There is a policy engine that calculates whether traffic is allowed/denied for a given set of:
protocol
destination port
source Pod info
destination Pod info
Can we brute force calculate all possible connections between each Deployment/DaemonSet in a cluster? There are only 65,000 ports, so this may be feasible?
huntergregory changed the title from "[Policy Assistant] without specifying ports/protocols, determine all allowed L4 traffic between two Pods" to "[Policy Assistant] calculate all allowed connections in a cluster" on Apr 19, 2024
This issue is more about the data structure and code for calculating it. A follow-up goal will be to display the data structure in a useful/pretty way.
Parent issue: #150
Goal
For all the Deployments and DaemonSets in a cluster, calculate the set of allowed connections given a set of policies.
Current Functionality
Check whether traffic is allowed/denied for the specified source, destination, and port/protocol.
Proposed New Feature
Produce JSON of all allowed connections and the effective policy rules causing this.
Here is one idea for the format (let me put this in a PR):
Implementation
There is a policy engine that calculates whether traffic is allowed/denied for a given set of:
protocol
destination port
source Pod info
destination Pod info
Can we brute force calculate all possible connections between each Deployment/DaemonSet in a cluster? There are only 65,000 ports, so this may be feasible?
Code
It's determined whether traffic is allowed here:
network-policy-api/cmd/policy-assistant/pkg/matcher/policy.go, line 269 (commit 669dfbc)
network-policy-api/cmd/policy-assistant/pkg/matcher/policy.go, line 311 (commit 669dfbc)
Based on the port/protocol logic from the PeerMatcher interface:
network-policy-api/cmd/policy-assistant/pkg/matcher/peermatcher.go, line 29 (commit 669dfbc)
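The brute-force approach asked about above, worked through as an added example: this is not code from the policy-assistant repository or from the issue author. It stands in a deliberately simplified, hypothetical policy model (allow-list rules with label selectors, default deny at the destination, no ingress/egress split, no named ports) for the real matcher, and enumerates every workload pair x protocol x port 1..65535, compressing runs of allowed ports into ranges so the result is the kind of "all allowed connections" data structure the issue wants. The workloads and rules are constructed sample input; all type and function names are assumptions.

```go
package main

import "fmt"

// Protocol and the simplified policy model below are assumptions for this
// example; they are not the policy-assistant matcher's real types.
type Protocol string

const (
	TCP  Protocol = "TCP"
	UDP  Protocol = "UDP"
	SCTP Protocol = "SCTP"
)

var allProtocols = []Protocol{TCP, UDP, SCTP}

// Workload stands in for a Deployment/DaemonSet; Labels drive selection.
type Workload struct {
	Name   string
	Labels map[string]string
}

// Rule allows traffic from workloads matching From to workloads matching To
// for one protocol and an inclusive port range. A nil selector matches all.
type Rule struct {
	From, To map[string]string
	Proto    Protocol
	Lo, Hi   int
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// allowed is the single-connection check (source, destination, port/protocol)
// that the issue describes as the current functionality. Hypothetical
// semantics: destination is isolated (default deny) and any matching rule allows.
func allowed(rules []Rule, src, dst Workload, proto Protocol, port int) bool {
	for _, r := range rules {
		if r.Proto == proto && port >= r.Lo && port <= r.Hi &&
			matches(r.From, src.Labels) && matches(r.To, dst.Labels) {
			return true
		}
	}
	return false
}

type PortRange struct{ Lo, Hi int }

// Connection is one entry of the "all allowed connections" result.
type Connection struct {
	Src, Dst string
	Proto    Protocol
	Ports    []PortRange
}

// allConnections brute-forces every pair x protocol x port 1..65535 and
// compresses consecutive allowed ports into ranges. For n workloads this is
// n*n*3*65535 calls to allowed; for a handful of workloads that is a few
// million cheap checks, which is what makes the brute-force idea feasible.
func allConnections(rules []Rule, workloads []Workload) []Connection {
	var out []Connection
	for _, src := range workloads {
		for _, dst := range workloads {
			for _, proto := range allProtocols {
				var ranges []PortRange
				start := -1 // start of the current run of allowed ports, or -1
				for port := 1; port <= 65535; port++ {
					ok := allowed(rules, src, dst, proto, port)
					if ok && start < 0 {
						start = port
					} else if !ok && start >= 0 {
						ranges = append(ranges, PortRange{start, port - 1})
						start = -1
					}
				}
				if start >= 0 { // flush a run that reaches port 65535
					ranges = append(ranges, PortRange{start, 65535})
				}
				if len(ranges) > 0 {
					out = append(out, Connection{src.Name, dst.Name, proto, ranges})
				}
			}
		}
	}
	return out
}

// Constructed sample cluster: a web tier, an api tier, and cluster DNS.
var sampleWorkloads = []Workload{
	{"web", map[string]string{"app": "web"}},
	{"api", map[string]string{"app": "api"}},
	{"dns", map[string]string{"k8s-app": "kube-dns"}},
}

// Constructed sample rules: web may reach api on TCP 8080-8081 and 9090;
// everything may reach DNS on UDP 53.
var sampleRules = []Rule{
	{From: map[string]string{"app": "web"}, To: map[string]string{"app": "api"}, Proto: TCP, Lo: 8080, Hi: 8081},
	{From: map[string]string{"app": "web"}, To: map[string]string{"app": "api"}, Proto: TCP, Lo: 9090, Hi: 9090},
	{From: nil, To: map[string]string{"k8s-app": "kube-dns"}, Proto: UDP, Lo: 53, Hi: 53},
}

func main() {
	for _, c := range allConnections(sampleRules, sampleWorkloads) {
		fmt.Printf("%s -> %s %s %v\n", c.Src, c.Dst, c.Proto, c.Ports)
	}
}
```

Because the verdict for a given pair and protocol can only change at a rule's Lo or Hi+1, the inner port loop could be replaced by evaluating allowed once per interval between those boundaries; the full 65,535-port sweep is kept here because it is the approach the issue proposes and it stays fast enough at cluster scale for the check to remain simple. Real NetworkPolicy semantics (ingress and egress evaluated on both ends, isolation, named ports, IP blocks) live in the project's matcher and are not reproduced by the stand-in rule model.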