diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go
index d065f638..a890794f 100644
--- a/pkg/netpol/connlist/explanation_test.go
+++ b/pkg/netpol/connlist/explanation_test.go
@@ -69,4 +69,13 @@ var explainTests = []struct {
 {
 testDirName: "anp_banp_blog_demo_2",
 },
+ {
+ testDirName: "anp_and_banp_using_networks_and_nodes_test",
+ },
+ {
+ testDirName: "anp_banp_test_with_named_port_matched",
+ },
+ {
+ testDirName: "anp_banp_test_with_named_port_unmatched",
+ },
 }
diff --git a/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt b/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt
new file mode 100644
index 00000000..127ae912
--- /dev/null
+++ b/test_outputs/connlist/anp_and_banp_using_networks_and_nodes_test_explain_output.txt
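Review bot: The three entries added to `explainTests` carry only a `testDirName`, so nothing in the table records what each expected-output file is meant to pin down. Judging by the golden files added in this commit, the matched and unmatched named-port cases differ in one verdict: whether TCP 80 from slytherin to gryffindor is allowed by the ANP ingress rule, or falls through the Pass rule to the BANP deny. A one-line comment per entry would let a reviewer notice a regenerated golden file that silently turns a deny into an allow, for example `// named port presumably resolves on the destination pod: only TCP 80 allowed, the rest denied by BANP`. The `explainTests` literal starts before this hunk, so the existing entries may already follow a no-comment convention.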
@@ -0,0 +1,54 @@
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN ns1/pod1[Deployment] => 104.154.164.160-104.154.164.160:
+
+No Connections due to the following policies//rules:
+ EGRESS DIRECTION (DENIED)
+ 1) [ANP] egress-peer-1//Egress rule deny-egress (Deny)
+ INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN ns1/pod1[Deployment] => 104.154.164.170-104.154.164.170:
+
+All Connections due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED)
+ 1) [ANP] egress-peer-1//Egress rule allow-egress (Allow)
+ INGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN ns1/pod1[Deployment] => ns2/pod1[Deployment]:
+
+No Connections due to the following policies//rules:
+ EGRESS DIRECTION (DENIED)
+ 1) [ANP] egress-peer-1//Egress rule deny-egress (Deny)
+ INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN ns1/pod1[Deployment] => ns3/pod1[Deployment]:
+
+All Connections due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED)
+ 1) [ANP] egress-peer-1//Egress rule allow-egress (Allow)
+ INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+The following nodes are connected due to the system default or the assumed default for IPblock (Allow all):
+0.0.0.0-255.255.255.255 => ns1/pod1[Deployment]
+0.0.0.0-255.255.255.255 => ns2/pod1[Deployment]
+0.0.0.0-255.255.255.255 => ns3/pod1[Deployment]
+ns1/pod1[Deployment] => 0.0.0.0-104.154.164.159
+ns1/pod1[Deployment] => 104.154.164.161-104.154.164.169
+ns1/pod1[Deployment] => 104.154.164.171-255.255.255.255
+ns2/pod1[Deployment] => 0.0.0.0-104.154.164.159
+ns2/pod1[Deployment] => 104.154.164.160-104.154.164.160
+ns2/pod1[Deployment] => 104.154.164.161-104.154.164.169
+ns2/pod1[Deployment] => 104.154.164.170-104.154.164.170
+ns2/pod1[Deployment] => 104.154.164.171-255.255.255.255
+ns2/pod1[Deployment] => ns1/pod1[Deployment]
+ns2/pod1[Deployment] => ns3/pod1[Deployment]
+ns3/pod1[Deployment] => 0.0.0.0-104.154.164.159
+ns3/pod1[Deployment] => 104.154.164.160-104.154.164.160
+ns3/pod1[Deployment] => 104.154.164.161-104.154.164.169
+ns3/pod1[Deployment] => 104.154.164.170-104.154.164.170
+ns3/pod1[Deployment] => 104.154.164.171-255.255.255.255
+ns3/pod1[Deployment] => ns1/pod1[Deployment]
+ns3/pod1[Deployment] => ns2/pod1[Deployment]
diff --git a/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt b/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt
new file mode 100644
index 00000000..376e591a
--- /dev/null
+++ b/test_outputs/connlist/anp_banp_test_with_named_port_matched_explain_output.txt
@@ -0,0 +1,35 @@
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]:
+
+No Connections due to the following policies//rules:
+ EGRESS DIRECTION (DENIED)
+ 1) [ANP] pass-example//Egress rule pass-all-egress-to-slytherin (Pass)
+ 2) [BANP] default//Egress rule deny-all-egress-to-slytherin (Deny)
+ INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]:
+
+ALLOWED TCP:[80] due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+ INGRESS DIRECTION (ALLOWED)
+ 1) [ANP] pass-example//Ingress rule allow-ingress-from-slytherin-on-named-port (Allow)
+
+DENIED TCP:[1-79,81-65535] due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+ INGRESS DIRECTION (DENIED)
+ 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass)
+ 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny)
+
+DENIED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+ INGRESS DIRECTION (DENIED)
+ 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass)
+ 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+The following nodes are connected due to the system default or the assumed default for IPblock (Allow all):
+0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet]
+0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255
diff --git a/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt b/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt
new file mode 100644
index 00000000..cbb02942
--- /dev/null
+++ b/test_outputs/connlist/anp_banp_test_with_named_port_unmatched_explain_output.txt
@@ -0,0 +1,24 @@
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]:
+
+No Connections due to the following policies//rules:
+ EGRESS DIRECTION (DENIED)
+ 1) [ANP] pass-example//Egress rule pass-all-egress-to-slytherin (Pass)
+ 2) [BANP] default//Egress rule deny-all-egress-to-slytherin (Deny)
+ INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]:
+
+No Connections due to the following policies//rules:
+ EGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+ INGRESS DIRECTION (DENIED)
+ 1) [ANP] pass-example//Ingress rule pass-all-ingress-from-slytherin (Pass)
+ 2) [BANP] default//Ingress rule deny-all-ingress-from-slytherin (Deny)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+The following nodes are connected due to the system default or the assumed default for IPblock (Allow all):
+0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet]
+0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255