generated from kubernetes/kubernetes-template-project
-
Notifications
You must be signed in to change notification settings - Fork 34
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #157 from huntergregory/bump-cyc-to-v0.5.5
chore: bump Cyclonus to v0.5.5
- Loading branch information
Showing
41 changed files
with
1,095 additions
and
1,035 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,212 @@ | ||
| # cyclonus analyze | ||
|
|
||
| The `analyze` command provides a suite of tools for understanding and poking network policies, | ||
| without the need for a working kubernetes cluster or CNI. | ||
|
|
||
| It provides several modes which can be activated by a `--mode $MODE` flag. Multiple `--mode` | ||
| flags may be provided in a single invocation. | ||
|
|
||
| ## Supported flags | ||
|
|
||
| ```bash | ||
| cyclonus analyze -h | ||
| analyze network policies | ||
|
|
||
| Usage: | ||
| cyclonus analyze [flags] | ||
|
|
||
| Flags: | ||
| -A, --all-namespaces reads kube resources from all namespaces; same as kubectl's '--all-namespaces'/'-A' flag | ||
| --context string selects kube context to read policies from; only reads from kube if one or more namespaces or all namespaces are specified | ||
| -h, --help help for analyze | ||
| --mode strings analysis modes to run; allowed values are parse,explain,lint,query-traffic,query-target,probe (default [explain]) | ||
| -n, --namespace strings namespaces to read kube resources from; similar to kubectl's '--namespace'/'-n' flag, except that multiple namespaces may be passed in and is empty if not set explicitly (instead of 'default' as in kubectl) | ||
| --policy-path string may be a file or a directory; if set, will attempt to read policies from the path | ||
| --probe-path string path to json model file for synthetic probe | ||
| --simplify-policies if true, reduce policies to simpler form while preserving semantics (default true) | ||
| --target-pod-path string path to json target pod file -- json array of dicts | ||
| --traffic-path string path to json traffic file, containing of a list of traffic objects | ||
| --use-example-policies if true, reads example policies | ||
|
|
||
| Global Flags: | ||
| -v, --verbosity string log level; one of [info, debug, trace, warn, error, fatal, panic] (default "info") | ||
| ``` | ||
| ## Mode examples | ||
| ### `--mode explain`: explains network policies | ||
| Groups policies by target, divides rules into egress and ingress, and gives a basic explanation of the combined | ||
| policies. This clarifies the interactions between "denies" and "allows" from multiple policies. | ||
| ``` | ||
| cyclonus analyze \ | ||
| --mode explain \ | ||
| --policy-path ./networkpolicies/simple-example/ | ||
|
|
||
| +---------+---------------+------------------------+---------------------+--------------------------+ | ||
| | TYPE | TARGET | SOURCE RULES | PEER | PORT/PROTOCOL | | ||
| +---------+---------------+------------------------+---------------------+--------------------------+ | ||
| | Ingress | namespace: y | y/allow-label-to-label | no ips | no ports, no protocols | | ||
| | | Match labels: | y/deny-all-for-label | | | | ||
| | | pod: a | | | | | ||
| + + + +---------------------+--------------------------+ | ||
| | | | | namespace: y | all ports, all protocols | | ||
| | | | | pods: Match labels: | | | ||
| | | | | pod: c | | | ||
| + +---------------+------------------------+---------------------+ + | ||
| | | namespace: y | y/allow-all-for-label | all pods, all ips | | | ||
| | | Match labels: | | | | | ||
| | | pod: b | | | | | ||
| + +---------------+------------------------+---------------------+--------------------------+ | ||
| | | namespace: y | y/allow-by-ip | ports for all IPs | no ports, no protocols | | ||
| | | Match labels: | | | | | ||
| | | pod: c | | | | | ||
| + + + +---------------------+--------------------------+ | ||
| | | | | 0.0.0.0/24 | all ports, all protocols | | ||
| | | | | except [] | | | ||
| | | | | | | | ||
| + + + +---------------------+--------------------------+ | ||
| | | | | no pods | no ports, no protocols | | ||
| | | | | | | | ||
| | | | | | | | ||
| + +---------------+------------------------+---------------------+ + | ||
| | | namespace: y | y/deny-all | no pods, no ips | | | ||
| | | all pods | | | | | ||
| +---------+---------------+------------------------+---------------------+--------------------------+ | ||
| ``` | ||
| ### `--mode query-target`: which policy rules apply to a pod? | ||
| This takes the previous command a step further: it combines the rules from all the targets that apply | ||
| to a pod. | ||
| ``` | ||
| cyclonus analyze \ | ||
| --mode query-target \ | ||
| --policy-path ./networkpolicies/simple-example/ \ | ||
| --target-pod-path ./examples/targets.json | ||
|
|
||
| pod in ns y with labels map[pod:a]: | ||
| +---------+---------------+-----------------------------+---------------------+--------------------------+ | ||
| | TYPE | TARGET | SOURCE RULES | PEER | PORT/PROTOCOL | | ||
| +---------+---------------+-----------------------------+---------------------+--------------------------+ | ||
| | Ingress | namespace: y | y/allow-label-to-label | no ips | no ports, no protocols | | ||
| | | Match labels: | y/deny-all-for-label | | | | ||
| | | pod: a | y/deny-all | | | | ||
| + + + +---------------------+--------------------------+ | ||
| | | | | namespace: y | all ports, all protocols | | ||
| | | | | pods: Match labels: | | | ||
| | | | | pod: c | | | ||
| +---------+---------------+-----------------------------+---------------------+--------------------------+ | ||
| | | | | | | | ||
| +---------+---------------+-----------------------------+---------------------+--------------------------+ | ||
| | Egress | namespace: y | y/deny-all-egress | all pods, all ips | all ports, all protocols | | ||
| | | Match labels: | y/allow-all-egress-by-label | | | | ||
| | | pod: a | | | | | ||
| +---------+---------------+-----------------------------+---------------------+--------------------------+ | ||
| ``` | ||
| ### `--mode query-traffic`: will policies allow or block traffic? | ||
| Given arbitrary traffic examples (from a source to a destination, including labels, over a port and protocol), | ||
| this command parses network policies and determines if the traffic is allowed or not. | ||
| ``` | ||
| cyclonus analyze \ | ||
| --mode query-traffic \ | ||
| --policy-path ./networkpolicies/simple-example/ \ | ||
| --traffic-path ./examples/traffic.json | ||
| Traffic: | ||
| +--------------------------+-------------+---------------+-----------+-----------+------------+ | ||
| | PORT/PROTOCOL | SOURCE/DEST | POD IP | NAMESPACE | NS LABELS | POD LABELS | | ||
| +--------------------------+-------------+---------------+-----------+-----------+------------+ | ||
| | 80 (serve-80-tcp) on TCP | source | 192.168.1.99 | y | ns: y | app: c | | ||
| + +-------------+---------------+ + +------------+ | ||
| | | destination | 192.168.1.100 | | | pod: b | | ||
| +--------------------------+-------------+---------------+-----------+-----------+------------+ | ||
| Is traffic allowed? | ||
| +-------------+--------+---------------+ | ||
| | TYPE | ACTION | TARGET | | ||
| +-------------+--------+---------------+ | ||
| | Ingress | Allow | namespace: y | | ||
| | | | Match labels: | | ||
| | | | pod: b | | ||
| + +--------+---------------+ | ||
| | | Deny | namespace: y | | ||
| | | | all pods | | ||
| +-------------+--------+---------------+ | ||
| | | | | | ||
| +-------------+--------+---------------+ | ||
| | Egress | Deny | namespace: y | | ||
| | | | all pods | | ||
| +-------------+--------+---------------+ | ||
| | IS ALLOWED? | FALSE | | ||
| +-------------+--------+---------------+ | ||
| ``` | ||
| ### `--mode probe`: simulates a connectivity probe | ||
| Runs a simulated connectivity probe against a set of network policies, without using a kubernetes cluster. | ||
| ``` | ||
| cyclonus analyze \ | ||
| --mode probe \ | ||
| --policy-path ./networkpolicies/simple-example/ \ | ||
| --probe-path ./examples/probe.json | ||
| Combined: | ||
| +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+ | ||
| | | X/A | X/B | X/C | Y/A | Y/B | Y/C | Z/A | Z/B | Z/C | | ||
| +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+ | ||
| | x/a | . | . | . | X | . | X | . | . | . | | ||
| | x/b | . | . | . | X | . | X | . | . | . | | ||
| | x/c | . | . | . | X | . | X | . | . | . | | ||
| | y/a | . | . | . | X | . | X | . | . | . | | ||
| | y/b | . | . | . | X | . | X | . | . | . | | ||
| | y/c | X | X | X | X | X | X | X | X | X | | ||
| | z/a | . | . | . | X | . | X | . | . | . | | ||
| | z/b | . | . | . | X | . | X | . | . | . | | ||
| | z/c | . | . | . | X | . | X | . | . | . | | ||
| +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+ | ||
| ``` | ||
| ### `--mode lint`: lints network policies | ||
| Checks network policies for common problems. | ||
| ``` | ||
| cyclonus analyze \ | ||
| --mode lint \ | ||
| --policy-path ./networkpolicies/simple-example | ||
| +-----------------+------------------------------+-------------------+-----------------------------+ | ||
| | SOURCE/RESOLVED | TYPE | TARGET | SOURCE POLICIES | | ||
| +-----------------+------------------------------+-------------------+-----------------------------+ | ||
| | Resolved | CheckTargetAllEgressAllowed | namespace: y | y/allow-all-egress-by-label | | ||
| | | | | | | ||
| | | | pod selector: | | | ||
| | | | matchExpressions: | | | ||
| | | | - key: pod | | | ||
| | | | operator: In | | | ||
| | | | values: | | | ||
| | | | - a | | | ||
| | | | - b | | | ||
| | | | | | | ||
| +-----------------+------------------------------+-------------------+-----------------------------+ | ||
| | Resolved | CheckDNSBlockedOnTCP | namespace: y | y/deny-all-egress | | ||
| | | | | | | ||
| | | | pod selector: | | | ||
| | | | {} | | | ||
| | | | | | | ||
| +-----------------+------------------------------+-------------------+-----------------------------+ | ||
| | Resolved | CheckDNSBlockedOnUDP | namespace: y | y/deny-all-egress | | ||
| | | | | | | ||
| | | | pod selector: | | | ||
| | | | {} | | | ||
| | | | | | | ||
| +-----------------+------------------------------+-------------------+-----------------------------+ | ||
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,69 @@ | ||
| # cyclonus generate | ||
|
|
||
| For CNI conformance testing. | ||
|
|
||
| Generate network policy test scenarios, install the scenarios one at a time in kubernetes, | ||
| and compare actual measured connectivity to expected connectivity using a truth table. | ||
|
|
||
| ## Supported flags | ||
|
|
||
| ```bash | ||
| generate network policies, create and probe against kubernetes, and compare to expected results | ||
|
|
||
| Usage: | ||
| cyclonus generate [flags] | ||
|
|
||
| Flags: | ||
| --allow-dns if using egress, allow tcp and udp over port 53 for DNS resolution (default true) | ||
| --cleanup-namespaces if true, clean up namespaces after completion | ||
| --context string kubernetes context to use; if empty, uses default context | ||
| --destination-type string override to set what to direct requests at; if not specified, the tests will be left as-is; one of service-name, service-ip, pod-ip | ||
| --dry-run if true, don't actually do anything: just print out what would be done | ||
| --exclude strings exclude tests with any of these tags. See 'include' field for valid tags (default [multi-peer,upstream-e2e,example,end-port]) | ||
| -h, --help help for generate | ||
| --ignore-loopback if true, ignore loopback for truthtable correctness verification | ||
| --include strings include tests with any of these tags; if empty, all tests will be included. | ||
| --job-timeout-seconds int number of seconds to pass on to 'agnhost connect --timeout=%ds' flag (default 10) | ||
| --junit-results-file string output junit results to the specified file | ||
| --mock if true, use a mock kube runner (i.e. don't actually run tests against kubernetes; instead, product fake results | ||
| --namespace strings namespaces to create/use pods in (default [x,y,z]) | ||
| --noisy if true, print all results | ||
| --perturbation-wait-seconds int number of seconds to wait after perturbing the cluster (i.e. create a network policy, modify a ns/pod label) before running probes, to give the CNI time to update the cluster state (default 5) | ||
| --pod strings pods to create in namespaces (default [a,b,c]) | ||
| --pod-creation-timeout-seconds int number of seconds to wait for pods to create, be running and have IP addresses (default 60) | ||
| --retries int number of kube probe retries to allow, if probe fails (default 1) | ||
| --server-port ints ports to run server on (default [80,81]) | ||
| --server-protocol strings protocols to run server on (default [TCP,UDP,SCTP]) | ||
|
|
||
| Global Flags: | ||
| -v, --verbosity string log level; one of [info, debug, trace, warn, error, fatal, panic] (default "info") | ||
| ``` | ||
| ## Example | ||
| ``` | ||
| cyclonus generate \ | ||
| --mode simple-fragments \ | ||
| --include conflict,peer-ipblock \ | ||
| --ignore-loopback \ | ||
| --perturbation-wait-seconds 15 | ||
|
|
||
| ... | ||
| Tag results: | ||
| ``` | ||
| | Tag | Result | | ||
| | --- | --- | | ||
| | direction | 10 / 20 = 50% ❌ | | ||
| | - egress | 5 / 11 = 45% ❌ | | ||
| | - ingress | 5 / 11 = 45% ❌ | | ||
| | miscellaneous | 10 / 16 = 62% ❌ | | ||
| | - conflict | 10 / 16 = 62% ❌ | | ||
| | peer-ipblock | 0 / 4 = 0% ❌ | | ||
| | - IP-block-no-except | 0 / 2 = 0% ❌ | | ||
| | - IP-block-with-except | 0 / 2 = 0% ❌ | | ||
| | peer-pods | 4 / 4 = 100% ✅ | | ||
| | - all-namespaces | 4 / 4 = 100% ✅ | | ||
| | - all-pods | 4 / 4 = 100% ✅ | | ||
| | rule | 6 / 8 = 75% ❌ | | ||
| | - allow-all | 2 / 4 = 50% ❌ | | ||
| | - deny-all | 6 / 8 = 75% ❌ | |
Oops, something went wrong.