From 0b8979e1b36dafa07aab36ce09740edb8719b39e Mon Sep 17 00:00:00 2001 From: Daichi Sakaue Date: Fri, 18 Oct 2024 18:14:34 +0900 Subject: [PATCH] Implement inspect and summary commands Signed-off-by: Daichi Sakaue --- cmd/npv/app/dump.go | 2 +- cmd/npv/app/helper.go | 122 ++++++++++++++++-- cmd/npv/app/inspect.go | 226 ++++++++++++++++++++++++++++++++++ cmd/npv/app/list.go | 29 +++-- cmd/npv/app/summary.go | 117 ++++++++++++++++++ e2e/Makefile | 14 ++- e2e/inspect_test.go | 102 +++++++++++++++ e2e/list_test.go | 95 +++++++------- e2e/suite_test.go | 2 + e2e/summary_test.go | 31 +++++ e2e/testdata/policy/README.md | 10 +- e2e/testdata/policy/l3.yaml | 16 +-- e2e/testdata/ubuntu.yaml | 1 + go.mod | 2 +- 14 files changed, 684 insertions(+), 85 deletions(-) create mode 100644 cmd/npv/app/inspect.go create mode 100644 cmd/npv/app/summary.go create mode 100644 e2e/inspect_test.go create mode 100644 e2e/summary_test.go diff --git a/cmd/npv/app/dump.go b/cmd/npv/app/dump.go index bb93769..8d310ab 100644 --- a/cmd/npv/app/dump.go +++ b/cmd/npv/app/dump.go @@ -27,7 +27,7 @@ var dumpCmd = &cobra.Command{ } func runDump(ctx context.Context, w io.Writer, name string) error { - clientset, dynamicClient, _, err := createClients(ctx, name) + clientset, dynamicClient, err := createK8sClients() if err != nil { return err } diff --git a/cmd/npv/app/helper.go b/cmd/npv/app/helper.go index 9f39101..0d0c637 100644 --- a/cmd/npv/app/helper.go +++ b/cmd/npv/app/helper.go @@ -4,8 +4,12 @@ import ( "context" "errors" "fmt" + "math/rand" + "strconv" + "strings" "github.com/cilium/cilium/pkg/client" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" "k8s.io/apimachinery/pkg/runtime/schema" @@ -14,34 +18,56 @@ import ( "k8s.io/client-go/rest" ) -func createClients(ctx context.Context, name string) (*kubernetes.Clientset, *dynamic.DynamicClient, *client.Client, error) { +const ( + directionEgress = "Egress" + directionIngress = "Ingress" + + policyAllow = "Allow" + policyDeny = "Deny" +) + +var cachedCiliumClients map[string]*client.Client + +func init() { + cachedCiliumClients = make(map[string]*client.Client) +} + +func createK8sClients() (*kubernetes.Clientset, *dynamic.DynamicClient, error) { config, err := rest.InClusterConfig() if err != nil { - return nil, nil, nil, err + return nil, nil, err } - // Create Kubernetes Clients clientset, err := kubernetes.NewForConfig(config) if err != nil { - return nil, nil, nil, err + return nil, nil, err } dynamicClient, err := dynamic.NewForConfig(config) if err != nil { - return nil, nil, nil, err + return nil, nil, err } - // Create Cilium Client + return clientset, dynamicClient, nil +} + +func createCiliumClient(ctx context.Context, clientset *kubernetes.Clientset, name string) (*client.Client, error) { endpoint, err := getProxyEndpoint(ctx, clientset, rootOptions.namespace, name) if err != nil { - return nil, nil, nil, err + return nil, err + } + + if cached, ok := cachedCiliumClients[endpoint]; ok { + return cached, nil } + ciliumClient, err := client.NewClient(endpoint) if err != nil { - return nil, nil, nil, err + return nil, err } + cachedCiliumClients[endpoint] = ciliumClient - return clientset, dynamicClient, ciliumClient, err + return ciliumClient, err } func getProxyEndpoint(ctx context.Context, c *kubernetes.Clientset, namespace, name string) (string, error) { @@ -89,3 +115,81 @@ func getPodEndpointID(ctx context.Context, d *dynamic.DynamicClient, namespace, return endpointID, nil } + +func getIdentityMap(ctx context.Context, d *dynamic.DynamicClient) (map[int]*unstructured.Unstructured, error) { + gvr := schema.GroupVersionResource{ + Group: "cilium.io", + Version: "v2", + Resource: "ciliumidentities", + } + li, err := d.Resource(gvr).List(ctx, metav1.ListOptions{}) + if err != nil { + return nil, err + } + + ret := make(map[int]*unstructured.Unstructured) + for _, item := range li.Items { + id, err := strconv.Atoi(item.GetName()) + if err != nil { + return nil, err + } + ret[id] = &item + } + return ret, nil +} + +func getIdentityExampleMap(ctx context.Context, d *dynamic.DynamicClient) (map[int]string, error) { + gvr := schema.GroupVersionResource{ + Group: "cilium.io", + Version: "v2", + Resource: "ciliumendpoints", + } + + li, err := d.Resource(gvr).Namespace(corev1.NamespaceAll).List(ctx, metav1.ListOptions{}) + if err != nil { + return nil, err + } + + ret := make(map[int]string) + for _, ep := range li.Items { + identity, ok, err := unstructured.NestedInt64(ep.Object, "status", "identity", "id") + if err != nil { + return nil, err + } + if !ok { + continue + } + if _, ok := ret[int(identity)]; ok { + ret[int(identity)] += "," + ep.GetName() + } else { + ret[int(identity)] = ep.GetName() + } + } + for k, v := range ret { + if strings.Contains(v, ",") { + samples := strings.Split(v, ",") + i := rand.Intn(len(samples)) + ret[k] = samples[i] + } + } + return ret, nil +} + +func findPodWithPrefix(ctx context.Context, clientset *kubernetes.Clientset, namespace, name string) (string, error) { + pods, err := clientset.CoreV1().Pods(rootOptions.namespace).List(ctx, metav1.ListOptions{}) + if err != nil { + return "", nil + } + found := false + prefix := name + for _, p := range pods.Items { + if strings.HasPrefix(p.GetName(), prefix) { + if found { + return "", errors.New("multiple pods found for the prefix: " + prefix) + } + found = true + name = p.GetName() + } + } + return name, nil +} diff --git a/cmd/npv/app/inspect.go b/cmd/npv/app/inspect.go new file mode 100644 index 0000000..4ba1130 --- /dev/null +++ b/cmd/npv/app/inspect.go @@ -0,0 +1,226 @@ +package app + +import ( + "context" + "encoding/json" + "fmt" + "io" + "net/http" + "strconv" + "text/tabwriter" + + "github.com/cilium/cilium/pkg/identity" + "github.com/cilium/cilium/pkg/u8proto" + "github.com/spf13/cobra" + "k8s.io/apimachinery/pkg/apis/meta/v1/unstructured" + "k8s.io/client-go/dynamic" + "k8s.io/client-go/kubernetes" +) + +var inspectOptions struct { + prefix bool +} + +func init() { + inspectCmd.Flags().BoolVarP(&inspectOptions.prefix, "prefix", "p", false, "find pod with specified prefix") + rootCmd.AddCommand(inspectCmd) +} + +var inspectCmd = &cobra.Command{ + Use: "inspect", + Short: "Inspect network policies applied to a pod", + Long: `Inspect network policies applied to a pod`, + + Args: cobra.ExactArgs(1), + RunE: func(cmd *cobra.Command, args []string) error { + return runInspect(context.Background(), cmd.OutOrStdout(), args[0]) + }, +} + +type policyEntryKey struct { + Identity int `json:"Identity"` + Direction int `json:"TrafficDirection"` + Protocol int `json:"Nexthdr"` + BigPort int `json:"DestPortNetwork"` // big endian +} + +// For the meanings of the flags, see: +// https://github.com/cilium/cilium/blob/v1.16.3/bpf/lib/common.h#L394 +type policyEntry struct { + Flags int `json:"Flags"` + Packets int `json:"Packets"` + Bytes int `json:"Bytes"` + Key policyEntryKey `json:"Key"` +} + +func (p policyEntry) IsDenyRule() bool { + return (p.Flags & 1) > 0 +} + +func (p policyEntry) IsEgressRule() bool { + return p.Key.Direction > 0 +} + +func (p policyEntry) IsWildcardProtocol() bool { + return (p.Flags & 2) > 0 +} + +func (p policyEntry) IsWildcardPort() bool { + return (p.Flags & 4) > 0 +} + +// This command aims to show the result of "cilium bpf policy get" from a remote pod. +// https://github.com/cilium/cilium/blob/v1.16.3/cilium-dbg/cmd/bpf_policy_get.go +type inspectEntry struct { + Policy string `json:"policy"` + Direction string `json:"direction"` + Namespace string `json:"namespace"` + Example string `json:"example"` + Identity int `json:"identity"` + WildcardProtocol bool `json:"wildcard_protocol"` + WildcardPort bool `json:"wildcard_port"` + Protocol int `json:"protocol"` + Port int `json:"port"` + Bytes int `json:"bytes"` + Packets int `json:"packets"` +} + +func queryPolicyMap(ctx context.Context, clientset *kubernetes.Clientset, dynamicClient *dynamic.DynamicClient, namespace, name string) ([]policyEntry, error) { + endpointID, err := getPodEndpointID(ctx, dynamicClient, namespace, name) + if err != nil { + return nil, fmt.Errorf("failed to get pod endpoint ID: %w", err) + } + + url, err := getProxyEndpoint(ctx, clientset, namespace, name) + if err != nil { + return nil, fmt.Errorf("failed to get proxy endpoint: %w", err) + } + + url = fmt.Sprintf("%s/policy/%d", url, endpointID) + resp, err := http.Get(url) + if err != nil { + return nil, fmt.Errorf("failed to request policy: %w", err) + } + defer resp.Body.Close() + + data, err := io.ReadAll(resp.Body) + if err != nil { + return nil, fmt.Errorf("failed to read response: %w", err) + } + + policies := make([]policyEntry, 0) + if err = json.Unmarshal(data, &policies); err != nil { + return nil, fmt.Errorf("failed to unmarshal response: %w", err) + } + + return policies, nil +} + +func runInspect(ctx context.Context, w io.Writer, name string) error { + clientset, dynamicClient, err := createK8sClients() + if err != nil { + return err + } + + if inspectOptions.prefix { + newName, err := findPodWithPrefix(ctx, clientset, rootOptions.namespace, name) + if err != nil { + return err + } + name = newName + } + + policies, err := queryPolicyMap(ctx, clientset, dynamicClient, rootOptions.namespace, name) + if err != nil { + return err + } + + ids, err := getIdentityMap(ctx, dynamicClient) + if err != nil { + return err + } + + examples, err := getIdentityExampleMap(ctx, dynamicClient) + if err != nil { + return err + } + + arr := make([]inspectEntry, len(policies)) + for i, policy := range policies { + var entry inspectEntry + if policy.IsDenyRule() { + entry.Policy = policyDeny + } else { + entry.Policy = policyAllow + } + if policy.IsEgressRule() { + entry.Direction = directionEgress + } else { + entry.Direction = directionIngress + } + entry.Namespace = "-" + if id, ok := ids[policy.Key.Identity]; ok { + ns, ok, err := unstructured.NestedString(id.Object, "security-labels", "k8s:io.kubernetes.pod.namespace") + if err != nil { + return err + } + if ok { + entry.Namespace = ns + } + } + if v, ok := examples[policy.Key.Identity]; ok { + entry.Example = v + } else { + idObj := identity.NumericIdentity(policy.Key.Identity) + if idObj.IsReservedIdentity() { + entry.Example = "reserved:" + idObj.String() + } else { + entry.Example = "-" + } + } + entry.Identity = policy.Key.Identity + entry.WildcardProtocol = policy.IsWildcardProtocol() + entry.WildcardPort = policy.IsWildcardPort() + entry.Protocol = policy.Key.Protocol + entry.Port = ((policy.Key.BigPort & 0xFF) << 8) + ((policy.Key.BigPort & 0xFF00) >> 8) + entry.Bytes = policy.Bytes + entry.Packets = policy.Packets + arr[i] = entry + } + + switch rootOptions.output { + case OutputJson: + text, err := json.MarshalIndent(arr, "", " ") + if err != nil { + return err + } + _, err = w.Write(text) + return err + case OutputSimple: + tw := tabwriter.NewWriter(w, 0, 1, 1, ' ', 0) + if !rootOptions.noHeaders { + if _, err := tw.Write([]byte("POLICY\tDIRECTION\tIDENTITY\tNAMESPACE\tEXAMPLE\tPROTOCOL\tPORT\tBYTES\tPACKETS\n")); err != nil { + return err + } + } + for _, p := range arr { + var protocol, port string + if p.WildcardProtocol { + protocol = "ANY" + } else { + protocol = u8proto.U8proto(p.Protocol).String() + } + if p.WildcardPort { + port = "ANY" + } else { + port = strconv.Itoa(p.Port) + } + if _, err := tw.Write([]byte(fmt.Sprintf("%v\t%v\t%v\t%v\t%v\t%v\t%v\t%v\t%v\n", p.Policy, p.Direction, p.Identity, p.Namespace, p.Example, protocol, port, p.Bytes, p.Packets))); err != nil { + return err + } + } + return tw.Flush() + default: + return fmt.Errorf("unknown format: %s", rootOptions.output) + } +} diff --git a/cmd/npv/app/list.go b/cmd/npv/app/list.go index 0ab21c3..1b48a67 100644 --- a/cmd/npv/app/list.go +++ b/cmd/npv/app/list.go @@ -15,7 +15,14 @@ import ( "golang.org/x/exp/maps" ) +var listOptions struct { + manifests bool + prefix bool +} + func init() { + listCmd.Flags().BoolVarP(&listOptions.manifests, "manifests", "m", false, "show policy manifests") + listCmd.Flags().BoolVarP(&listOptions.prefix, "prefix", "p", false, "find pod with specified prefix") rootCmd.AddCommand(listCmd) } @@ -30,11 +37,6 @@ var listCmd = &cobra.Command{ }, } -const ( - directionEgress = "EGRESS" - directionIngress = "INGRESS" -) - type derivedFromEntry struct { Direction string `json:"direction"` Kind string `json:"kind"` @@ -74,9 +76,22 @@ func parseDerivedFromEntry(input []string, direction string) derivedFromEntry { } func runList(ctx context.Context, w io.Writer, name string) error { - _, dynamicClient, client, err := createClients(ctx, name) + clientset, dynamicClient, err := createK8sClients() + if err != nil { + return fmt.Errorf("failed to create k8s clients: %w", err) + } + + if listOptions.prefix { + newName, err := findPodWithPrefix(ctx, clientset, rootOptions.namespace, name) + if err != nil { + return err + } + name = newName + } + + client, err := createCiliumClient(ctx, clientset, name) if err != nil { - return fmt.Errorf("failed to create clients: %w", err) + return fmt.Errorf("failed to create Cilium client: %w", err) } endpointID, err := getPodEndpointID(ctx, dynamicClient, rootOptions.namespace, name) diff --git a/cmd/npv/app/summary.go b/cmd/npv/app/summary.go new file mode 100644 index 0000000..df0c331 --- /dev/null +++ b/cmd/npv/app/summary.go @@ -0,0 +1,117 @@ +package app + +import ( + "context" + "encoding/json" + "fmt" + "io" + "sort" + "strings" + "text/tabwriter" + + "github.com/spf13/cobra" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +func init() { + rootCmd.AddCommand(summaryCmd) +} + +var summaryCmd = &cobra.Command{ + Use: "summary", + Short: "Show summary of network policy count", + Long: `Show summary of network policy count`, + + Args: cobra.ExactArgs(0), + RunE: func(cmd *cobra.Command, args []string) error { + return runSummary(context.Background(), cmd.OutOrStdout()) + }, +} + +type summaryEntry struct { + Namespace string `json:"namespace"` + Name string `json:"name"` + IngressAllow int `json:"ingress_allow"` + IngressDeny int `json:"ingress_deny"` + EgressAllow int `json:"egress_allow"` + EgressDeny int `json:"egress_deny"` +} + +func lessSummaryEntry(x, y *summaryEntry) bool { + ret := strings.Compare(x.Namespace, y.Namespace) + if ret == 0 { + ret = strings.Compare(x.Name, y.Name) + } + return ret < 0 +} + +func runSummary(ctx context.Context, w io.Writer) error { + clientset, dynamicClient, err := createK8sClients() + if err != nil { + return err + } + + summary := make([]summaryEntry, 0) + pods, err := clientset.CoreV1().Pods(rootOptions.namespace).List(ctx, metav1.ListOptions{}) + if err != nil { + return err + } + + for _, p := range pods.Items { + var entry summaryEntry + entry.Namespace = p.Namespace + entry.Name = p.Name + + if p.Spec.HostNetwork { + entry.EgressDeny = -1 + entry.EgressAllow = -1 + entry.IngressDeny = -1 + entry.IngressAllow = -1 + } else { + policies, err := queryPolicyMap(ctx, clientset, dynamicClient, rootOptions.namespace, p.Name) + if err != nil { + return err + } + + for _, p := range policies { + switch { + case p.IsEgressRule() && p.IsDenyRule(): + entry.EgressDeny++ + case p.IsEgressRule() && !p.IsDenyRule(): + entry.EgressAllow++ + case !p.IsEgressRule() && p.IsDenyRule(): + entry.IngressDeny++ + case !p.IsEgressRule() && !p.IsDenyRule(): + entry.IngressAllow++ + } + } + } + summary = append(summary, entry) + } + sort.Slice(summary, func(i, j int) bool { return lessSummaryEntry(&summary[i], &summary[j]) }) + + switch rootOptions.output { + case OutputJson: + text, err := json.MarshalIndent(summary, "", " ") + if err != nil { + return err + } + _, err = w.Write(text) + return err + case OutputSimple: + tw := tabwriter.NewWriter(w, 0, 1, 1, ' ', 0) + if !rootOptions.noHeaders { + if _, err := tw.Write([]byte("NAMESPACE\tNAME\tINGRESS-ALLOW\tINGRESS-DENY\tEGRESS-ALLOW\tEGRESS-DENY\n")); err != nil { + return err + } + } + for _, p := range summary { + if _, err := tw.Write([]byte(fmt.Sprintf("%v\t%v\t%v\t%v\t%v\t%v\n", p.Namespace, p.Name, p.IngressAllow, p.IngressDeny, p.EgressAllow, p.EgressDeny))); err != nil { + return err + } + } + return tw.Flush() + default: + return fmt.Errorf("unknown format: %s", rootOptions.output) + } +} diff --git a/e2e/Makefile b/e2e/Makefile index 56e9a16..e879900 100644 --- a/e2e/Makefile +++ b/e2e/Makefile @@ -48,11 +48,11 @@ run-test-pod-%: .PHONY: install-test-pod install-test-pod: $(MAKE) --no-print-directory run-test-pod-self - $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-allow - $(MAKE) --no-print-directory run-test-pod-l3-ingress-implicit-deny - $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-deny - $(MAKE) --no-print-directory run-test-pod-l3-egress-implicit-deny - $(MAKE) --no-print-directory run-test-pod-l3-egress-explicit-deny + $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-allow-all + $(MAKE) --no-print-directory run-test-pod-l3-ingress-implicit-deny-all + $(MAKE) --no-print-directory run-test-pod-l3-ingress-explicit-deny-all + $(MAKE) --no-print-directory run-test-pod-l3-egress-implicit-deny-all + $(MAKE) --no-print-directory run-test-pod-l3-egress-explicit-deny-all $(MAKE) --no-print-directory run-test-pod-l4-ingress-explicit-allow-any $(MAKE) --no-print-directory run-test-pod-l4-ingress-explicit-allow-tcp @@ -70,7 +70,9 @@ install-policy-viewer: $(MAKE) -C ../ build PODNAME=$$(kubectl get po -l app=ubuntu -o name | cut -d'/' -f2); \ kubectl cp $(POLICY_VIEWER) $${PODNAME}:/tmp/; \ - kubectl exec $${PODNAME} -- chmod +x /tmp/npv + kubectl exec $${PODNAME} -- chmod +x /tmp/npv; \ + kubectl cp $$(aqua which kubectl) $${PODNAME}:/tmp/; \ + kubectl exec $${PODNAME} -- chmod +x /tmp/kubectl .PHONY: test test: diff --git a/e2e/inspect_test.go b/e2e/inspect_test.go new file mode 100644 index 0000000..404fa1e --- /dev/null +++ b/e2e/inspect_test.go @@ -0,0 +1,102 @@ +package e2e + +import ( + "strings" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +func testInspect() { + cases := []struct { + Prefix string + Expected string + }{ + { + Prefix: "self", + Expected: `Deny,Egress,l4-egress-explicit-deny-tcp,false,false,6,8080 +Deny,Egress,l4-egress-explicit-deny-any,false,false,132,53 +Deny,Egress,l4-egress-explicit-deny-any,false,false,17,53 +Deny,Egress,l4-egress-explicit-deny-any,false,false,6,53 +Deny,Egress,l3-egress-explicit-deny-all,true,true,0,0 +Allow,Ingress,reserved:host,true,true,0,0 +Allow,Egress,l3-ingress-explicit-deny-all,true,true,0,0 +Allow,Egress,l4-ingress-explicit-allow-any,false,false,132,53 +Allow,Egress,l4-ingress-explicit-allow-any,false,false,17,53 +Allow,Egress,l4-ingress-explicit-allow-any,false,false,6,53 +Allow,Egress,l3-ingress-implicit-deny-all,true,true,0,0 +Allow,Egress,l3-ingress-explicit-allow-all,true,true,0,0 +Allow,Egress,l4-ingress-explicit-deny-any,false,false,6,53 +Allow,Egress,l4-ingress-explicit-deny-any,false,false,17,53 +Allow,Egress,l4-ingress-explicit-deny-any,false,false,132,53 +Allow,Egress,l4-ingress-explicit-allow-tcp,false,false,6,8080 +Allow,Egress,l4-ingress-explicit-deny-udp,false,false,17,161`, + }, + { + Prefix: "l3-ingress-explicit-allow-all", + Expected: `Allow,Ingress,reserved:host,true,true,0,0 +Allow,Ingress,self,true,true,0,0`, + }, + { + Prefix: "l3-ingress-implicit-deny-all", + Expected: `Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l3-ingress-explicit-deny-all", + Expected: `Deny,Ingress,self,true,true,0,0 +Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l3-egress-implicit-deny-all", + Expected: `Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l3-egress-explicit-deny-all", + Expected: `Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l4-ingress-explicit-allow-any", + Expected: `Allow,Ingress,reserved:host,true,true,0,0 +Allow,Ingress,self,false,false,6,53 +Allow,Ingress,self,false,false,17,53 +Allow,Ingress,self,false,false,132,53`, + }, + { + Prefix: "l4-ingress-explicit-allow-tcp", + Expected: `Allow,Ingress,reserved:host,true,true,0,0 +Allow,Ingress,self,false,false,6,8080`, + }, + { + Prefix: "l4-ingress-explicit-deny-any", + Expected: `Deny,Ingress,self,false,false,6,53 +Deny,Ingress,self,false,false,17,53 +Deny,Ingress,self,false,false,132,53 +Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l4-ingress-explicit-deny-udp", + Expected: `Deny,Ingress,self,false,false,17,161 +Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l4-egress-explicit-deny-any", + Expected: `Allow,Ingress,reserved:host,true,true,0,0`, + }, + { + Prefix: "l4-egress-explicit-deny-tcp", + Expected: `Allow,Ingress,reserved:host,true,true,0,0`, + }, + } + + It("should inspect policy configuration", func() { + for _, c := range cases { + result := runViewerSafe(Default, nil, "inspect", "-o=json", "-p", c.Prefix) + // remove hash suffix from pod names + result = jqSafe(Default, result, "-r", `[.[] | .example = (.example | split("-") | .[0:5] | join("-"))]`) + result = jqSafe(Default, result, "-r", `[.[] | .example = (.example | if startswith("self") then "self" else . end)]`) + result = jqSafe(Default, result, "-r", `.[] | [.policy, .direction, .example, .wildcard_protocol, .wildcard_port, .protocol, .port] | @csv`) + resultString := strings.Replace(string(result), `"`, "", -1) + Expect(resultString).To(Equal(c.Expected), "compare failed. prefix: %s\nactual: %s\nexpected: %s", c.Prefix, resultString, c.Expected) + } + }) +} diff --git a/e2e/list_test.go b/e2e/list_test.go index a5ca46a..b88fdff 100644 --- a/e2e/list_test.go +++ b/e2e/list_test.go @@ -9,86 +9,85 @@ import ( func testList() { cases := []struct { - Selector string + Prefix string Expected string }{ { - Selector: "test=self", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -EGRESS,CiliumNetworkPolicy,default,l3-egress -EGRESS,CiliumNetworkPolicy,default,l4-egress -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "self", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Egress,CiliumNetworkPolicy,default,l3-egress +Egress,CiliumNetworkPolicy,default,l4-egress +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, { - Selector: "test=l3-ingress-explicit-allow", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-ingress-explicit-allow`, + Prefix: "l3-ingress-explicit-allow-all", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-ingress-explicit-allow-all`, }, { - Selector: "test=l3-ingress-implicit-deny", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "l3-ingress-implicit-deny-all", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, { - Selector: "test=l3-ingress-explicit-deny", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-ingress-explicit-deny`, + Prefix: "l3-ingress-explicit-deny-all", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-ingress-explicit-deny-all`, }, { - Selector: "test=l3-egress-implicit-deny", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "l3-egress-implicit-deny-all", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, { - Selector: "test=l3-egress-explicit-deny", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "l3-egress-explicit-deny-all", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, { - Selector: "test=l4-ingress-explicit-allow-any", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l4-ingress-explicit-allow-any`, + Prefix: "l4-ingress-explicit-allow-any", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l4-ingress-explicit-allow-any`, }, { - Selector: "test=l4-ingress-explicit-allow-tcp", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l4-ingress-explicit-allow-tcp`, + Prefix: "l4-ingress-explicit-allow-tcp", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l4-ingress-explicit-allow-tcp`, }, { - Selector: "test=l4-ingress-explicit-deny-any", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l4-ingress-explicit-deny-any`, + Prefix: "l4-ingress-explicit-deny-any", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l4-ingress-explicit-deny-any`, }, { - Selector: "test=l4-ingress-explicit-deny-udp", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l4-ingress-explicit-deny-udp`, + Prefix: "l4-ingress-explicit-deny-udp", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l4-ingress-explicit-deny-udp`, }, { - Selector: "test=l4-egress-explicit-deny-any", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "l4-egress-explicit-deny-any", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, { - Selector: "test=l4-egress-explicit-deny-tcp", - Expected: `EGRESS,CiliumNetworkPolicy,default,l3-baseline -INGRESS,CiliumNetworkPolicy,default,l3-baseline`, + Prefix: "l4-egress-explicit-deny-tcp", + Expected: `Egress,CiliumNetworkPolicy,default,l3-baseline +Ingress,CiliumNetworkPolicy,default,l3-baseline`, }, } It("should list applied policies", func() { for _, c := range cases { - podName := onePodByLabelSelector(Default, "default", c.Selector) - result := runViewerSafe(Default, nil, "list", "-o=json", "--no-headers", podName) + result := runViewerSafe(Default, nil, "list", "-o=json", "-p", c.Prefix) result = jqSafe(Default, result, "-r", ".[] | [.direction, .kind, .namespace, .name] | @csv") resultString := strings.Replace(string(result), `"`, "", -1) - Expect(resultString).To(Equal(c.Expected), "compare failed. selector: %s, actual: %s, expected: %s", c.Selector, resultString, c.Expected) + Expect(resultString).To(Equal(c.Expected), "compare failed. prefix: %s\nactual: %s\nexpected: %s", c.Prefix, resultString, c.Expected) } }) } diff --git a/e2e/suite_test.go b/e2e/suite_test.go index 250b5be..e01132c 100644 --- a/e2e/suite_test.go +++ b/e2e/suite_test.go @@ -25,4 +25,6 @@ var _ = Describe("Test network-policy-viewer", func() { func runTest() { Context("dump", testDump) Context("list", testList) + Context("inspect", testInspect) + Context("summary", testSummary) } diff --git a/e2e/summary_test.go b/e2e/summary_test.go new file mode 100644 index 0000000..7dab3e2 --- /dev/null +++ b/e2e/summary_test.go @@ -0,0 +1,31 @@ +package e2e + +import ( + "strings" + + . "github.com/onsi/ginkgo/v2" + . "github.com/onsi/gomega" +) + +func testSummary() { + expected := `l3-egress-explicit-deny-all,1,0,0,0 +l3-egress-implicit-deny-all,1,0,0,0 +l3-ingress-explicit-allow-all,2,0,0,0 +l3-ingress-explicit-deny-all,1,1,0,0 +l3-ingress-implicit-deny-all,1,0,0,0 +l4-egress-explicit-deny-any,1,0,0,0 +l4-egress-explicit-deny-tcp,1,0,0,0 +l4-ingress-explicit-allow-any,4,0,0,0 +l4-ingress-explicit-allow-tcp,2,0,0,0 +l4-ingress-explicit-deny-any,1,3,0,0 +l4-ingress-explicit-deny-udp,1,1,0,0` + + It("should show summary", func() { + result := runViewerSafe(Default, nil, "summary", "-o=json", "--no-headers") + // remove hash suffix from pod names + result = jqSafe(Default, result, "-r", `[.[] | select(.name | startswith("l")) | .name = (.name | split("-") | .[0:5] | join("-"))]`) + result = jqSafe(Default, result, "-r", `.[] | [.name, .ingress_allow, .ingress_deny, .egress_allow, .egress_deny] | @csv`) + resultString := strings.Replace(string(result), `"`, "", -1) + Expect(resultString).To(Equal(expected), "compare failed.\nactual: %s\nexpected: %s", resultString, expected) + }) +} diff --git a/e2e/testdata/policy/README.md b/e2e/testdata/policy/README.md index d685ede..2383f41 100644 --- a/e2e/testdata/policy/README.md +++ b/e2e/testdata/policy/README.md @@ -2,11 +2,11 @@ | Target | From self (Egress) | To pod (Ingress) | |-|-|-| -| l3-ingress-explicit-allow | allow | allow | -| l3-ingress-implicit-deny | allow | - | -| l3-ingress-explicit-deny | allow | deny | -| l3-egress-implicit-deny | - | - | -| l3-egress-explicit-deny | deny | - | +| l3-ingress-explicit-allow-all | allow | allow | +| l3-ingress-implicit-deny-all | allow | - | +| l3-ingress-explicit-deny-all | allow | deny | +| l3-egress-implicit-deny-all | - | - | +| l3-egress-explicit-deny-all | deny | - | | l4-ingress-explicit-allow-any | allow (L4) | allow (L4) | | l4-ingress-explicit-allow-tcp | allow (L4) | allow (L4) | | l4-ingress-explicit-deny-any | allow (L4) | deny (L4) | diff --git a/e2e/testdata/policy/l3.yaml b/e2e/testdata/policy/l3.yaml index 15c42ef..efde9e3 100644 --- a/e2e/testdata/policy/l3.yaml +++ b/e2e/testdata/policy/l3.yaml @@ -26,29 +26,29 @@ spec: egress: - toEndpoints: - matchLabels: - k8s:test: l3-ingress-explicit-allow + k8s:test: l3-ingress-explicit-allow-all - toEndpoints: - matchLabels: k8s:test: l3-ingress-no-rule - toEndpoints: - matchLabels: - k8s:test: l3-ingress-implicit-deny + k8s:test: l3-ingress-implicit-deny-all - toEndpoints: - matchLabels: - k8s:test: l3-ingress-explicit-deny + k8s:test: l3-ingress-explicit-deny-all egressDeny: - toEndpoints: - matchLabels: - k8s:test: l3-egress-explicit-deny + k8s:test: l3-egress-explicit-deny-all --- apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: l3-ingress-explicit-allow + name: l3-ingress-explicit-allow-all spec: endpointSelector: matchLabels: - k8s:test: l3-ingress-explicit-allow + k8s:test: l3-ingress-explicit-allow-all ingress: - fromEndpoints: - matchLabels: @@ -57,11 +57,11 @@ spec: apiVersion: cilium.io/v2 kind: CiliumNetworkPolicy metadata: - name: l3-ingress-explicit-deny + name: l3-ingress-explicit-deny-all spec: endpointSelector: matchLabels: - k8s:test: l3-ingress-explicit-deny + k8s:test: l3-ingress-explicit-deny-all ingressDeny: - fromEndpoints: - matchLabels: diff --git a/e2e/testdata/ubuntu.yaml b/e2e/testdata/ubuntu.yaml index 2319064..24c5392 100644 --- a/e2e/testdata/ubuntu.yaml +++ b/e2e/testdata/ubuntu.yaml @@ -21,6 +21,7 @@ rules: - cilium.io resources: - ciliumendpoints + - ciliumidentities verbs: - get - list diff --git a/go.mod b/go.mod index 0904b62..a3a9435 100644 --- a/go.mod +++ b/go.mod @@ -8,6 +8,7 @@ require ( github.com/onsi/gomega v1.34.2 github.com/spf13/cobra v1.8.1 golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 + k8s.io/api v0.29.3 k8s.io/apimachinery v0.29.3 k8s.io/client-go v0.29.3 ) @@ -92,7 +93,6 @@ require ( gopkg.in/ini.v1 v1.67.0 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - k8s.io/api v0.29.3 // indirect k8s.io/klog/v2 v2.120.0 // indirect k8s.io/kube-openapi v0.0.0-20240105020646-a37d4de58910 // indirect k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect