
[Policy Assistant] warn about same-priority ANPs with overlapping rules #222

Open
huntergregory opened this issue Apr 23, 2024 · 1 comment


huntergregory commented Apr 23, 2024

Parent issue: #150

This issue is derived from discussions in #216.

Proposal

Policy Assistant should be able to let admins know if any of their AdminNetworkPolicies have undefined/implementation-specific behavior (exact terminology TBD in #216).

Example

Command like:

policy-assistant analyze --mode=overlap --all-namespaces --all-pods

with output like:

INFO: detected AdminNetworkPolicies with the same priority. checking for overlapping rules
INFO: no overlapping rules found
WARN: analyzed only on the cluster's current set of Pods/labels (relabeling Pods might change this result)

or

INFO: detected AdminNetworkPolicies with the same priority. checking for overlapping rules
WARN: detected implementation-specific behavior for these AdminNetworkPolicies due to overlapping rules. policies: [anp-1 (allow-some-rule), anp-2 (deny-all-rule)]. pods: [kube-system/deployment/core-dns, test-namespace/daemonset/backend]
WARN: detected implementation-specific behavior for these AdminNetworkPolicies ...
...
WARN: analyzed only on the cluster's current set of Pods/labels (relabeling Pods might change this result)
@huntergregory

Could use help in implementing this. The feature requires the following:

  1. First, we must start allowing ANPs with the same priority. Right here, we should instead log that there "may be overlapping rules" and suggest the --mode=overlap command:

        panic(errors.Errorf("duplicate priorities are undefined. priority: %d", p.Spec.Priority))

  2. Write a function keeping track of all rules that share the same priority for the given traffic, similar to Resolve():

        func (d DirectionResult) Resolve() (*Effect, *Effect, *Effect) {
            if d == nil {
                return nil, nil, nil
            }
            // 1. ANP rules
            var anpEffect *Effect
            for _, e := range d {
                if e.PolicyKind != AdminNetworkPolicy {
                    continue
                }
                if anpEffect == nil {
                    anpEffect = &Effect{
                        PolicyKind: AdminNetworkPolicy,
                        Verdict:    None,
                        Priority:   maxInt,
                    }
                }
                if e.Verdict != None && e.Priority < anpEffect.Priority {
                    eCopy := e
                    anpEffect = &eCopy
                }
            }
            // ...

  3. Create a --mode=overlap option, similar to --mode=explain:

        case ExplainMode:
            fmt.Println("explained policies:")
            ExplainPolicies(policies)

We can start with implementing this for a single "traffic". See this struct:

May need to hard-code Traffic and AdminNetworkPolicies for now (some examples at example.go)
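A sketch of step 2 above, added here as an example and not code from the Policy Assistant project: given the Effects that match one traffic, it groups ANP rules by priority and returns the priorities at which distinct ANPs disagree on the verdict, which is what --mode=overlap would warn about. The Effect fields, the string verdicts and FindOverlaps are assumed names; treating overlap with agreeing verdicts as harmless is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Effect is a simplified stand-in for Policy Assistant's Effect (hypothetical fields).
type Effect struct {
	Policy   string // ANP name
	Rule     string // name of the rule that matched the traffic
	Priority int    // the ANP's spec.priority
	Verdict  string // Allow, Deny or Pass
}

// FindOverlaps groups the rules matching one traffic by priority and returns, keyed by
// priority, each level at which more than one ANP matches with differing verdicts, the case
// the spec leaves implementation-specific. Overlap with agreeing verdicts is not reported
// (assumption: whichever ANP wins, the traffic verdict is the same).
func FindOverlaps(effects []Effect) map[int][]Effect {
	byPrio := map[int][]Effect{}
	for _, e := range effects {
		byPrio[e.Priority] = append(byPrio[e.Priority], e)
	}
	out := map[int][]Effect{}
	for prio, rules := range byPrio {
		policies, verdicts := map[string]bool{}, map[string]bool{}
		for _, r := range rules {
			policies[r.Policy], verdicts[r.Verdict] = true, true
		}
		if len(policies) > 1 && len(verdicts) > 1 {
			sort.Slice(rules, func(i, j int) bool { return rules[i].Policy < rules[j].Policy })
			out[prio] = rules
		}
	}
	return out
}

func main() {
	// constructed sample: anp-1 and anp-2 share priority 10 and disagree; anp-3 is alone at 20
	effects := []Effect{
		{Policy: "anp-1", Rule: "allow-some-rule", Priority: 10, Verdict: "Allow"},
		{Policy: "anp-2", Rule: "deny-all-rule", Priority: 10, Verdict: "Deny"},
		{Policy: "anp-3", Rule: "deny-other-rule", Priority: 20, Verdict: "Deny"},
	}
	for prio, rules := range FindOverlaps(effects) {
		fmt.Printf("WARN: implementation-specific behavior at priority %d: %v\n", prio, rules)
	}
}
```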
