Egress rule allow-egress (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The 
following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => ns1/pod1[Deployment] +0.0.0.0-255.255.255.255 => ns2/pod1[Deployment] +0.0.0.0-255.255.255.255 => ns3/pod1[Deployment] +ns1/pod1[Deployment] => 0.0.0.0-104.154.164.159 +ns1/pod1[Deployment] => 104.154.164.161-104.154.164.169 +ns1/pod1[Deployment] => 104.154.164.171-255.255.255.255 +ns2/pod1[Deployment] => 0.0.0.0-104.154.164.159 +ns2/pod1[Deployment] => 104.154.164.160-104.154.164.160 +ns2/pod1[Deployment] => 104.154.164.161-104.154.164.169 +ns2/pod1[Deployment] => 104.154.164.170-104.154.164.170 +ns2/pod1[Deployment] => 104.154.164.171-255.255.255.255 +ns2/pod1[Deployment] => ns1/pod1[Deployment] +ns2/pod1[Deployment] => ns3/pod1[Deployment] +ns3/pod1[Deployment] => 0.0.0.0-104.154.164.159 +ns3/pod1[Deployment] => 104.154.164.160-104.154.164.160 +ns3/pod1[Deployment] => 104.154.164.161-104.154.164.169 +ns3/pod1[Deployment] => 104.154.164.170-104.154.164.170 +ns3/pod1[Deployment] => 104.154.164.171-255.255.255.255 +ns3/pod1[Deployment] => ns1/pod1[Deployment] +ns3/pod1[Deployment] => ns2/pod1[Deployment] diff --git a/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt b/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt new file mode 100644 index 00000000..376e591a --- /dev/null +++ b/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt 
@@ -0,0 +1,35 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] pass-example//Egress rule pass-all-egress-to-slytherin (Pass) + 2) [BANP] default//Egress rule deny-all-egress-to-slytherin (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]: + +ALLOWED TCP:[80] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] pass-example//Ingress rule allow-ingress-from-slytherin-on-named-port (Allow) + +DENIED TCP:[1-79,81-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass) + 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass) + 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following 
nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet] +0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 diff --git a/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt b/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt new file mode 100644 index 00000000..cbb02942 --- /dev/null +++ b/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt 
@@ -0,0 +1,24 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] pass-example//Egress rule pass-all-egress-to-slytherin (Pass) + 2) [BANP] default//Egress rule deny-all-egress-to-slytherin (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass) + 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet] +0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] +network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255 +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 From 710077a3a13c9a6870458d31b4fbdf8dba929d24 Mon Sep 17 00:00:00 2001 
From: Tanya Veksler Date: Mon, 13 Jan 2025 18:07:19 +0200 Subject: [PATCH 14/20] Added more delicate collect/override implying rules mechanism (considering also rules layer) Added new explaination test. --- pkg/netpol/connlist/connlist.go | 2 +- pkg/netpol/connlist/explanation_test.go | 3 + .../ingressanalyzer/ingress_analyzer.go | 2 +- pkg/netpol/eval/check.go | 8 +- pkg/netpol/eval/internal/k8s/adminnetpol.go | 19 +- pkg/netpol/eval/internal/k8s/netpol.go | 18 +- pkg/netpol/eval/internal/k8s/pod.go | 2 +- .../eval/internal/k8s/policy_connections.go | 9 +- .../internal/common/augmented_intervalset.go | 185 +++++++------- pkg/netpol/internal/common/connectionset.go | 12 +- pkg/netpol/internal/common/portset.go | 8 +- .../connlist/anp_demo_explain_output.txt | 225 ++++++++++++++++++ 12 files changed, 366 insertions(+), 127 deletions(-) create mode 100644 test_outputs/connlist/anp_demo_explain_output.txt diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index 2c601b96..14f0219b 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go @@ -365,7 +365,7 @@ func GetConnectionSetFromP2PConnection(c Peer2PeerConnection) *common.Connection for _, p := range portRangeArr { augmentedRange := p.(*common.PortRangeData) // we cannot fill explainability data here, so we pass an empty rule name and an arbitrary direction (isIngress being true) - protocolsToPortSetMap[protocol].AddPortRange(augmentedRange.Start(), augmentedRange.End(), augmentedRange.InSet(), "", true) + protocolsToPortSetMap[protocol].AddPortRange(augmentedRange.Start(), augmentedRange.End(), augmentedRange.InSet(), "", common.DefaultLayer, true) } } connectionSet := &common.ConnectionSet{AllowAll: c.AllProtocolsAndPorts(), AllowedProtocols: protocolsToPortSetMap} diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go index a890794f..9565e751 100644 --- a/pkg/netpol/connlist/explanation_test.go 
+++ b/pkg/netpol/connlist/explanation_test.go @@ -48,6 +48,9 @@ var explainTests = []struct { testDirName string focusWorkload string }{ + { + testDirName: "anp_demo", + }, { testDirName: "acs-security-demos", }, diff --git a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go index c6c488b2..e2557181 100644 --- a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go +++ b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go @@ -376,7 +376,7 @@ func (ia *IngressAnalyzer) getIngressPeerConnection(peer eval.Peer, actualServic if peerTCPConn.Contains(strconv.Itoa(portNum), string(corev1.ProtocolTCP)) { permittedPort := common.MakePortSet(false) - permittedPort.AddPort(intstr.FromInt(portNum), common.MakeImplyingRulesWithRule(ruleName, true)) + permittedPort.AddPort(intstr.FromInt(portNum), common.MakeImplyingRulesWithRule(ruleName, common.NPLayer, true)) res.AddConnection(corev1.ProtocolTCP, permittedPort) } } diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index 21afe84f..2b2feabd 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go @@ -253,8 +253,8 @@ func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) // cases where any connection is always allowed if isPodToItself(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(dstK8sPeer, srcK8sPeer) { res = common.MakeConnectionSet(true) - res.AddCommonImplyingRule(common.PodToItselfRule, true) - res.AddCommonImplyingRule(common.PodToItselfRule, false) + res.AddCommonImplyingRule(common.PodToItselfRule, common.DefaultLayer, true) + res.AddCommonImplyingRule(common.PodToItselfRule, common.DefaultLayer, false) return res, nil } // egress: get egress allowed connections between the src and dst by 
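Review bot: The port added in `getIngressPeerConnection` is tagged `common.NPLayer`, although this code path looks like it describes a connection derived from an Ingress/Route resource rather than from a NetworkPolicy rule (the origin of `ruleName` is not visible in this hunk, so this is inferred). Since `DominantLayer` now decides which implying rules survive a non-collecting `Union`, a mislabelled layer can make the explanation keep or drop the wrong rule. If ranking these connections like NetworkPolicy rules is intended, a comment such as `// ingress-controller conns are ranked like NetworkPolicy rules when implying rules are merged` would record that. The function body starts and ends outside the hunk.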
@@ -552,9 +552,9 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool) // if banp rule captured xgress conn, only DeniedConns should be impacted by banp rule, // whenever AllowedConns should anyway be system-default: allow-all (or assumed allow-all for IP-blocks) if (isIngress && dst.PeerType() == k8s.IPBlockType) || (!isIngress && src.PeerType() == k8s.IPBlockType) { - res.AllowedConns = common.MakeConnectionSetWithRule(true, common.IPDefaultRule, isIngress) + res.AllowedConns = common.MakeConnectionSetWithRule(true, common.IPDefaultRule, common.DefaultLayer, isIngress) } else { - res.AllowedConns = common.MakeConnectionSetWithRule(true, common.SystemDefaultRule, isIngress) + res.AllowedConns = common.MakeConnectionSetWithRule(true, common.SystemDefaultRule, common.DefaultLayer, isIngress) } return res, nil } diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go index b4623f2b..f8526c85 100644 --- a/pkg/netpol/eval/internal/k8s/adminnetpol.go +++ b/pkg/netpol/eval/internal/k8s/adminnetpol.go @@ -386,7 +386,7 @@ func updateConnsIfIngressRuleSelectsPeer(rulePeers []apisv1a.AdminNetworkPolicyI func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName string, policyConns *PolicyConnections, dst Peer, action string, isBANPrule, isIngress bool) error { // get rule connections from rulePorts - ruleConns, err := ruleConnections(rulePorts, ruleName, dst, isIngress) + ruleConns, err := ruleConnections(rulePorts, ruleName, isBANPrule, dst, isIngress) if err != nil { return err } 
@@ -396,9 +396,16 @@ func updatePolicyConns(rulePorts *[]apisv1a.AdminNetworkPolicyPort, ruleName str } // ruleConnections returns the connectionSet from the current rule.Ports -func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, dst Peer, isIngress bool) (*common.ConnectionSet, error) { +func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, + isBANPrule bool, dst Peer, isIngress bool) (*common.ConnectionSet, error) { + var layer common.LayerType + if isBANPrule { + layer = common.BANPLayer + } else { + layer = common.ANPLayer + } if ports == nil { // If Ports is not set then the rule does not filter traffic via port. - return common.MakeConnectionSetWithRule(true, ruleName, isIngress), nil + return common.MakeConnectionSetWithRule(true, ruleName, layer, isIngress), nil } res := common.MakeConnectionSet(false) for _, anpPort := range *ports { @@ -412,7 +419,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, d if anpPort.PortNumber.Protocol != "" { protocol = anpPort.PortNumber.Protocol } - portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port), common.MakeImplyingRulesWithRule(ruleName, isIngress)) + portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port), common.MakeImplyingRulesWithRule(ruleName, layer, isIngress)) case anpPort.NamedPort != nil: if dst.PeerType() == IPBlockType { // IPblock does not have named-ports defined, warn and continue @@ -427,7 +434,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, d if podProtocol != "" { protocol = v1.Protocol(podProtocol) } - portSet.AddPort(intstr.FromInt32(podPort), common.MakeImplyingRulesWithRule(ruleName, isIngress)) + portSet.AddPort(intstr.FromInt32(podPort), common.MakeImplyingRulesWithRule(ruleName, layer, isIngress)) case anpPort.PortRange != nil: if anpPort.PortRange.Protocol != "" { protocol = anpPort.PortRange.Protocol 
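Review bot: `ruleConnections` now takes two positional bools (`isBANPrule`, `isIngress`) separated only by `dst`, so a swapped argument at a call site still compiles and attaches the wrong layer or direction to every implying rule of the policy. Consider resolving the layer once in `updatePolicyConns` and passing a `common.LayerType` instead of `isBANPrule`. Inside the function the if/else can be reduced to `var layer common.LayerType = common.ANPLayer` followed by `if isBANPrule { layer = common.BANPLayer }`. The rest of the function body lies outside this hunk.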
@@ -436,7 +443,7 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, ruleName string, d // illegal: rule with empty range; (start/ end not in the legal range or end < start) return nil, errors.New(alerts.IllegalPortRangeError(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End))) } - portSet.AddPortRange(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End), true, ruleName, isIngress) + portSet.AddPortRange(int64(anpPort.PortRange.Start), int64(anpPort.PortRange.End), true, ruleName, layer, isIngress) } res.AddConnection(protocol, portSet) } diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 1e77d7fa..14888deb 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go 
@@ -157,20 +157,20 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds if len(rulePorts) == 0 { // If this field is empty or missing, this rule matches all ports // (traffic not restricted by port) - return common.MakeConnectionSetWithRule(true, np.ruleName(ruleIdx, isIngress), isIngress), nil + return common.MakeConnectionSetWithRule(true, np.ruleName(ruleIdx, isIngress), common.NPLayer, isIngress), nil } ruleName := np.ruleName(ruleIdx, isIngress) // all protocols are affected by the rule - res := common.MakeConnectionSetWithRule(false, explNotReferencedProtocols(ruleName), isIngress) + res := common.MakeConnectionSetWithRule(false, explNotReferencedProtocols(ruleName), common.NPLayer, isIngress) for i := range rulePorts { protocol := v1.ProtocolTCP if rulePorts[i].Protocol != nil { protocol = *rulePorts[i].Protocol } // the whole port range is affected by the rule (not only ports mentioned in the rule) - ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), isIngress)) + ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), common.NPLayer, isIngress)) if rulePorts[i].Port == nil { - ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress)) + ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, common.NPLayer, isIngress)) } else { startPort, endPort, portName, err := np.getPortsRange(rulePorts[i], dst) if err != nil { 
@@ -194,7 +194,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds // 4- in order to get a connection from any pod to an ip dst (will not get here, as named ports are not defined for ip-blocks) if dst == nil || isPeerRepresentative(dst) { // (1 & 2) // adding portName string to the portSet - ports.AddPort(intstr.FromString(portName), common.MakeImplyingRulesWithRule(ruleName, isIngress)) + ports.AddPort(intstr.FromString(portName), common.MakeImplyingRulesWithRule(ruleName, common.NPLayer, isIngress)) } else { // dst is a real pod (3) // add a warning that the "named port" of the rule is ignored, since it has no match in the pod config. np.saveNetpolWarning(np.netpolWarning(alerts.WarnUnmatchedNamedPort(portName, dst.String()))) @@ -204,7 +204,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds } } else { // if !isEmptyPortRange(startPort, endPort) (the other valid result) - ports.AddPortRange(startPort, endPort, true, ruleName, isIngress) + ports.AddPortRange(startPort, endPort, true, ruleName, common.NPLayer, isIngress) } } res.AddConnection(protocol, ports) @@ -212,7 +212,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds if res.IsEmpty() { // no connections found --> "named ports" of the rule had no match in the pod config // remove empty protocols if any - res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamedPortsToDst(ruleName), isIngress) + res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamedPortsToDst(ruleName), common.NPLayer, isIngress) } return res, nil } 
@@ -436,7 +436,7 @@ func explNotReferencedProtocols(ruleName string) string { func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*common.ConnectionSet, error) { res := common.MakeConnectionSet(false) if (isIngress && len(np.Spec.Ingress) == 0) || (!isIngress && len(np.Spec.Egress) == 0) { - res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, NoXgressRulesExpl), isIngress) + res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, NoXgressRulesExpl), common.NPLayer, isIngress) return res, nil } peerSelectedByAnyRule := false @@ -468,7 +468,7 @@ func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (* } } if !peerSelectedByAnyRule { - res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, CapturedButNotSelectedExpl), isIngress) + res.AddCommonImplyingRule(np.nameWithDirectionAndExpl(isIngress, CapturedButNotSelectedExpl), common.NPLayer, isIngress) } return res, nil } diff --git a/pkg/netpol/eval/internal/k8s/pod.go b/pkg/netpol/eval/internal/k8s/pod.go index f02ea3ac..344ffee2 100644 --- a/pkg/netpol/eval/internal/k8s/pod.go +++ b/pkg/netpol/eval/internal/k8s/pod.go @@ -270,7 +270,7 @@ func (pod *Pod) PodExposedTCPConnections() *common.ConnectionSet { protocol := corev1.ProtocolTCP if cPort.Protocol == "" || protocol == corev1.ProtocolTCP { ports := common.MakePortSet(false) - ports.AddPortRange(int64(cPort.ContainerPort), int64(cPort.ContainerPort), true, "", true) + ports.AddPortRange(int64(cPort.ContainerPort), int64(cPort.ContainerPort), true, "", common.DefaultLayer, true) res.AddConnection(protocol, ports) } } diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go index edf449c0..1d7f7647 100644 --- a/pkg/netpol/eval/internal/k8s/policy_connections.go +++ b/pkg/netpol/eval/internal/k8s/policy_connections.go 
@@ -90,9 +90,12 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti // ComplementPassConns complements pass connections to all connections (by adding the absent conections) func (pc *PolicyConnections) ComplementPassConns() { - defaultPassConn := NewPolicyConnections() - defaultPassConn.PassConns = common.MakeConnectionSet(true) - pc.CollectANPConns(defaultPassConn) + defaultPassConn := common.MakeConnectionSet(true) + defaultPassConn.Subtract(pc.AllowedConns) + defaultPassConn.Subtract(pc.DeniedConns) + // 'GetEquivalentCanonicalConnectionSet' below removes implying rules + // (we don't collect implying rules for default pass connections) + pc.PassConns.Union(defaultPassConn.GetEquivalentCanonicalConnectionSet(), false) } // CollectAllowedConnsFromNetpols updates allowed conns of current PolicyConnections object with allowed connections from diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index f313bc87..946d2672 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go @@ -16,6 +16,15 @@ import ( "github.com/np-guard/models/pkg/interval" ) +type LayerType int + +const ( + DefaultLayer = iota + BANPLayer + NPLayer + ANPLayer +) + type ExplResultType int const ( @@ -26,7 +35,10 @@ const ( type ImplyingXgressRulesType struct { Rules map[string]int - // Result will keep the final connectivity decision which follows from the above rules + // DominantLayer keeps the highest priority layer among the current rules; + // used in combination with collectRulesType flag (on 'DontCollect' value) in updateImplyingRules + DominantLayer LayerType + // Result keeps the final connectivity decision which follows from the above rules // (allow, deny or not set) // It is used for specifying explainability decision per direction (Egress/Ingress) Result ExplResultType 
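Review bot: The doc comment on `ComplementPassConns` still says only that pass connections are complemented "to all connections", while the new body adds just the connections that are neither in `AllowedConns` nor in `DeniedConns`, and strips their implying rules. I would update it to `// ComplementPassConns adds to PassConns every connection that is neither allowed nor denied by the policy; the added connections carry no implying rules` and fix the typo `conections`. Because lower-priority layers only get to decide what ends up in `PassConns`, a unit test asserting that `PassConns` stays disjoint from `AllowedConns` and `DeniedConns` after the call would guard this. This assumes `ConnectionSet.Subtract` mutates its receiver, which is not visible here.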
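Review bot: The new constants `DefaultLayer`, `BANPLayer`, `NPLayer` and `ANPLayer` are declared without a type, so they are untyped integer constants rather than `LayerType` values, unlike `DontCollect CollectRulesType = iota` later in this patch. With the current form `x := common.ANPLayer` infers `int` and needs a conversion before it can be passed as a layer; `DefaultLayer LayerType = iota` avoids that. The declaration order is also load-bearing, because `max(rules.DominantLayer, ruleLayer)` treats a larger value as higher priority. A comment such as `// layers in ascending priority: rules of a later layer override rules of an earlier one` would keep a future reordering from silently changing which rule an explanation reports.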
@@ -38,12 +50,12 @@ type ImplyingRulesType struct { } func InitImplyingXgressRules() ImplyingXgressRulesType { - return ImplyingXgressRulesType{Rules: map[string]int{}, Result: NoResult} + return ImplyingXgressRulesType{Rules: map[string]int{}, DominantLayer: DefaultLayer, Result: NoResult} } -func MakeImplyingXgressRulesWithRule(rule string) ImplyingXgressRulesType { +func MakeImplyingXgressRulesWithRule(rule string, layer LayerType) ImplyingXgressRulesType { res := InitImplyingXgressRules() - res.AddXgressRule(rule) + res.AddXgressRule(rule, layer) return res } @@ -51,12 +63,12 @@ func InitImplyingRules() ImplyingRulesType { return ImplyingRulesType{Ingress: InitImplyingXgressRules(), Egress: InitImplyingXgressRules()} } -func MakeImplyingRulesWithRule(rule string, isIngress bool) ImplyingRulesType { +func MakeImplyingRulesWithRule(rule string, layer LayerType, isIngress bool) ImplyingRulesType { res := InitImplyingRules() if isIngress { - res.Ingress = MakeImplyingXgressRulesWithRule(rule) + res.Ingress = MakeImplyingXgressRulesWithRule(rule, layer) } else { - res.Egress = MakeImplyingXgressRulesWithRule(rule) + res.Egress = MakeImplyingXgressRulesWithRule(rule, layer) } return res } @@ -73,7 +85,7 @@ func (rules *ImplyingXgressRulesType) Copy() ImplyingXgressRulesType { if rules == nil { return InitImplyingXgressRules() } - res := ImplyingXgressRulesType{Rules: map[string]int{}, Result: rules.Result} + res := ImplyingXgressRulesType{Rules: map[string]int{}, DominantLayer: rules.DominantLayer, Result: rules.Result} for k, v := range rules.Rules { res.Rules[k] = v } @@ -107,15 +119,7 @@ const ( ) func (rules *ImplyingXgressRulesType) onlyDefaultRule() bool { - if len(rules.Rules) == 1 { - if _, ok := rules.Rules[SystemDefaultRule]; ok { - return true - } - if _, ok := rules.Rules[IPDefaultRule]; ok { - return true - } - } - return false + return len(rules.Rules) == 1 && rules.DominantLayer == DefaultLayer } func formattedExpl(expl string) string { 
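Review bot: `onlyDefaultRule` used to return true only for `SystemDefaultRule` or `IPDefaultRule`; it now returns true for any single rule whose layer is `DefaultLayer`. In this same patch `check.go` adds `common.PodToItselfRule` with `common.DefaultLayer`, so a pod-to-itself connection is now classified as default-only too. How callers use the result is not visible here; if it decides whether a pair is listed under the system-default summary, please confirm the widening is intended. A doc comment would make it explicit, e.g. `// onlyDefaultRule reports whether the single rule present belongs to DefaultLayer (system default, IP-block default, pod-to-itself)`.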
@@ -190,19 +194,20 @@ func (rules ImplyingRulesType) Empty(isIngress bool) bool { return rules.Egress.Empty() } -func (rules *ImplyingXgressRulesType) AddXgressRule(ruleName string) { +func (rules *ImplyingXgressRulesType) AddXgressRule(ruleName string, ruleLayer LayerType) { if ruleName != "" { if _, ok := rules.Rules[ruleName]; !ok { rules.Rules[ruleName] = len(rules.Rules) // a new rule should be the last } + rules.DominantLayer = max(rules.DominantLayer, ruleLayer) } } -func (rules *ImplyingRulesType) AddRule(ruleName string, isIngress bool) { +func (rules *ImplyingRulesType) AddRule(ruleName string, ruleLayer LayerType, isIngress bool) { if isIngress { - rules.Ingress.AddXgressRule(ruleName) + rules.Ingress.AddXgressRule(ruleName, ruleLayer) } else { - rules.Egress.AddXgressRule(ruleName) + rules.Egress.AddXgressRule(ruleName, ruleLayer) } } @@ -225,10 +230,18 @@ func (rules *ImplyingRulesType) SetResult(isAllowed, isIngress bool) { } } +// Union collects others' implying rules into the current ones if 'collectRules' flag if true; +// otherwise, it keeps the current rules or overrides them by others', depending on DominantLayer (or when empty). +// The DominantLayer special case is used in order to preserve higher-priority rules. func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, collectRules bool) { + if other.Empty() { + return + } if !collectRules { - if rules.Empty() { + if rules.Empty() || rules.DominantLayer < other.DominantLayer { + // current rules are empty or lower priority --> override by other *rules = other.Copy() + rules.DominantLayer = other.DominantLayer } return } 
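Review bot: The early `if other.Empty() { return }` added at the top of `ImplyingXgressRulesType.Union` also skips the `Result` propagation at the end of the function (`if other.Result != NoResult { ... }`, visible in the next hunk). If `Empty()` only inspects `Rules` (its body is not shown here), an `other` that carries a result but no rule names no longer updates the receiver in the collecting case; please confirm this combination cannot occur, or move the guard below the result update. In the `!collectRules` branch, `rules.DominantLayer = other.DominantLayer` is redundant because `Copy()` now copies `DominantLayer`. The doc comment reads `flag if true` where `flag is true` is meant.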
@@ -246,6 +259,7 @@ func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, colle rules.Rules[name] = order + offset // other rules should be addded after the current rules } } + rules.DominantLayer = max(rules.DominantLayer, other.DominantLayer) // update Result if set if other.Result != NoResult { rules.SetXgressResult(other.Result == AllowResult) @@ -254,7 +268,7 @@ func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, colle func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, collectRules bool) bool { if !collectRules { - return rules.Empty() && !other.Empty() + return (rules.Empty() && !other.Empty()) || rules.DominantLayer < other.DominantLayer } for name := range other.Rules { if _, ok := rules.Rules[name]; !ok { 
@@ -269,30 +283,16 @@ func (rules *ImplyingRulesType) Union(other ImplyingRulesType, collectRules bool rules.Egress.Union(other.Egress, collectRules) } -func (rules *ImplyingRulesType) onlyIngressDirection() bool { - return !rules.Ingress.Empty() && rules.Egress.Empty() -} - -func (rules *ImplyingRulesType) onlyEgressDirection() bool { - return rules.Ingress.Empty() && !rules.Egress.Empty() -} - -// OverrideUnlessOppositeDirections checks whether rules and other contain only rules of opposite directions -// (one of them only Ingress and another only Egress). -// This happens when performing intersection between ingress and egress connections. -// In this case the function preserves implying rules of both directions (for detailed explainability report). -// If this is not the case of 'opposite durections' scenario, the function overrides current implying rules by others'. -func (rules *ImplyingRulesType) OverrideUnlessOppositeDirections(other ImplyingRulesType) { - switch { - case rules.onlyIngressDirection() && other.onlyEgressDirection(): - // opposite directions (Ingress in rules and Egress in other) -> keep Ingress, copy Egress - rules.Egress = other.Egress.Copy() - case rules.onlyEgressDirection() && other.onlyIngressDirection(): - // opposite directions (Egress in rules and Ingress in other) -> keep Egress, copy Ingress - rules.Ingress = other.Ingress.Copy() - default: - // this is not the case of opposite directions -> override everything +// OverrideOrCollectOtherwise overrides current implying rules by others' if 'overrideRules' flag if true; +// otherwise, it collects others' implying rules into the current ones. +// It is used when updating implying rules (updateImplyingRules()) while adding a new interval (AddAugmentedInterval()), +// in the case that 'inSet' changes. +// A special case of collect is used when AddAugmentedInterval() is called with AlwaysCollect flag from Intersect(). 
+func (rules *ImplyingRulesType) OverrideOrCollectOtherwise(other ImplyingRulesType, overrideRules bool) { + if overrideRules { *rules = other.Copy() + } else { + rules.Union(other, true) } } @@ -314,8 +314,8 @@ func NewAugmentedInterval(start, end int64, inSet bool) AugmentedInterval { return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: InitImplyingRules()} } -func NewAugmentedIntervalWithRule(start, end int64, inSet bool, rule string, isIngress bool) AugmentedInterval { - return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: MakeImplyingRulesWithRule(rule, isIngress)} +func NewAugmentedIntervalWithRule(start, end int64, inSet bool, rule string, layer LayerType, isIngress bool) AugmentedInterval { + return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: MakeImplyingRulesWithRule(rule, layer, isIngress)} } func NewAugmentedIntervalWithRules(start, end int64, inSet bool, rules ImplyingRulesType) AugmentedInterval { @@ -326,10 +326,6 @@ func (augInt AugmentedInterval) Equal(other AugmentedInterval) bool { return augInt.inSet == other.inSet && augInt.interval.Equal(other.interval) && augInt.implyingRules.Equal(&other.implyingRules) } -func (augInt AugmentedInterval) EqualInSetAndRules(other AugmentedInterval) bool { - return augInt.inSet == other.inSet && augInt.implyingRules.Equal(&other.implyingRules) -} - // AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals. // The intervals should include both included intervals and holes; // i.e., start of every interval is the end of a previous interval incremented by 1. 
@@ -480,11 +476,35 @@ func (c *AugmentedCanonicalSet) Equal(other *AugmentedCanonicalSet) bool { return true } +type CollectRulesType int + +const ( + // DontCollect: when adding a new interval, never collect impying rules for intervals in which 'inSet' status persists; + // instead, keep current rules or substutute them by new ones, according to a higher DominantLayer + DontCollect CollectRulesType = iota + // SimpleCollect: when adding a new interval, collect impying rules for intervals in which 'inSet' status persists + SimpleCollect + // AlwaysCollect: when adding a new interval, always collect impying rules (even if 'inSet' status changes); used in Intersect() + AlwaysCollect +) + +func updateImplyingRules(currInterval, newInterval AugmentedInterval, collectRulesType CollectRulesType) ImplyingRulesType { + newImplyingRules := currInterval.implyingRules.Copy() + if currInterval.inSet == newInterval.inSet { + // 'inSet' persists --> collect rules if not specified otherwise by DontCollect + newImplyingRules.Union(newInterval.implyingRules, collectRulesType != DontCollect) + } else { + // 'inSet' changes --> override rules if not specified otherwise by AlwaysCollect + newImplyingRules.OverrideOrCollectOtherwise(newInterval.implyingRules, collectRulesType != AlwaysCollect) + } + return newImplyingRules +} + // AddAugmentedInterval adds a new interval/hole to the set, // and updates the implying rules accordingly // //gocyclo:ignore -func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collectRules bool) { +func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collectRulesType CollectRulesType) { if v.interval.Start() < c.MinValue() || v.interval.End() > c.MaxValue() { log.Panic(errOutOfRangeInterval) } 
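Review bot: `updateImplyingRules` has no doc comment, and its two negated comparisons (`collectRulesType != DontCollect`, `collectRulesType != AlwaysCollect`) hide the decision table that determines which policy rule an explanation names. I would add a comment that states the table outright: when `inSet` persists, the rules are collected, or under `DontCollect` kept/overridden by dominant layer; when `inSet` changes, they are overridden by the new interval's rules, or under `AlwaysCollect` collected. The comments on the `CollectRulesType` constants contain the typos `impying` and `substutute`.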
@@ -504,51 +524,32 @@ func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collec // handle the left-hand side of the intersection of v with set if v.interval.Start() > set[left].interval.Start() && - (set[left].inSet != v.inSet || set[left].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + (set[left].inSet != v.inSet || set[left].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { // split set[left] into two intervals, while the implying rules of the second interval should get the new value (from v) new1 := AugmentedInterval{interval: interval.New(set[left].interval.Start(), v.interval.Start()-1), inSet: set[left].inSet, implyingRules: set[left].implyingRules.Copy()} - newImplyingRules := set[left].implyingRules.Copy() - if set[left].inSet == v.inSet { - newImplyingRules.Union(v.implyingRules, collectRules) - } else { - newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) - } new2 := AugmentedInterval{interval: interval.New(v.interval.Start(), min(set[left].interval.End(), v.interval.End())), - inSet: v.inSet, implyingRules: newImplyingRules} + inSet: v.inSet, implyingRules: updateImplyingRules(set[left], v, collectRulesType)} result = append(result, new1, new2) left++ } for ind := left; ind <= right; ind++ { if ind == right && v.interval.End() < set[right].interval.End() && - (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { break // this is the corner case handled following the loop below } - newImplyingRules := set[ind].implyingRules.Copy() - if set[ind].inSet == v.inSet { - // this interval is not impacted by v; - // however, its implying rules may be updated by those of v. 
- newImplyingRules.Union(v.implyingRules, collectRules) - } else { - newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) - } - result = append(result, AugmentedInterval{interval: set[ind].interval, inSet: v.inSet, implyingRules: newImplyingRules}) + result = append(result, AugmentedInterval{interval: set[ind].interval, inSet: v.inSet, + implyingRules: updateImplyingRules(set[ind], v, collectRulesType)}) } // handle the right-hand side of the intersection of v with set if v.interval.End() < set[right].interval.End() && - (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRules)) { + (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { // split set[right] into two intervals, while the implying rules of the first interval should get the new value (from v) if left < right || (left == right && v.interval.Start() == set[left].interval.Start()) { // a special case when left==right (i.e., v is included in one interval from set) was already handled // at the left-hand side of the intersection of v with set - newImplyingRules := set[right].implyingRules.Copy() - if set[right].inSet == v.inSet { - newImplyingRules.Union(v.implyingRules, collectRules) - } else { - newImplyingRules.OverrideUnlessOppositeDirections(v.implyingRules) - } new1 := AugmentedInterval{interval: interval.New(set[right].interval.Start(), v.interval.End()), - inSet: v.inSet, implyingRules: newImplyingRules} + inSet: v.inSet, implyingRules: updateImplyingRules(set[right], v, collectRulesType)} result = append(result, new1) } new2 := AugmentedInterval{interval: interval.New(v.interval.End()+1, set[right].interval.End()), 
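Review bot: The expression `collectRulesType != DontCollect` is now repeated in all three `mayBeUpdatedBy` calls of `AddAugmentedInterval`. Hoisting it once after the range check, `collect := collectRulesType != DontCollect`, would shorten the three split conditions and keep them from drifting apart when a new `CollectRulesType` value is added. The function starts before and ends after this hunk.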
@@ -583,28 +584,32 @@ func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectRules if c == other { return c.Copy() } + collectRulesType := DontCollect + if collectRules { + collectRulesType = SimpleCollect + } // first, we add all 'out of set' intervals from both sets // then, we add all 'in set' intervals from both sets // this way we get the effect of union, while preserving all relevant implying rules res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, collectRules) + res.AddAugmentedInterval(left, collectRulesType) } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, collectRules) + res.AddAugmentedInterval(right, collectRulesType) } } for _, left := range c.intervalSet { if left.inSet { - res.AddAugmentedInterval(left, collectRules) + res.AddAugmentedInterval(left, collectRulesType) } } for _, right := range other.intervalSet { if right.inSet { - res.AddAugmentedInterval(right, collectRules) + res.AddAugmentedInterval(right, collectRulesType) } } return res @@ -617,7 +622,7 @@ func (c *AugmentedCanonicalSet) Copy() *AugmentedCanonicalSet { func (c *AugmentedCanonicalSet) Contains(n int64) bool { otherSet := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) - otherSet.AddAugmentedInterval(NewAugmentedInterval(n, n, true), false) + otherSet.AddAugmentedInterval(NewAugmentedInterval(n, n, true), DontCollect) return otherSet.ContainedIn(c) } 
@@ -669,22 +674,22 @@ func (c *AugmentedCanonicalSet) Intersect(other *AugmentedCanonicalSet) *Augment res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) for _, left := range c.intervalSet { if left.inSet { - res.AddAugmentedInterval(left, true) // collect implying rules allowed by both sets + res.AddAugmentedInterval(left, AlwaysCollect) // collect implying rules allowed by both sets } } for _, right := range other.intervalSet { if right.inSet { - res.AddAugmentedInterval(right, true) // collect implying rules allowed by both sets + res.AddAugmentedInterval(right, AlwaysCollect) // collect implying rules allowed by both sets } } for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, true) // collect implying rules allowed by both sets + res.AddAugmentedInterval(left, AlwaysCollect) // collect implying rules allowed by both sets } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, true) // collect implying rules allowed by both sets + res.AddAugmentedInterval(right, AlwaysCollect) // collect implying rules allowed by both sets } } return res @@ -727,7 +732,7 @@ func (c *AugmentedCanonicalSet) Subtract(other *AugmentedCanonicalSet) *Augmente if interval.inSet { hole := interval hole.inSet = false - res.AddAugmentedInterval(hole, false) + res.AddAugmentedInterval(hole, DontCollect) } } return res @@ -760,7 +765,7 @@ func (c *AugmentedCanonicalSet) GetEquivalentCanonicalAugmentedSet() *AugmentedC res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) interv, index := c.nextIncludedInterval(0) for index != NoIndex { - res.AddAugmentedInterval(NewAugmentedInterval(interv.Start(), interv.End(), true), false) + res.AddAugmentedInterval(NewAugmentedInterval(interv.Start(), interv.End(), true), DontCollect) interv, index = c.nextIncludedInterval(index + 1) } return res 
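Review bot: In `Intersect`, the trailing comment `// collect implying rules allowed by both sets` is also attached to the two loops that add `!left.inSet` and `!right.inSet` intervals, where the collected rules explain an exclusion rather than an allowance. Suggest rewording those two to `// collect implying rules of the excluded intervals from both sets`. A line above the first loop could also say that `AlwaysCollect` keeps the rules even when `inSet` flips, since that is what separates this call site from `Union`. `Intersect` starts outside the hunk.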
diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go index 2dcf68ef..051681a9 100644 --- a/pkg/netpol/internal/common/connectionset.go +++ b/pkg/netpol/internal/common/connectionset.go @@ -41,14 +41,14 @@ func MakeConnectionSet(all bool) *ConnectionSet { return &ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}, CommonImplyingRules: InitImplyingRules()} } -func MakeConnectionSetWithRule(all bool, rule string, isIngress bool) *ConnectionSet { +func MakeConnectionSetWithRule(all bool, rule string, layer LayerType, isIngress bool) *ConnectionSet { return &ConnectionSet{AllowAll: all, AllowedProtocols: map[v1.Protocol]*PortSet{}, - CommonImplyingRules: MakeImplyingRulesWithRule(rule, isIngress)} + CommonImplyingRules: MakeImplyingRulesWithRule(rule, layer, isIngress)} } // Add common implying rule, i.e., a rule that is relevant for the whole ConnectionSet -func (conn *ConnectionSet) AddCommonImplyingRule(implyingRule string, isIngress bool) { - conn.CommonImplyingRules.AddRule(implyingRule, isIngress) +func (conn *ConnectionSet) AddCommonImplyingRule(implyingRule string, layer LayerType, isIngress bool) { + conn.CommonImplyingRules.AddRule(implyingRule, layer, isIngress) } func (conn *ConnectionSet) GetEquivalentCanonicalConnectionSet() *ConnectionSet { @@ -370,10 +370,6 @@ func (p PortRangeData) Equal(other PortRangeData) bool { return p.Interval.Equal(other.Interval) } -func (p PortRangeData) EqualInSetAndRules(other PortRangeData) bool { - return p.Interval.EqualInSetAndRules(other.Interval) -} - func (p *PortRangeData) String() string { if p.isWholeRange() { return allPortsStr diff --git a/pkg/netpol/internal/common/portset.go b/pkg/netpol/internal/common/portset.go index 11d57c88..a517a5e0 100644 --- a/pkg/netpol/internal/common/portset.go +++ b/pkg/netpol/internal/common/portset.go 
@@ -102,7 +102,7 @@ func (p *PortSet) AddPort(port intstr.IntOrString, implyingRules ImplyingRulesTy p.NamedPorts[port.StrVal] = theRules delete(p.ExcludedNamedPorts, port.StrVal) } else { - p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), true) + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), SimpleCollect) } } @@ -112,13 +112,13 @@ func (p *PortSet) RemovePort(port intstr.IntOrString) { p.ExcludedNamedPorts[port.StrVal] = p.NamedPorts[port.StrVal] delete(p.NamedPorts, port.StrVal) } else { - p.Ports.AddAugmentedInterval(NewAugmentedInterval(int64(port.IntVal), int64(port.IntVal), false), false) + p.Ports.AddAugmentedInterval(NewAugmentedInterval(int64(port.IntVal), int64(port.IntVal), false), DontCollect) } } // AddPortRange: update current PortSet object with new added port range as allowed -func (p *PortSet) AddPortRange(minPort, maxPort int64, inSet bool, fromRule string, isIngress bool) { - p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRule(minPort, maxPort, inSet, fromRule, isIngress), true) +func (p *PortSet) AddPortRange(minPort, maxPort int64, inSet bool, fromRule string, layer LayerType, isIngress bool) { + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRule(minPort, maxPort, inSet, fromRule, layer, isIngress), SimpleCollect) } // Union: update current PortSet object with union of input PortSet object diff --git a/test_outputs/connlist/anp_demo_explain_output.txt b/test_outputs/connlist/anp_demo_explain_output.txt new file mode 100644 index 00000000..079e1e32 --- /dev/null +++ b/test_outputs/connlist/anp_demo_explain_output.txt 
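Review bot: `AddPort` and `RemovePort` pass `int64(port.IntVal)` straight to `AddAugmentedInterval`, which calls `log.Panic(errOutOfRangeInterval)` when the interval lies outside `[MinValue(), MaxValue()]`; that check is visible in the `AddAugmentedInterval` hunk further down this page. `port` is an `intstr.IntOrString`, presumably taken from a policy manifest. Unless an earlier validation step (not visible here) rejects it, a port number outside the set's range would abort the whole analysis instead of producing an error for that one policy. Neither function has an error return, so the range check probably belongs where the manifest value is parsed, returning an error there. Both function bodies start outside these hunks.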
@@ -0,0 +1,225 @@ +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => gryffindor/harry-potter[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] gryffindor/allow-some-ingress-from-to-slytherin-to-gryffindor//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => ravenclaw/luna-lovegood[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress (captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN gryffindor/harry-potter[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet]: + +ALLOWED SCTP:[9003] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Egress rule allow-to-hufflepuff-at-ports-8080-5353 (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +ALLOWED TCP:[8080] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Egress rule allow-to-hufflepuff-at-ports-8080-5353 (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +ALLOWED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Egress rule 
allow-to-hufflepuff-at-ports-8080-5353 (Allow) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED SCTP:[1-9002,9004-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-hufflepuff-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-hufflepuff-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED UDP:[1-52,54-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-hufflepuff-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED UDP:[53] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-hufflepuff-everything-else (Deny) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] ingress-to-hufflepuff//Ingress rule allow-from-gryffindor-at-port-53 (Allow) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN gryffindor/harry-potter[StatefulSet] => ravenclaw/luna-lovegood[StatefulSet]: + +ALLOWED UDP:[52] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] ingress-to-ravenclaw//Ingress rule pass-from-gryffindor-everything (Pass) + 2) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress rule #2 + +DENIED UDP:[1-51,53-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] ingress-to-ravenclaw//Ingress rule 
pass-from-gryffindor-everything (Pass) + 2) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress rule #2 (ports not referenced by the rule) + +DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] ingress-to-ravenclaw//Ingress rule pass-from-gryffindor-everything (Pass) + 2) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress rule #2 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN gryffindor/harry-potter[StatefulSet] => slytherin/draco-malfoy[StatefulSet]: + +ALLOWED SCTP:[1-9002,9004-65535] the system default (Allow all) + +ALLOWED TCP:[1-79,81-65535] the system default (Allow all) + +ALLOWED UDP:[1-52,54-65535] the system default (Allow all) + +DENIED SCTP:[9003] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-slytherin-at-ports-80-53-9003 (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED TCP:[80] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-slytherin-at-ports-80-53-9003 (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +DENIED UDP:[53] due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Egress rule deny-to-slytherin-at-ports-80-53-9003 (Deny) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN hufflepuff/cedric-diggory[StatefulSet] => gryffindor/harry-potter[StatefulSet]: + +ALLOWED SCTP:[9003] due to 
the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Ingress rule allow-from-hufflepuff-at-port-80-5353-9003 (Allow) + +ALLOWED TCP:[80] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Ingress rule allow-from-hufflepuff-at-port-80-5353-9003 (Allow) + +ALLOWED UDP:[5353] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Ingress rule allow-from-hufflepuff-at-port-80-5353-9003 (Allow) + +DENIED SCTP:[1-9002,9004-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Ingress rule deny-from-hufflepuff-everything-else (Deny) + +DENIED TCP:[1-79,81-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Ingress rule deny-from-hufflepuff-everything-else (Deny) + +DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] gress-rules-gryffindor//Ingress rule deny-from-hufflepuff-everything-else (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN hufflepuff/cedric-diggory[StatefulSet] => ravenclaw/luna-lovegood[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress 
(captured but not selected by any Ingress rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN hufflepuff/cedric-diggory[StatefulSet] => slytherin/draco-malfoy[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [BANP] default//Ingress rule deny-all-ingress-from-hufflepuff (Deny) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => 0.0.0.0-255.255.255.255: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => gryffindor/harry-potter[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] gress-rules-gryffindor//Ingress rule allow-from-ravenclaw-everything (Allow) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] 
ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => slytherin/draco-malfoy[StatefulSet]: + +No Connections due to the following policies//rules: + EGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN slytherin/draco-malfoy[StatefulSet] => gryffindor/harry-potter[StatefulSet]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] anp-priority-10//Ingress rule pass-all-ingress-from-slytherin (Pass) + 2) [NP] gryffindor/allow-some-ingress-from-to-slytherin-to-gryffindor//Ingress rule #1 + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN slytherin/draco-malfoy[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet]: + +All Connections due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [ANP] ingress-to-hufflepuff//Ingress rule pass-from-slytherin (Pass) + 2) the system default (Allow all) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +CONNECTIONS BETWEEN slytherin/draco-malfoy[StatefulSet] => 
ravenclaw/luna-lovegood[StatefulSet]: + +ALLOWED TCP:[1-79,81-65535] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (ALLOWED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress rule #1 + +DENIED TCP:[80] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [ANP] ingress-to-ravenclaw//Ingress rule deny-from-slytherin-at-port-80 (Deny) + +DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: + EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) + INGRESS DIRECTION (DENIED) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Ingress rule #1 (protocols not referenced by the rule) + +---------------------------------------------------------------------------------------------------------------------------------------------------------------- +The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): +0.0.0.0-255.255.255.255 => hufflepuff/cedric-diggory[StatefulSet] +0.0.0.0-255.255.255.255 => slytherin/draco-malfoy[StatefulSet] +gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255 +hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255 +slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 From 49050df1ab102276dc1fa9dffc3edd4fcd6af203 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Mon, 13 Jan 2025 18:12:39 +0200 Subject: [PATCH 15/20] Make linter happy --- pkg/netpol/connlist/connlist.go | 3 ++- pkg/netpol/eval/internal/k8s/netpol.go | 3 ++- pkg/netpol/internal/common/augmented_intervalset.go | 3 ++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index 14f0219b..e191f43f 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go 
@@ -365,7 +365,8 @@ func GetConnectionSetFromP2PConnection(c Peer2PeerConnection) *common.Connection for _, p := range portRangeArr { augmentedRange := p.(*common.PortRangeData) // we cannot fill explainability data here, so we pass an empty rule name and an arbitrary direction (isIngress being true) - protocolsToPortSetMap[protocol].AddPortRange(augmentedRange.Start(), augmentedRange.End(), augmentedRange.InSet(), "", common.DefaultLayer, true) + protocolsToPortSetMap[protocol].AddPortRange(augmentedRange.Start(), augmentedRange.End(), + augmentedRange.InSet(), "", common.DefaultLayer, true) } } connectionSet := &common.ConnectionSet{AllowAll: c.AllProtocolsAndPorts(), AllowedProtocols: protocolsToPortSetMap} diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 14888deb..7b01b3aa 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go @@ -168,7 +168,8 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds protocol = *rulePorts[i].Protocol } // the whole port range is affected by the rule (not only ports mentioned in the rule) - ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), common.NPLayer, isIngress)) + ports := common.MakeEmptyPortSetWithImplyingRules( + common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), common.NPLayer, isIngress)) if rulePorts[i].Port == nil { ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, common.NPLayer, isIngress)) } else { diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index 946d2672..36f6a288 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
@@ -315,7 +315,8 @@ func NewAugmentedInterval(start, end int64, inSet bool) AugmentedInterval { } func NewAugmentedIntervalWithRule(start, end int64, inSet bool, rule string, layer LayerType, isIngress bool) AugmentedInterval { - return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, implyingRules: MakeImplyingRulesWithRule(rule, layer, isIngress)} + return AugmentedInterval{interval: interval.New(start, end), inSet: inSet, + implyingRules: MakeImplyingRulesWithRule(rule, layer, isIngress)} } func NewAugmentedIntervalWithRules(start, end int64, inSet bool, rules ImplyingRulesType) AugmentedInterval { From d78e3c46945214a45c27e1f014c5abb98fd47f03 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 14 Jan 2025 15:42:06 +0200 Subject: [PATCH 16/20] Changed explanation output for empty Xgress rules; More delicate updating implying rules. --- pkg/netpol/eval/internal/k8s/netpol.go | 5 +- .../internal/common/augmented_intervalset.go | 181 ++-- pkg/netpol/internal/common/connectionset.go | 25 +- pkg/netpol/internal/common/portset.go | 22 +- .../acs-security-demos_explain_output.txt | 994 +++++++++--------- .../connlist/anp_demo_explain_output.txt | 8 +- .../netpol_named_port_test_explain_output.txt | 4 +- .../onlineboutique_explain_output.txt | 192 ++-- 8 files changed, 715 insertions(+), 716 deletions(-) diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index 7b01b3aa..14d7747e 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go 
@@ -408,8 +408,9 @@ func (np *NetworkPolicy) EgressAllowedConn(dst Peer, protocol, port string) (boo } const ( - NoXgressRulesExpl = "(no %s rules defined)" - CapturedButNotSelectedExpl = "(captured but not selected by any %s rule)" + CapturedButNotSelectedTxt = "captured but not selected by any %s rule" + CapturedButNotSelectedExpl = "(" + CapturedButNotSelectedTxt + ")" + NoXgressRulesExpl = "(" + CapturedButNotSelectedTxt + " - no rules defined)" ) func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) string { diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index 36f6a288..ec025ff1 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go @@ -36,7 +36,7 @@ const ( type ImplyingXgressRulesType struct { Rules map[string]int // DominantLayer keeps the highest priority layer among the current rules; - // used in combination with collectRulesType flag (on 'DontCollect' value) in updateImplyingRules + // used in combination with collectStyle flag (on 'NeverCollectRules' value) in updateImplyingRules DominantLayer LayerType // Result keeps the final connectivity decision which follows from the above rules // (allow, deny or not set) 
@@ -230,22 +230,8 @@ func (rules *ImplyingRulesType) SetResult(isAllowed, isIngress bool) { } } -// Union collects others' implying rules into the current ones if 'collectRules' flag if true; -// otherwise, it keeps the current rules or overrides them by others', depending on DominantLayer (or when empty). -// The DominantLayer special case is used in order to preserve higher-priority rules. -func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, collectRules bool) { - if other.Empty() { - return - } - if !collectRules { - if rules.Empty() || rules.DominantLayer < other.DominantLayer { - // current rules are empty or lower priority --> override by other - *rules = other.Copy() - rules.DominantLayer = other.DominantLayer - } - return - } - +// Union collects other implying rules into the current ones +func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType) { // first, count how many rules are common in both sets common := 0 for name := range other.Rules { 
@@ -266,38 +252,78 @@ func (rules *ImplyingXgressRulesType) Union(other ImplyingXgressRulesType, colle } } -func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, collectRules bool) bool { - if !collectRules { - return (rules.Empty() && !other.Empty()) || rules.DominantLayer < other.DominantLayer +type CollectStyleType int + +const ( + NeverCollectRules CollectStyleType = iota + CollectSameInclusionRules + AlwaysCollectRules +) + +// Update implying rules by other (either keep, override or collect), according to the following flags: +// - 'sameInclusion' flag if true iff there is no change in an inclusion status +// of the updated AugmentedInterval / ConnectionSet +// (depending if the current rules come from AugmentedInterval.implyingRules / ConnectionSet.CommonImplyingRules); +// in case of AugmentedInterval, 'inSet' status is same, in case of ConnectionSet conn.AllowAll is same). +// - 'collectStyle' flag specifies whether and how to collect rules (as described below). +// +// The logic of the update is as follows: +// - if 'collectStyle' is AlwaysCollectRules (comes from Intersection of connection sets) --> collect the rules in any case +// (Intersection of connection sets scenario) +// - if 'collectStyle' is CollectSameInclusionRules and the inclusion status persists ('sameInclusion' is true) --> collect the rules +// (Union of connection sets of multiple NPs scenario) +// - otherwise, if the inclusion status changes ('sameInclusion' is false) --> override the rules +// - otherwise, if the DominantLayer priortiy of the other rules is higher --> override the rules +// - otherwise, keep the current rules. 
+func (rules ImplyingXgressRulesType) update(other ImplyingXgressRulesType, sameInclusion bool, collectStyle CollectStyleType) ImplyingXgressRulesType { + result := rules.Copy() + if other.Empty() { + return result } - for name := range other.Rules { - if _, ok := rules.Rules[name]; !ok { - return true - } + if collectStyle == AlwaysCollectRules || (collectStyle == CollectSameInclusionRules && sameInclusion) { + result.Union(other) + return result } - return false + + // inclusion status changes --> override + if !sameInclusion { + result = other.Copy() + return result + } + // collectStyle == NeverCollectRules + // inclusion status persists --> keep or override according to the priority + if rules.Empty() || rules.DominantLayer < other.DominantLayer { + // rules are empty or of lower priority --> override + result = other.Copy() + } + return result } -func (rules *ImplyingRulesType) Union(other ImplyingRulesType, collectRules bool) { - rules.Ingress.Union(other.Ingress, collectRules) - rules.Egress.Union(other.Egress, collectRules) +func (rules ImplyingRulesType) Update(other ImplyingRulesType, sameInclusion bool, collectStyle CollectStyleType) ImplyingRulesType { + result := ImplyingRulesType{} + result.Ingress = rules.Ingress.update(other.Ingress, sameInclusion, collectStyle) + result.Egress = rules.Egress.update(other.Egress, sameInclusion, collectStyle) + return result } -// OverrideOrCollectOtherwise overrides current implying rules by others' if 'overrideRules' flag if true; -// otherwise, it collects others' implying rules into the current ones. -// It is used when updating implying rules (updateImplyingRules()) while adding a new interval (AddAugmentedInterval()), -// in the case that 'inSet' changes. -// A special case of collect is used when AddAugmentedInterval() is called with AlwaysCollect flag from Intersect(). 
-func (rules *ImplyingRulesType) OverrideOrCollectOtherwise(other ImplyingRulesType, overrideRules bool) { - if overrideRules { - *rules = other.Copy() - } else { - rules.Union(other, true) +// This function returns whether the current rules may be updated by the other rules. +// It follows the logic of Update() (see explanation above). +func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, sameInclusion bool, collectStyle CollectStyleType) bool { + if collectStyle == AlwaysCollectRules || (collectStyle == CollectSameInclusionRules && sameInclusion) { + // return true iff Union would change anything + for name := range other.Rules { + if _, ok := rules.Rules[name]; !ok { + return true + } + } + return false } + return (!sameInclusion || rules.Empty() && !other.Empty()) || rules.DominantLayer < other.DominantLayer } -func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, collectRules bool) bool { - return rules.Ingress.mayBeUpdatedBy(other.Ingress, collectRules) || rules.Egress.mayBeUpdatedBy(other.Egress, collectRules) +func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, sameInclusion bool, collectStyle CollectStyleType) bool { + return rules.Ingress.mayBeUpdatedBy(other.Ingress, sameInclusion, collectStyle) || + rules.Egress.mayBeUpdatedBy(other.Egress, sameInclusion, collectStyle) } const ( 
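Review bot: In `ImplyingXgressRulesType.update`, the early `if other.Empty() { return result }` runs before the `!sameInclusion` override, so an interval whose inclusion flips while the incoming rules are empty keeps the rules of the opposite decision. The removed `OverrideOrCollectOtherwise` replaced the rules with `other.Copy()` in that case, and the new doc comment lists "inclusion status changes --> override" without mentioning this exception. `RemovePort` adds an interval built by `NewAugmentedInterval`, which presumably carries no rules, so an explanation could attribute a removed port to the rule that previously allowed it. If keeping the old rules is intended, add a line to the comment such as `// - if 'other' has no rules --> keep the current rules, even if the inclusion status changes`; otherwise move the empty check below the `!sameInclusion` branch.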
@@ -477,35 +503,11 @@ func (c *AugmentedCanonicalSet) Equal(other *AugmentedCanonicalSet) bool { return true } -type CollectRulesType int - -const ( - // DontCollect: when adding a new interval, never collect impying rules for intervals in which 'inSet' status persists; - // instead, keep current rules or substutute them by new ones, according to a higher DominantLayer - DontCollect CollectRulesType = iota - // SimpleCollect: when adding a new interval, collect impying rules for intervals in which 'inSet' status persists - SimpleCollect - // AlwaysCollect: when adding a new interval, always collect impying rules (even if 'inSet' status changes); used in Intersect() - AlwaysCollect -) - -func updateImplyingRules(currInterval, newInterval AugmentedInterval, collectRulesType CollectRulesType) ImplyingRulesType { - newImplyingRules := currInterval.implyingRules.Copy() - if currInterval.inSet == newInterval.inSet { - // 'inSet' persists --> collect rules if not specified otherwise by DontCollect - newImplyingRules.Union(newInterval.implyingRules, collectRulesType != DontCollect) - } else { - // 'inSet' changes --> override rules if not specified otherwise by AlwaysCollect - newImplyingRules.OverrideOrCollectOtherwise(newInterval.implyingRules, collectRulesType != AlwaysCollect) - } - return newImplyingRules -} - // AddAugmentedInterval adds a new interval/hole to the set, // and updates the implying rules accordingly // //gocyclo:ignore -func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collectRulesType CollectRulesType) { +func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collectStyle CollectStyleType) { if v.interval.Start() < c.MinValue() || v.interval.End() > c.MaxValue() { log.Panic(errOutOfRangeInterval) } 
@@ -524,33 +526,36 @@ func (c *AugmentedCanonicalSet) AddAugmentedInterval(v AugmentedInterval, collec result = append(result, slices.Clone(set[0:left])...) // handle the left-hand side of the intersection of v with set + sameInclusion := set[left].inSet == v.inSet if v.interval.Start() > set[left].interval.Start() && - (set[left].inSet != v.inSet || set[left].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { + (!sameInclusion || set[left].implyingRules.mayBeUpdatedBy(v.implyingRules, sameInclusion, collectStyle)) { // split set[left] into two intervals, while the implying rules of the second interval should get the new value (from v) new1 := AugmentedInterval{interval: interval.New(set[left].interval.Start(), v.interval.Start()-1), inSet: set[left].inSet, implyingRules: set[left].implyingRules.Copy()} new2 := AugmentedInterval{interval: interval.New(v.interval.Start(), min(set[left].interval.End(), v.interval.End())), - inSet: v.inSet, implyingRules: updateImplyingRules(set[left], v, collectRulesType)} + inSet: v.inSet, implyingRules: set[left].implyingRules.Update(v.implyingRules, sameInclusion, collectStyle)} result = append(result, new1, new2) left++ } for ind := left; ind <= right; ind++ { + sameInclusion := set[ind].inSet == v.inSet if ind == right && v.interval.End() < set[right].interval.End() && - (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { + (!sameInclusion || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, sameInclusion, collectStyle)) { break // this is the corner case handled following the loop below } result = append(result, AugmentedInterval{interval: set[ind].interval, inSet: v.inSet, - implyingRules: updateImplyingRules(set[ind], v, collectRulesType)}) + implyingRules: set[ind].implyingRules.Update(v.implyingRules, sameInclusion, collectStyle)}) } // handle the right-hand side of the intersection of v with set + sameInclusion = 
set[right].inSet == v.inSet if v.interval.End() < set[right].interval.End() && - (set[right].inSet != v.inSet || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, collectRulesType != DontCollect)) { + (!sameInclusion || set[right].implyingRules.mayBeUpdatedBy(v.implyingRules, sameInclusion, collectStyle)) { // split set[right] into two intervals, while the implying rules of the first interval should get the new value (from v) if left < right || (left == right && v.interval.Start() == set[left].interval.Start()) { // a special case when left==right (i.e., v is included in one interval from set) was already handled // at the left-hand side of the intersection of v with set - new1 := AugmentedInterval{interval: interval.New(set[right].interval.Start(), v.interval.End()), - inSet: v.inSet, implyingRules: updateImplyingRules(set[right], v, collectRulesType)} + new1 := AugmentedInterval{interval: interval.New(set[right].interval.Start(), v.interval.End()), inSet: v.inSet, + implyingRules: set[right].implyingRules.Update(v.implyingRules, sameInclusion, collectStyle)} result = append(result, new1) } new2 := AugmentedInterval{interval: interval.New(v.interval.End()+1, set[right].interval.End()), 
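Review bot: `sameInclusion` is declared three ways in this hunk, which makes it hard to tell which interval a given read refers to. It is declared for `set[left]`, re-declared with `:=` inside the `for ind := left; ind <= right; ind++` loop (shadowing the outer one), and then assigned with `=` for `set[right]` after the loop. The code is correct as written, but a later edit that reads the outer variable inside the loop, or drops the post-loop assignment, would silently use the inclusion status of the wrong interval. Distinct names would avoid this, for example `leftSame := set[left].inSet == v.inSet`, `same := set[ind].inSet == v.inSet` in the loop and `rightSame := set[right].inSet == v.inSet` after it. The body of AddAugmentedInterval starts and ends outside this hunk.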
@@ -579,15 +584,13 @@ func (c *AugmentedCanonicalSet) String() string { } // Union returns the union of the two sets -// Note: this function is not symmetrical regarding the update of implying rules: -// it always prefers implying rules of 'c', and adds to it those of 'other' depending if collectRules == true -func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectRules bool) *AugmentedCanonicalSet { +func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectSameInclusionRules bool) *AugmentedCanonicalSet { if c == other { return c.Copy() } - collectRulesType := DontCollect - if collectRules { - collectRulesType = SimpleCollect + collectStyle := NeverCollectRules + if collectSameInclusionRules { + collectStyle = CollectSameInclusionRules } // first, we add all 'out of set' intervals from both sets // then, we add all 'in set' intervals from both sets @@ -595,22 +598,22 @@ func (c *AugmentedCanonicalSet) Union(other *AugmentedCanonicalSet, collectRules res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, collectRulesType) + res.AddAugmentedInterval(left, collectStyle) } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, collectRulesType) + res.AddAugmentedInterval(right, collectStyle) } } for _, left := range c.intervalSet { if left.inSet { - res.AddAugmentedInterval(left, collectRulesType) + res.AddAugmentedInterval(left, collectStyle) } } for _, right := range other.intervalSet { if right.inSet { - res.AddAugmentedInterval(right, collectRulesType) + res.AddAugmentedInterval(right, collectStyle) } } return res 
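Review bot: The doc comment on `AugmentedCanonicalSet.Union` is reduced to "Union returns the union of the two sets", so the exported `collectSameInclusionRules` flag is now undocumented and the removed note about asymmetry is lost. The insertion order in the body is unchanged (intervals of `c` are added before those of `other`), and `mayBeUpdatedBy` replaces rules only on an empty set or a strictly lower `DominantLayer`, so ties presumably still keep the rules of `c`. I would restore this as `// When collectSameInclusionRules is true, implying rules of both sets are collected for values whose inclusion is the same in both;` followed by `// otherwise the rules of 'c' are kept unless those of 'other' come from a more dominant layer.` The same gap applies to `ConnectionSet.Union` in connectionset.go, whose precedence comment is also deleted, whereas `PortSet.Union` in portset.go does get an updated note.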
@@ -623,7 +626,7 @@ func (c *AugmentedCanonicalSet) Copy() *AugmentedCanonicalSet { func (c *AugmentedCanonicalSet) Contains(n int64) bool { otherSet := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) - otherSet.AddAugmentedInterval(NewAugmentedInterval(n, n, true), DontCollect) + otherSet.AddAugmentedInterval(NewAugmentedInterval(n, n, true), NeverCollectRules) return otherSet.ContainedIn(c) } @@ -675,22 +678,22 @@ func (c *AugmentedCanonicalSet) Intersect(other *AugmentedCanonicalSet) *Augment res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) for _, left := range c.intervalSet { if left.inSet { - res.AddAugmentedInterval(left, AlwaysCollect) // collect implying rules allowed by both sets + res.AddAugmentedInterval(left, AlwaysCollectRules) // collect implying rules allowed by both sets } } for _, right := range other.intervalSet { if right.inSet { - res.AddAugmentedInterval(right, AlwaysCollect) // collect implying rules allowed by both sets + res.AddAugmentedInterval(right, AlwaysCollectRules) // collect implying rules allowed by both sets } } for _, left := range c.intervalSet { if !left.inSet { - res.AddAugmentedInterval(left, AlwaysCollect) // collect implying rules allowed by both sets + res.AddAugmentedInterval(left, AlwaysCollectRules) // collect implying rules allowed by both sets } } for _, right := range other.intervalSet { if !right.inSet { - res.AddAugmentedInterval(right, AlwaysCollect) // collect implying rules allowed by both sets + res.AddAugmentedInterval(right, AlwaysCollectRules) // collect implying rules allowed by both sets } } return res @@ -733,7 +736,7 @@ func (c *AugmentedCanonicalSet) Subtract(other *AugmentedCanonicalSet) *Augmente if interval.inSet { hole := interval hole.inSet = false - res.AddAugmentedInterval(hole, DontCollect) + res.AddAugmentedInterval(hole, NeverCollectRules) } } return res 
@@ -766,7 +769,7 @@ func (c *AugmentedCanonicalSet) GetEquivalentCanonicalAugmentedSet() *AugmentedC res := NewAugmentedCanonicalSet(c.MinValue(), c.MaxValue(), false) interv, index := c.nextIncludedInterval(0) for index != NoIndex { - res.AddAugmentedInterval(NewAugmentedInterval(interv.Start(), interv.End(), true), DontCollect) + res.AddAugmentedInterval(NewAugmentedInterval(interv.Start(), interv.End(), true), NeverCollectRules) interv, index = c.nextIncludedInterval(index + 1) } return res diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go index 051681a9..7a7412af 100644 --- a/pkg/netpol/internal/common/connectionset.go +++ b/pkg/netpol/internal/common/connectionset.go @@ -84,7 +84,7 @@ func (conn *ConnectionSet) Intersection(other *ConnectionSet) { conn.AllowedProtocols = map[v1.Protocol]*PortSet{} } // union common implying rules - a symmetrical update - conn.CommonImplyingRules.Union(other.CommonImplyingRules, true) + conn.CommonImplyingRules = conn.CommonImplyingRules.Update(other.CommonImplyingRules, true, AlwaysCollectRules) return } // prepare conn and other for the intersection - we need to seep implying rules info into all protocols/ports 
@@ -169,17 +169,13 @@ func (conn *ConnectionSet) rebuildExplicitly() { } // Union updates ConnectionSet object to be the union result with other ConnectionSet -// the implying rules are updated only if something changes in conn, -// i.e., conn has a precedence over other -func (conn *ConnectionSet) Union(other *ConnectionSet, collectRules bool) { +func (conn *ConnectionSet) Union(other *ConnectionSet, collectSameInclusionRules bool) { + collectStyle := NeverCollectRules + if collectSameInclusionRules { + collectStyle = CollectSameInclusionRules + } if conn.IsEmpty() && (other.IsEmpty() || other.AllowAll) && len(conn.AllowedProtocols) == 0 && len(other.AllowedProtocols) == 0 { - if other.IsEmpty() { - // we should union implying rules - both contribute to the result being empty - conn.CommonImplyingRules.Union(other.CommonImplyingRules, collectRules) - } else { - // we should substitute the implying rules by others' rules - conn.CommonImplyingRules = other.CommonImplyingRules.Copy() - } + conn.CommonImplyingRules = conn.CommonImplyingRules.Update(other.CommonImplyingRules, other.IsEmpty(), collectStyle) conn.AllowAll = other.AllowAll return } @@ -190,7 +186,7 @@ func (conn *ConnectionSet) Union(other *ConnectionSet, collectRules bool) { other.rebuildExplicitly() for protocol := range conn.AllowedProtocols { if otherPorts, ok := other.AllowedProtocols[protocol]; ok { - conn.AllowedProtocols[protocol].Union(otherPorts, collectRules) + conn.AllowedProtocols[protocol].Union(otherPorts, collectSameInclusionRules) } } conn.CommonImplyingRules = InitImplyingRules() // clear common implying rules, since we have implying rules in AllowedProtocols 
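Review bot: In `ConnectionSet.Union`, passing `other.IsEmpty()` as the `sameInclusion` argument of `Update` is only meaningful because the enclosing `if` has already established `conn.IsEmpty()`, and nothing on the line says so. The two removed branch comments explained both cases (both empty means both contribute; otherwise substitute the rules of `other`), and the one-line replacement drops that reasoning. A short why-comment would keep it readable, for example `// conn is empty here, so the inclusion status is unchanged exactly when other is empty too`. The function continues past the end of this hunk.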
@@ -205,8 +201,9 @@ func (conn *ConnectionSet) Subtract(other *ConnectionSet) { return } if other.AllowAll && len(other.AllowedProtocols) == 0 { - // a special case when we should replace current common implying rules by others' - conn.CommonImplyingRules = other.CommonImplyingRules.Copy() + // a special case when we should override the current common implying rules by others' + // because conn.AllowAll (aka the inclusion status) changes + conn.CommonImplyingRules = conn.CommonImplyingRules.Update(other.CommonImplyingRules, false, NeverCollectRules) conn.AllowAll = false conn.AllowedProtocols = map[v1.Protocol]*PortSet{} return diff --git a/pkg/netpol/internal/common/portset.go b/pkg/netpol/internal/common/portset.go index a517a5e0..0d6dbcae 100644 --- a/pkg/netpol/internal/common/portset.go +++ b/pkg/netpol/internal/common/portset.go @@ -97,12 +97,10 @@ func (p *PortSet) AddPort(port intstr.IntOrString, implyingRules ImplyingRulesTy if _, ok := p.NamedPorts[port.StrVal]; !ok { p.NamedPorts[port.StrVal] = InitImplyingRules() } - theRules := p.NamedPorts[port.StrVal] - theRules.Union(implyingRules, true) - p.NamedPorts[port.StrVal] = theRules + p.NamedPorts[port.StrVal] = p.NamedPorts[port.StrVal].Update(implyingRules, false, NeverCollectRules) delete(p.ExcludedNamedPorts, port.StrVal) } else { - p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), SimpleCollect) + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), NeverCollectRules) } } 
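Review bot: In `PortSet.AddPort`, the named-port branch calls `Update(implyingRules, false, NeverCollectRules)` with `sameInclusion` hard-coded to `false`, even when the port is already present in `p.NamedPorts`. Going by `mayBeUpdatedBy`, which is documented as following `Update()`, that presumably replaces the existing rules regardless of `DominantLayer`. The numeric branch goes through `AddAugmentedInterval`, which derives `sameInclusion` from the set's actual state, so named and numeric ports can end up with different explanations for the same sequence of policies. If overriding is not intended for an already-allowed named port, keep the lookup result and pass it on: `_, wasAllowed := p.NamedPorts[port.StrVal]` and then `Update(implyingRules, wasAllowed, NeverCollectRules)`. If it is intended, a comment should say so. The same hard-coded `false` appears in `PortSet.subtract` for `p.ExcludedNamedPorts[k]` further down in portset.go.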
@@ -112,20 +110,22 @@ func (p *PortSet) RemovePort(port intstr.IntOrString) { p.ExcludedNamedPorts[port.StrVal] = p.NamedPorts[port.StrVal] delete(p.NamedPorts, port.StrVal) } else { - p.Ports.AddAugmentedInterval(NewAugmentedInterval(int64(port.IntVal), int64(port.IntVal), false), DontCollect) + p.Ports.AddAugmentedInterval(NewAugmentedInterval(int64(port.IntVal), int64(port.IntVal), false), NeverCollectRules) } } // AddPortRange: update current PortSet object with new added port range as allowed func (p *PortSet) AddPortRange(minPort, maxPort int64, inSet bool, fromRule string, layer LayerType, isIngress bool) { - p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRule(minPort, maxPort, inSet, fromRule, layer, isIngress), SimpleCollect) + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRule(minPort, maxPort, inSet, fromRule, layer, isIngress), NeverCollectRules) } // Union: update current PortSet object with union of input PortSet object // Note: this function is not symmetrical regarding the update of implying rules: -// it updates implying rules of 'p' by those of 'other' only for ports that get changed in 'p' -func (p *PortSet) Union(other *PortSet, collectRules bool) { - p.Ports = p.Ports.Union(other.Ports, collectRules) +// - for ports that get changed in 'p', it overrides implying rules of 'p' by those of 'other'; +// - for unchanged ports it updates implying rules of 'p' according to 'collectSameInclusionRules' +// (collecting when true, overriding by priority otherwise) +func (p *PortSet) Union(other *PortSet, collectSameInclusionRules bool) { + p.Ports = p.Ports.Union(other.Ports, collectSameInclusionRules) // union current namedPorts with other namedPorts, and delete other namedPorts from current excludedNamedPorts for k, v := range other.NamedPorts { if _, ok := p.NamedPorts[k]; !ok { 
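Review bot: `AddPortRange` switches from `SimpleCollect` to `NeverCollectRules` without any change to its doc comment, which still says the range is added "as allowed" although the function takes an `inSet` argument. For overlapping ranges added by several rules, the earlier behaviour collected all implying rules. The new one presumably keeps a single rule set per port, chosen by `DominantLayer` (going by `mayBeUpdatedBy`), which changes what the explanation output reports. I would document this as `// AddPortRange adds [minPort, maxPort] as allowed (inSet) or denied (!inSet); for ports whose inclusion` and `// does not change, existing implying rules are kept unless the new rule comes from a more dominant layer.`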
@@ -206,9 +206,7 @@ func (p *PortSet) subtract(other *PortSet) { if _, ok := p.ExcludedNamedPorts[k]; !ok { p.ExcludedNamedPorts[k] = InitImplyingRules() } - theRules := p.ExcludedNamedPorts[k] - theRules.Union(v.Copy(), true) - p.ExcludedNamedPorts[k] = theRules + p.ExcludedNamedPorts[k] = p.ExcludedNamedPorts[k].Update(v, false, NeverCollectRules) delete(p.NamedPorts, k) } } diff --git a/test_outputs/connlist/acs-security-demos_explain_output.txt b/test_outputs/connlist/acs-security-demos_explain_output.txt index 1e9c26ea..17031bf1 100644 --- a/test_outputs/connlist/acs-security-demos_explain_output.txt +++ b/test_outputs/connlist/acs-security-demos_explain_output.txt @@ -5,7 +5,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/checkout[Deployment]: 
@@ -14,7 +14,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/notification[Deployment]: @@ -22,7 +22,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -31,7 +31,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/recommendation[Deployment No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -40,7 +40,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/reports[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -49,7 +49,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => backend/shipping[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -59,7 +59,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => frontend/webapp[Deployment]: 
@@ -67,7 +67,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => frontend/webapp[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -76,7 +76,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/gateway[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -85,7 +85,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/mastercard-processor[Dep No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -94,7 +94,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => payments/visa-processor[Deploymen No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -102,8 +102,8 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -111,21 +111,21 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -133,10 +133,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/recommendation[Deploy No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -144,10 +144,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/reports[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -155,10 +155,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => backend/shipping[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -166,22 +166,22 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => frontend/asset-cache[Deployme DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -190,25 +190,25 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => frontend/webapp[Deployment]: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] 
frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -216,10 +216,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/gateway[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -227,10 +227,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/mastercard-processor No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -238,10 +238,10 @@ CONNECTIONS BETWEEN backend/catalog[Deployment] => payments/visa-processor[Deplo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/catalog-netpol//Egress (no Egress rules defined) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/catalog-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -250,7 +250,7 @@ CONNECTIONS BETWEEN backend/checkout[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress (captured but not selected by any Egress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -261,21 +261,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/checkout[Deployment] => backend/notification[Deployment]: 
@@ -290,28 +290,28 @@ DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #1 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress rule #1 (protocols 
not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -327,28 +327,28 @@ DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #1 
(protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -358,21 +358,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -382,21 +382,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -439,7 +439,7 @@ DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: 
@@ -452,21 +452,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -482,28 +482,28 @@ DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress rule #1 (protocols 
not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -513,21 +513,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -537,21 +537,21 @@ DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/checkout-netpol//Egress rule #4 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -559,8 +559,8 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -568,32 +568,32 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => backend/catalog[Deployme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/notification[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/notification[Deployment] => backend/recommendation[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -601,10 +601,10 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => backend/reports[Deployme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -612,10 +612,10 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => backend/shipping[Deploym No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -623,22 +623,22 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => frontend/asset-cache[Dep DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -647,25 +647,25 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => frontend/webapp[Deployme DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) 
[NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -673,10 +673,10 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => payments/gateway[Deploym No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -684,10 +684,10 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => payments/mastercard-proc No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -695,10 +695,10 @@ CONNECTIONS BETWEEN backend/notification[Deployment] => payments/visa-processor[ No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/notification-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/notification-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -706,7 +706,7 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => 0.0.0.0-255.255.255.25 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) 
@@ -721,14 +721,14 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #1 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #1 (protocols not referenced by the rule) @@ -741,7 +741,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -751,51 +751,51 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/checkout[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any 
Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/notification[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules 
defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -803,25 +803,25 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/reports[Deploy DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not 
selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -829,25 +829,25 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => backend/shipping[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but 
not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -855,21 +855,21 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => frontend/asset-cache[D DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -882,7 +882,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -892,40 +892,40 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => frontend/webapp[Deploy DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols 
not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -933,25 +933,25 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/gateway[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress 
(captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -959,25 +959,25 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/mastercard-pr DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] 
payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -985,25 +985,25 @@ CONNECTIONS BETWEEN backend/recommendation[Deployment] => payments/visa-processo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/recommendation-netpol//Egress rule #2 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] 
payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1011,7 +1011,7 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) @@ -1026,14 +1026,14 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #1 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #2 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #2 (protocols not referenced by the rule) 
@@ -1046,7 +1046,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress rule #2 (protocols not referenced by the rule) 
@@ -1056,51 +1056,51 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => backend/checkout[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no 
rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/reports[Deployment] => backend/notification[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] 
backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1114,33 +1114,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #2 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) 
DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #2 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1148,25 +1148,25 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => backend/shipping[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any 
Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1174,21 +1174,21 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => frontend/asset-cache[Deployme DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1201,7 +1201,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1211,40 +1211,40 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => frontend/webapp[Deployment]: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the 
rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1252,25 +1252,25 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => payments/gateway[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not 
selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1278,25 +1278,25 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => payments/mastercard-processor DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] 
payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1304,25 +1304,25 @@ CONNECTIONS BETWEEN backend/reports[Deployment] => payments/visa-processor[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] backend/reports-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] backend/reports-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress 
(captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1330,8 +1330,8 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1339,32 +1339,32 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/catalog[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1372,10 +1372,10 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/recommendation[Deplo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1383,10 +1383,10 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => backend/reports[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1394,22 +1394,22 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => frontend/asset-cache[Deploym DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1418,25 +1418,25 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => frontend/webapp[Deployment]: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] 
frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1444,10 +1444,10 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/gateway[Deployment] No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1455,10 +1455,10 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/mastercard-processo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1466,10 +1466,10 @@ CONNECTIONS BETWEEN backend/shipping[Deployment] => payments/visa-processor[Depl No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Egress (no Egress rules defined) - 2) [NP] backend/shipping-netpol//Egress (no Egress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] backend/shipping-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1477,8 +1477,8 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1486,32 +1486,32 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/catalog[Deployme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1519,10 +1519,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/recommendation[D No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1530,10 +1530,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/reports[Deployme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1541,10 +1541,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => backend/shipping[Deploym No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1552,25 +1552,25 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => frontend/webapp[Deployme DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION 
(DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1578,10 +1578,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/gateway[Deploym No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1589,10 +1589,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/mastercard-proc No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1600,10 +1600,10 @@ CONNECTIONS BETWEEN frontend/asset-cache[Deployment] => payments/visa-processor[ No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/asset-cache-netpol//Egress (no Egress rules defined) - 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/asset-cache-netpol//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1611,7 +1611,7 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) 
@@ -1620,26 +1620,26 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/catalog[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - 
no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/checkout[Deployment]: @@ -1652,14 +1652,14 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #1 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress rule #1 (protocols not referenced by the rule) @@ -1672,7 +1672,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1682,25 +1682,25 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => backend/notification[Deployme DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but 
not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1714,33 +1714,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #3 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by 
the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress rule #3 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1754,33 +1754,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED 
{SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1794,33 +1794,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #4 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED 
{SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #4 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1828,21 +1828,21 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => frontend/asset-cache[Deployme DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1855,7 +1855,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -1865,25 +1865,25 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/gateway[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but 
not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1891,25 +1891,25 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/mastercard-processor DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] 
payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -1917,25 +1917,25 @@ CONNECTIONS BETWEEN frontend/webapp[Deployment] => payments/visa-processor[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Egress rule #5 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (no Egress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Egress rule #5 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] 
payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1943,7 +1943,7 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) 
@@ -1952,77 +1952,77 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/catalog[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule 
- no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/checkout[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] 
backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/notification[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress 
rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2030,25 +2030,25 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/recommendation[Deplo DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress 
(captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2056,25 +2056,25 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/reports[Deployment]: DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected 
by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2082,25 +2082,25 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => backend/shipping[Deployment] DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not 
selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -2108,21 +2108,21 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => frontend/asset-cache[Deploym DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -2135,7 +2135,7 @@ DENIED UDP:[5353] due to the following policies//rules: DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -2145,40 +2145,40 @@ CONNECTIONS BETWEEN payments/gateway[Deployment] => frontend/webapp[Deployment]: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not 
referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #3 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2192,33 +2192,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #1 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress 
rule #1 (protocols not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #1 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2232,33 +2232,33 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #2 (ports not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED UDP:[1-5352,5354-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) DENIED UDP:[5353] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) 1) [NP] payments/gateway-netpol//Egress rule #3 INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols 
not referenced by the rule) DENIED {SCTP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) 2) [NP] payments/gateway-netpol//Egress rule #2 (protocols not referenced by the rule) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -2266,8 +2266,8 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => 0.0.0.0-255.255 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2275,32 +2275,32 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/catalog No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - 
no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2308,10 +2308,10 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/recomme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2319,10 +2319,10 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/reports No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2330,10 +2330,10 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => backend/shippin No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2341,22 +2341,22 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => frontend/asset- DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -2365,25 +2365,25 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => frontend/webapp DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by 
any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -2391,10 +2391,10 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => payments/gatewa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2402,10 +2402,10 @@ CONNECTIONS BETWEEN payments/mastercard-processor[Deployment] => payments/visa-p No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/mastercard-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/mastercard-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/visa-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -2413,8 +2413,8 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => 0.0.0.0-255.255.255.2 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2422,32 +2422,32 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/catalog[Deplo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/catalog-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/checkout[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] backend/checkout-netpol//Ingress (captured but not selected by any Ingress rule) - 2) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 2) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/notification[Deployment]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/notification-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2455,10 +2455,10 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/recommendatio No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/recommendation-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2466,10 +2466,10 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/reports[Deplo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/reports-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2477,10 +2477,10 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => backend/shipping[Depl No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] backend/default-deny-in-namespace-backend//Ingress (no Ingress rules defined) + 1) [NP] backend/default-deny-in-namespace-backend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] backend/shipping-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2488,22 +2488,22 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => frontend/asset-cache[ DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] frontend/asset-cache-netpol//Ingress rule #1 (protocols not referenced by the rule) 
@@ -2512,25 +2512,25 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => frontend/webapp[Deplo DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [NP] frontend/webapp-netpol//Ingress rule #1 DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) 
INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -2538,10 +2538,10 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => payments/gateway[Depl No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/gateway-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2549,10 +2549,10 @@ CONNECTIONS BETWEEN payments/visa-processor[Deployment] => payments/mastercard-p No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Egress (no Egress rules defined) - 2) [NP] payments/visa-processor-netpol//Egress (no Egress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Egress (captured but not selected by any Egress rule - no rules defined) + 2) [NP] payments/visa-processor-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] payments/default-deny-in-namespace-payments//Ingress (no Ingress rules defined) + 1) [NP] payments/default-deny-in-namespace-payments//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] payments/mastercard-processor-netpol//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -2586,12 +2586,12 @@ ALLOWED TCP:[8080] due to the following policies//rules: DENIED TCP:[1-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (ports not referenced by the rule) DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (no Ingress rules defined) + 1) [NP] frontend/default-deny-in-namespace-frontend//Ingress (captured but not selected by any Ingress rule - no rules defined) 2) [NP] frontend/webapp-netpol//Ingress rule #1 (protocols not referenced by the rule) diff --git a/test_outputs/connlist/anp_demo_explain_output.txt b/test_outputs/connlist/anp_demo_explain_output.txt index 079e1e32..03877b84 100644 --- a/test_outputs/connlist/anp_demo_explain_output.txt +++ b/test_outputs/connlist/anp_demo_explain_output.txt @@ -152,7 +152,7 @@ CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => 0.0.0.0-255.255.255. No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- 
@@ -160,7 +160,7 @@ CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => gryffindor/harry-pot No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) 1) [ANP] gress-rules-gryffindor//Ingress rule allow-from-ravenclaw-everything (Allow) @@ -169,7 +169,7 @@ CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => hufflepuff/cedric-di No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -177,7 +177,7 @@ CONNECTIONS BETWEEN ravenclaw/luna-lovegood[StatefulSet] => slytherin/draco-malf No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (no Egress rules defined) + 1) [NP] ravenclaw/allow-some-ingress-from-to-ravenclaw//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/test_outputs/connlist/netpol_named_port_test_explain_output.txt b/test_outputs/connlist/netpol_named_port_test_explain_output.txt index a4fdd6b6..d5edba17 100644 
--- a/test_outputs/connlist/netpol_named_port_test_explain_output.txt +++ b/test_outputs/connlist/netpol_named_port_test_explain_output.txt @@ -19,7 +19,7 @@ CONNECTIONS BETWEEN helloworld/pod-a[Deployment] => 0.0.0.0-255.255.255.255: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] helloworld/enable-ingress-from-named-port//Egress (no Egress rules defined) + 1) [NP] helloworld/enable-ingress-from-named-port//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -27,7 +27,7 @@ CONNECTIONS BETWEEN helloworld/pod-a[Deployment] => helloworld/new-pod[Deploymen No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] helloworld/enable-ingress-from-named-port//Egress (no Egress rules defined) + 1) [NP] helloworld/enable-ingress-from-named-port//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- diff --git a/test_outputs/connlist/onlineboutique_explain_output.txt b/test_outputs/connlist/onlineboutique_explain_output.txt index 2887d4a3..e329bf1e 100644 --- a/test_outputs/connlist/onlineboutique_explain_output.txt +++ b/test_outputs/connlist/onlineboutique_explain_output.txt 
@@ -52,7 +52,7 @@ CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/loadgenerator-555fbdc87d[ No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => default/paymentservice-bbcbdc6b6[ReplicaSet]: @@ -91,7 +91,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => 0.0.0.0-255.255. No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -99,7 +99,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/cartserv No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -108,7 +108,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/checkout No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -117,7 +117,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/currency No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -126,7 +126,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/emailser No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -135,7 +135,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/frontend No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -144,16 +144,16 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/loadgene No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -162,7 +162,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/productc No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -171,7 +171,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/recommen No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -180,7 +180,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/redis-ca No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -188,7 +188,7 @@ CONNECTIONS BETWEEN default/adservice-77d5cd745d[ReplicaSet] => default/shipping No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/adservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/adservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -197,7 +197,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => 0.0.0.0-255.255 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -205,7 +205,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/adservi No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -214,7 +214,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/checkou No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -223,7 +223,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/currenc No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -232,7 +232,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/emailse No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -241,7 +241,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/fronten No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -250,16 +250,16 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/loadgen No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -268,7 +268,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/product No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -277,7 +277,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/recomme No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -286,7 +286,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/redis-c No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -294,7 +294,7 @@ CONNECTIONS BETWEEN default/cartservice-74f56fd4b[ReplicaSet] => default/shippin No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/cartservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/cartservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -394,7 +394,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/checkoutservice-69c8ff664b[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: @@ -481,7 +481,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => 0.0.0.0-25 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -489,7 +489,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/ad No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -498,7 +498,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/ca No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -507,7 +507,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/ch No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -516,7 +516,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/em No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -525,7 +525,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/fr No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -534,16 +534,16 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/lo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -552,7 +552,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/pr No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -561,7 +561,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/re No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -570,7 +570,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/re No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -578,7 +578,7 @@ CONNECTIONS BETWEEN default/currencyservice-77654bbbdd[ReplicaSet] => default/sh No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/currencyservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/currencyservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -587,7 +587,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => 0.0.0.0-255.25 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -595,7 +595,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/adserv No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -604,7 +604,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/cartse No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -613,7 +613,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/checko No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -622,7 +622,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/curren No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -631,7 +631,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/fronte No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -640,16 +640,16 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/loadge No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -658,7 +658,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/produc No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -667,7 +667,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/recomm No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -676,7 +676,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/redis- No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -684,7 +684,7 @@ CONNECTIONS BETWEEN default/emailservice-54c7c5d9d[ReplicaSet] => default/shippi No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/emailservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/emailservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -796,7 +796,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/frontend-99684f7f8[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: @@ -1001,7 +1001,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => 0.0.0.0-255. No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1009,7 +1009,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/adse No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1018,7 +1018,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/cart No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1027,7 +1027,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/chec No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1036,7 +1036,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/curr No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1045,7 +1045,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/emai No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1054,7 +1054,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/fron No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1063,16 +1063,16 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/load No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/productcatalogservice-68765d49b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1081,7 +1081,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/reco No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1090,7 +1090,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/redi No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1098,7 +1098,7 @@ CONNECTIONS BETWEEN default/paymentservice-bbcbdc6b6[ReplicaSet] => default/ship No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/paymentservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/paymentservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1107,7 +1107,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => 0.0. No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1115,7 +1115,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1124,7 +1124,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1133,7 +1133,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1142,7 +1142,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1151,7 +1151,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1160,7 +1160,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1169,16 +1169,16 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1187,7 +1187,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1196,7 +1196,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1204,7 +1204,7 @@ CONNECTIONS BETWEEN default/productcatalogservice-68765d49b6[ReplicaSet] => defa No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/productcatalogservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/productcatalogservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/shippingservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1277,7 +1277,7 @@ No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Egress (captured but not selected by any Egress rule) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/recommendationservice-5f8c456796[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: @@ -1380,7 +1380,7 @@ CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/loadgen No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/redis-cart-78746d49dc[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: 
@@ -1419,7 +1419,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => 0.0.0.0-25 No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- @@ -1427,7 +1427,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/ad No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/adservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1436,7 +1436,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/ca No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/cartservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1445,7 +1445,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/ch No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/checkoutservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1454,7 +1454,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/cu No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/currencyservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1463,7 +1463,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/em No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/emailservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1472,7 +1472,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/fr No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/frontend-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1481,16 +1481,16 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/lo No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) - 1) [NP] default/loadgenerator-netpol//Ingress (no Ingress rules defined) + 1) [NP] default/loadgenerator-netpol//Ingress (captured but not selected by any Ingress rule - no rules defined) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/paymentservice-bbcbdc6b6[ReplicaSet]: No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/paymentservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1499,7 +1499,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/pr No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/productcatalogservice-netpol//Ingress (captured but not selected by any Ingress rule) 
@@ -1508,7 +1508,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/re No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (DENIED) 1) [NP] default/recommendationservice-netpol//Ingress (captured but not selected by any Ingress rule) @@ -1517,7 +1517,7 @@ CONNECTIONS BETWEEN default/shippingservice-5bd985c46d[ReplicaSet] => default/re No Connections due to the following policies//rules: EGRESS DIRECTION (DENIED) - 1) [NP] default/shippingservice-netpol//Egress (no Egress rules defined) + 1) [NP] default/shippingservice-netpol//Egress (captured but not selected by any Egress rule - no rules defined) INGRESS DIRECTION (ALLOWED) due to the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- From 4ab3d96c6fceba6350a5a7c497644940a3036fc6 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 14 Jan 2025 17:02:22 +0200 Subject: [PATCH 17/20] make linter happy; simplified complement pass connections calculation. --- .../eval/internal/k8s/policy_connections.go | 7 +------ .../internal/common/augmented_intervalset.go | 15 ++++++++++----- pkg/netpol/internal/common/portset.go | 3 ++- 3 files changed, 13 insertions(+), 12 deletions(-) diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go index 1d7f7647..fb494cec 100644 --- a/pkg/netpol/eval/internal/k8s/policy_connections.go +++ b/pkg/netpol/eval/internal/k8s/policy_connections.go 
@@ -90,12 +90,7 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti // ComplementPassConns complements pass connections to all connections (by adding the absent conections) func (pc *PolicyConnections) ComplementPassConns() { - defaultPassConn := common.MakeConnectionSet(true) - defaultPassConn.Subtract(pc.AllowedConns) - defaultPassConn.Subtract(pc.DeniedConns) - // 'GetEquivalentCanonicalConnectionSet' below removes implying rules - // (we don't collect implying rules for default pass connections) - pc.PassConns.Union(defaultPassConn.GetEquivalentCanonicalConnectionSet(), false) + pc.PassConns.Union(common.MakeConnectionSet(true), false) } // CollectAllowedConnsFromNetpols updates allowed conns of current PolicyConnections object with allowed connections from diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index ec025ff1..e52f2df9 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go 
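Review bot: `ComplementPassConns` now unions the full connection set into `pc.PassConns` without first subtracting `pc.AllowedConns` and `pc.DeniedConns`, so after the call PassConns overlaps connections the admin policies already allowed or denied. That matches the old behaviour only if every consumer of PassConns gives the ANP allow/deny sets precedence, which this hunk does not show; if one does not, a connection an ANP explicitly denies could be reported as passed on to lower-priority NetworkPolicies or the BANP. The removed `GetEquivalentCanonicalConnectionSet()` call also stripped implying rules from the default pass set, and it is not visible here whether `common.MakeConnectionSet(true)` carries any. I would state the new contract in the doc comment, e.g. `// ComplementPassConns extends PassConns to all connections; AllowedConns and DeniedConns must take precedence wherever they overlap`, and add a test where an ANP denies a port that a NetworkPolicy allows.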
@@ -269,13 +269,15 @@ const ( // // The logic of the update is as follows: // - if 'collectStyle' is AlwaysCollectRules (comes from Intersection of connection sets) --> collect the rules in any case -// (Intersection of connection sets scenario) +// (Intersection of connection sets scenario, mainly for intersecion with pass connections) // - if 'collectStyle' is CollectSameInclusionRules and the inclusion status persists ('sameInclusion' is true) --> collect the rules // (Union of connection sets of multiple NPs scenario) // - otherwise, if the inclusion status changes ('sameInclusion' is false) --> override the rules // - otherwise, if the DominantLayer priortiy of the other rules is higher --> override the rules // - otherwise, keep the current rules. -func (rules ImplyingXgressRulesType) update(other ImplyingXgressRulesType, sameInclusion bool, collectStyle CollectStyleType) ImplyingXgressRulesType { +func (rules ImplyingXgressRulesType) update(other ImplyingXgressRulesType, sameInclusion bool, + collectStyle CollectStyleType) ImplyingXgressRulesType { + result := rules.Copy() if other.Empty() { return result @@ -299,7 +301,8 @@ func (rules ImplyingXgressRulesType) update(other ImplyingXgressRulesType, sameI return result } -func (rules ImplyingRulesType) Update(other ImplyingRulesType, sameInclusion bool, collectStyle CollectStyleType) ImplyingRulesType { +func (rules ImplyingRulesType) Update(other ImplyingRulesType, sameInclusion bool, + collectStyle CollectStyleType) ImplyingRulesType { result := ImplyingRulesType{} result.Ingress = rules.Ingress.update(other.Ingress, sameInclusion, collectStyle) result.Egress = rules.Egress.update(other.Egress, sameInclusion, collectStyle) 
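Review bot: The reworded comment line for `AlwaysCollectRules` misspells "intersection" as `intersecion` and now names the Intersection scenario twice on consecutive lines; `priortiy` a few lines below is misspelled as well. I would fold the two lines into one, `// - if 'collectStyle' is AlwaysCollectRules --> collect the rules in any case (Intersection of connection sets, mainly with pass connections)`. The exported `Update` in the second hunk on this line has no doc comment although the unexported `update` does; a one-line `// Update applies update() to the Ingress and Egress rules separately.` would cover it. Both function bodies continue outside the hunks.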
@@ -308,7 +311,8 @@ func (rules ImplyingRulesType) Update(other ImplyingRulesType, sameInclusion boo // This function returns whether the current rules may be updated by the other rules. // It follows the logic of Update() (see explanation above). -func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, sameInclusion bool, collectStyle CollectStyleType) bool { +func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesType, sameInclusion bool, + collectStyle CollectStyleType) bool { if collectStyle == AlwaysCollectRules || (collectStyle == CollectSameInclusionRules && sameInclusion) { // return true iff Union would change anything for name := range other.Rules { @@ -321,7 +325,8 @@ func (rules *ImplyingXgressRulesType) mayBeUpdatedBy(other ImplyingXgressRulesTy return (!sameInclusion || rules.Empty() && !other.Empty()) || rules.DominantLayer < other.DominantLayer } -func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, sameInclusion bool, collectStyle CollectStyleType) bool { +func (rules ImplyingRulesType) mayBeUpdatedBy(other ImplyingRulesType, sameInclusion bool, + collectStyle CollectStyleType) bool { return rules.Ingress.mayBeUpdatedBy(other.Ingress, sameInclusion, collectStyle) || rules.Egress.mayBeUpdatedBy(other.Egress, sameInclusion, collectStyle) } diff --git a/pkg/netpol/internal/common/portset.go b/pkg/netpol/internal/common/portset.go index 0d6dbcae..04e6a9b2 100644 --- a/pkg/netpol/internal/common/portset.go +++ b/pkg/netpol/internal/common/portset.go 
@@ -100,7 +100,8 @@ func (p *PortSet) AddPort(port intstr.IntOrString, implyingRules ImplyingRulesTy p.NamedPorts[port.StrVal] = p.NamedPorts[port.StrVal].Update(implyingRules, false, NeverCollectRules) delete(p.ExcludedNamedPorts, port.StrVal) } else { - p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), true, implyingRules), NeverCollectRules) + p.Ports.AddAugmentedInterval(NewAugmentedIntervalWithRules(int64(port.IntVal), int64(port.IntVal), + true, implyingRules), NeverCollectRules) } } From 2f52f7b8e5f31300636c0260ce00b0addbd92c85 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 14 Jan 2025 17:26:39 +0200 Subject: [PATCH 18/20] make linter happy --- pkg/netpol/internal/common/augmented_intervalset.go | 1 - 1 file changed, 1 deletion(-) diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go index e52f2df9..e03b82fb 100644 --- a/pkg/netpol/internal/common/augmented_intervalset.go +++ b/pkg/netpol/internal/common/augmented_intervalset.go @@ -277,7 +277,6 @@ const ( // - otherwise, keep the current rules. func (rules ImplyingXgressRulesType) update(other ImplyingXgressRulesType, sameInclusion bool, collectStyle CollectStyleType) ImplyingXgressRulesType { - result := rules.Copy() if other.Empty() { return result From ae744521133e6aa32988600a73422e35ca8a9fe3 Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 14 Jan 2025 17:35:06 +0200 Subject: [PATCH 19/20] changed names of pods in anp_banp_blog_demo test --- .../anp_banp_blog_demo_explain_output.txt | 40 +++++++++---------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt index b89b9f0b..87ca1aac 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_explain_output.txt 
@@ -1,5 +1,5 @@ ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) @@ -7,7 +7,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN bar/my-bar[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN bar/mybar[Pod] => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -15,7 +15,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN baz/my-baz[Pod] => bar/my-bar[Pod]: +CONNECTIONS BETWEEN baz/mybaz[Pod] => bar/mybar[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) 
@@ -23,7 +23,7 @@ No Connections due to the following policies//rules: 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN baz/my-baz[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN baz/mybaz[Pod] => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -31,7 +31,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN foo/my-foo[Pod] => bar/my-bar[Pod]: +CONNECTIONS BETWEEN foo/myfoo[Pod] => bar/mybar[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -39,7 +39,7 @@ No Connections due to the following policies//rules: 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => bar/mybar[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) 
@@ -48,7 +48,7 @@ No Connections due to the following policies//rules: 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => baz/mybaz[Pod]: All Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -56,7 +56,7 @@ All Connections due to the following policies//rules: 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => foo/myfoo[Pod]: All Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) 
@@ -66,15 +66,15 @@ All Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): -0.0.0.0-255.255.255.255 => bar/my-bar[Pod] -0.0.0.0-255.255.255.255 => baz/my-baz[Pod] -0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] -bar/my-bar[Pod] => 0.0.0.0-255.255.255.255 -bar/my-bar[Pod] => baz/my-baz[Pod] -bar/my-bar[Pod] => monitoring/my-monitoring[Pod] -baz/my-baz[Pod] => 0.0.0.0-255.255.255.255 -baz/my-baz[Pod] => monitoring/my-monitoring[Pod] -foo/my-foo[Pod] => 0.0.0.0-255.255.255.255 -foo/my-foo[Pod] => baz/my-baz[Pod] -foo/my-foo[Pod] => monitoring/my-monitoring[Pod] -monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 +0.0.0.0-255.255.255.255 => bar/mybar[Pod] +0.0.0.0-255.255.255.255 => baz/mybaz[Pod] +0.0.0.0-255.255.255.255 => monitoring/mymonitoring[Pod] +bar/mybar[Pod] => 0.0.0.0-255.255.255.255 +bar/mybar[Pod] => baz/mybaz[Pod] +bar/mybar[Pod] => monitoring/mymonitoring[Pod] +baz/mybaz[Pod] => 0.0.0.0-255.255.255.255 +baz/mybaz[Pod] => monitoring/mymonitoring[Pod] +foo/myfoo[Pod] => 0.0.0.0-255.255.255.255 +foo/myfoo[Pod] => baz/mybaz[Pod] +foo/myfoo[Pod] => monitoring/mymonitoring[Pod] +monitoring/mymonitoring[Pod] => 0.0.0.0-255.255.255.255 From 3385cb14cf40acf1a98e31452a184c13e534e58e Mon Sep 17 00:00:00 2001 From: Tanya Veksler Date: Tue, 14 Jan 2025 17:40:28 +0200 Subject: [PATCH 20/20] Changed named of pods in anp_banp_blog_demo_2 (according to the change in anp_banp_blog_demo) --- .../anp_banp_blog_demo_2_explain_output.txt | 40 +++++++++---------- tests/anp_banp_blog_demo_2/workloads.yaml | 16 ++++---- 2 files changed, 28 insertions(+), 28 deletions(-) 
diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt index df3a5b0c..71278b87 100644 --- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt +++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt @@ -1,5 +1,5 @@ ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/my-foo[Pod]: +CONNECTIONS BETWEEN 0.0.0.0-255.255.255.255 => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) @@ -7,7 +7,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN bar/my-bar[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN bar/mybar[Pod] => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -15,7 +15,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN baz/my-baz[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN baz/mybaz[Pod] => foo/myfoo[Pod]: No Connections due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) 
@@ -23,7 +23,7 @@ No Connections due to the following policies//rules: 1) [NP] foo/allow-monitoring//Ingress (captured but not selected by any Ingress rule) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => bar/mybar[Pod]: ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) @@ -46,7 +46,7 @@ DENIED TCP:[8080] due to the following policies//rules: 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => baz/mybaz[Pod]: ALLOWED TCP:[1-1233,1235-65535] the system default (Allow all) @@ -58,7 +58,7 @@ ALLOWED TCP:[1234] due to the following policies//rules: ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- -CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: +CONNECTIONS BETWEEN monitoring/mymonitoring[Pod] => foo/myfoo[Pod]: ALLOWED TCP:[1-1233,1235-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) 
@@ -83,17 +83,17 @@ ALLOWED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- The following nodes are connected due to the system default or the assumed default for IPblock (Allow all): -0.0.0.0-255.255.255.255 => bar/my-bar[Pod] -0.0.0.0-255.255.255.255 => baz/my-baz[Pod] -0.0.0.0-255.255.255.255 => monitoring/my-monitoring[Pod] -bar/my-bar[Pod] => 0.0.0.0-255.255.255.255 -bar/my-bar[Pod] => baz/my-baz[Pod] -bar/my-bar[Pod] => monitoring/my-monitoring[Pod] -baz/my-baz[Pod] => 0.0.0.0-255.255.255.255 -baz/my-baz[Pod] => bar/my-bar[Pod] -baz/my-baz[Pod] => monitoring/my-monitoring[Pod] -foo/my-foo[Pod] => 0.0.0.0-255.255.255.255 -foo/my-foo[Pod] => bar/my-bar[Pod] -foo/my-foo[Pod] => baz/my-baz[Pod] -foo/my-foo[Pod] => monitoring/my-monitoring[Pod] -monitoring/my-monitoring[Pod] => 0.0.0.0-255.255.255.255 +0.0.0.0-255.255.255.255 => bar/mybar[Pod] +0.0.0.0-255.255.255.255 => baz/mybaz[Pod] +0.0.0.0-255.255.255.255 => monitoring/mymonitoring[Pod] +bar/mybar[Pod] => 0.0.0.0-255.255.255.255 +bar/mybar[Pod] => baz/mybaz[Pod] +bar/mybar[Pod] => monitoring/mymonitoring[Pod] +baz/mybaz[Pod] => 0.0.0.0-255.255.255.255 +baz/mybaz[Pod] => bar/mybar[Pod] +baz/mybaz[Pod] => monitoring/mymonitoring[Pod] +foo/myfoo[Pod] => 0.0.0.0-255.255.255.255 +foo/myfoo[Pod] => bar/mybar[Pod] +foo/myfoo[Pod] => baz/mybaz[Pod] +foo/myfoo[Pod] => monitoring/mymonitoring[Pod] +monitoring/mymonitoring[Pod] => 0.0.0.0-255.255.255.255 diff --git a/tests/anp_banp_blog_demo_2/workloads.yaml b/tests/anp_banp_blog_demo_2/workloads.yaml index 00b070ff..51061e87 100644 --- a/tests/anp_banp_blog_demo_2/workloads.yaml +++ b/tests/anp_banp_blog_demo_2/workloads.yaml 
@@ -2,12 +2,12 @@ apiVersion: v1 kind: Pod metadata: namespace: foo - name: my-foo + name: myfoo labels: security: internal spec: containers: - - name: myfirstContainer + - name: myfirstcontainer image: fooimage --- @@ -16,12 +16,12 @@ apiVersion: v1 kind: Pod metadata: namespace: bar - name: my-bar + name: mybar labels: security: internal spec: containers: - - name: myfirstContainer + - name: myfirstcontainer image: barimage --- @@ -30,12 +30,12 @@ apiVersion: v1 kind: Pod metadata: namespace: baz - name: my-baz + name: mybaz labels: security: none spec: containers: - - name: myfirstContainer + - name: myfirstcontainer image: bazimage --- @@ -44,12 +44,12 @@ apiVersion: v1 kind: Pod metadata: namespace: monitoring - name: my-monitoring + name: mymonitoring labels: security: monitoring spec: containers: - - name: myfirstContainer + - name: myfirstcontainer image: monitoringimage ---