
[Policy Assistant] warn about same-priority ANPs with overlapping rules #222

Open
huntergregory opened this issue Apr 23, 2024 · 5 comments

Comments

huntergregory (Contributor) commented Apr 23, 2024

Parent issue: #150

This issue is derived from discussions in #216.

Proposal

Policy Assistant should be able to let admins know if any of their AdminNetworkPolicies have undefined/implementation-specific behavior (exact terminology TBD in #216).

Example

Command like:

policy-assistant analyze --mode=overlap --all-namespaces --all-pods

with output like:

INFO: detected AdminNetworkPolicies with the same priority. checking for overlapping rules
INFO: no overlapping rules found
WARN: analyzed only on the cluster's current set of Pods/labels (relabeling Pods might change this result)

or

INFO: detected AdminNetworkPolicies with the same priority. checking for overlapping rules
WARN: detected implementation-specific behavior for these AdminNetworkPolicies due to overlapping rules. policies: [anp-1 (allow-some-rule), anp-2 (deny-all-rule)]. pods: [kube-system/deployment/core-dns, test-namespace/daemonset/backend]
WARN: detected implementation-specific behavior for these AdminNetworkPolicies ...
...
WARN: analyzed only on the cluster's current set of Pods/labels (relabeling Pods might change this result)
huntergregory (Contributor, Author) commented:

Could use help in implementing this. The feature requires the following:

  1. First, we must start allowing ANPs with the same priority. Right here, we should instead log that there "may be overlapping rules" and suggest the --mode=overlap command:

        panic(errors.Errorf("duplicate priorities are undefined. priority: %d", p.Spec.Priority))

  2. Write a function keeping track of all rules that share the same priority for the given traffic, similar to Resolve():

        func (d DirectionResult) Resolve() (*Effect, *Effect, *Effect) {
            if d == nil {
                return nil, nil, nil
            }
            // 1. ANP rules
            var anpEffect *Effect
            for _, e := range d {
                if e.PolicyKind != AdminNetworkPolicy {
                    continue
                }
                if anpEffect == nil {
                    anpEffect = &Effect{
                        PolicyKind: AdminNetworkPolicy,
                        Verdict:    None,
                        Priority:   maxInt,
                    }
                }
                if e.Verdict != None && e.Priority < anpEffect.Priority {
                    eCopy := e
                    anpEffect = &eCopy
                }
            }
            // ... (the rest of Resolve is not quoted in the issue)

  3. Create a --mode=overlap option similar to --mode=explain:

        case ExplainMode:
            fmt.Println("explained policies:")
            ExplainPolicies(policies)

We can start with implementing this for a single "traffic". See this struct:

May need to hard-code Traffic and AdminNetworkPolicies for now (some examples at example.go)
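A constructed Go sketch of step 2 above, added here and not policy-assistant's own code: it flattens ANP ingress rules into a simplified Rule type whose selectors are plain label maps, walks every src -> dst pair of the given pods, and reports same-priority rules from different ANPs that both match the pair but disagree on the verdict, in the shape of the WARN lines in the proposal. Pod, Rule, matches and FindOverlaps are assumed names, not the project's types, and the "traffic" is hard-coded as the proposal suggests.

```go
package main
import "fmt"

// Pod is a constructed stand-in for a cluster Pod: namespace/name plus labels.
type Pod struct {
	Name   string
	Labels map[string]string
}
// Rule is one ingress rule of an ANP, flattened with the policy's name and priority.
// Subject selects the destination pod, Peer the source; every listed label must match.
type Rule struct {
	Policy, Name  string
	Priority      int
	Verdict       string // "Allow", "Deny" or "Pass"
	Subject, Peer map[string]string
}

func matches(sel, labels map[string]string) bool {
	for k, v := range sel {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// FindOverlaps reports rules from different ANPs that share a priority, both match a
// src -> dst pair and disagree. As the proposal warns, it only holds for current labels.
func FindOverlaps(rules []Rule, pods []Pod) []string {
	var warns []string
	for _, src := range pods {
		for _, dst := range pods {
			var hit []Rule // rules already found to match this src -> dst pair
			for _, r := range rules {
				if !matches(r.Subject, dst.Labels) || !matches(r.Peer, src.Labels) {
					continue
				}
				for _, h := range hit {
					if h.Policy != r.Policy && h.Priority == r.Priority && h.Verdict != r.Verdict {
						warns = append(warns, fmt.Sprintf("priority %d: %s (%s) vs %s (%s) for %s -> %s",
							h.Priority, h.Policy, h.Name, r.Policy, r.Name, src.Name, dst.Name))
					}
				}
				hit = append(hit, r)
			}
		}
	}
	return warns
}
```

Same-priority rules that agree (both Deny, say) are not reported, since their order does not change the outcome; a lower-priority rule that also matches is ignored because the higher priority wins regardless.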

k8s-triage-robot commented:

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 22, 2024
huntergregory (Contributor, Author) commented:

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 23, 2024
k8s-triage-robot commented:

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 21, 2024
huntergregory (Contributor, Author) commented:

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 28, 2024