Added more explainability tests.

Sorting the order of NPs in explainability output
np-guard · Jan 7, 2025 · 520ef12 · 520ef12
1 parent ffe247c
commit 520ef12
Show file tree

Hide file tree

Showing 4 changed files with 2,611 additions and 12 deletions.
diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go
@@ -48,6 +48,9 @@ var explainTests = []struct {
 	testDirName   string
 	focusWorkload string
 }{
+	{
+		testDirName: "acs-security-demos",
+	},
 	{
 		testDirName: "onlineboutique",
 	},
@@ -66,11 +69,4 @@ var explainTests = []struct {
 	{
 		testDirName: "anp_banp_blog_demo_2",
 	},
-	// {
-	// 	testDirName: "acs-security-demos",
-	// },
-	// {
-	// 	testDirName:   "acs-security-demos",
-	// 	focusWorkload: "ingress-controller",
-	// },
 }
diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
@@ -9,6 +9,7 @@ package eval
 import (
 	"errors"
 	"net"
+	"sort"
 	"strings"
 
 	netv1 "k8s.io/api/networking/v1"
@@ -103,6 +104,11 @@ func (pe *PolicyEngine) getPoliciesSelectingPod(peer k8s.Peer, direction netv1.P
 	if pe.exposureAnalysisFlag && len(res) > 0 {
 		p.UpdatePodXgressProtectedFlag(direction == netv1.PolicyTypeIngress)
 	}
+	if pe.explain && len(res) > 0 {
+		sort.Slice(res, func(i, j int) bool {
+			return res[i].FullName() < res[j].FullName()
+		})
+	}
 	return res, nil
 }
 

diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go
@@ -416,7 +416,7 @@ func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) s
 	if isIngress {
 		xgress = "Ingress"
 	}
-	return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress)
+	return fmt.Sprintf("%s//%s "+expl, np.FullName(), xgress, xgress)
 }
 
 func explNoMatchOfNamedPortsToDst(ruleName string) string {
@@ -474,11 +474,11 @@ func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*
 }
 
 func (np *NetworkPolicy) netpolWarning(description string) string {
-	return fmt.Sprintf("network policy %q: %s", np.fullName(), description)
+	return fmt.Sprintf("network policy %q: %s", np.FullName(), description)
 }
 
 func (np *NetworkPolicy) netpolErr(title, description string) error {
-	return fmt.Errorf("network policy %s %s: %s", np.fullName(), title, description)
+	return fmt.Errorf("network policy %s %s: %s", np.FullName(), title, description)
 }
 
 func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*netset.IPBlock, error) {
@@ -579,7 +579,7 @@ func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, erro
 	return selector.Matches(labels.Set(p.Labels)), nil
 }
 
-func (np *NetworkPolicy) fullName() string {
+func (np *NetworkPolicy) FullName() string {
 	return "[NP] " + types.NamespacedName{Name: np.Name, Namespace: np.Namespace}.String()
 }
 
@@ -588,7 +588,7 @@ func (np *NetworkPolicy) ruleName(ruleIdx int, isIngress bool) string {
 	if isIngress {
 		xgress = ingressName
 	}
-	return fmt.Sprintf("%s//%s rule #%d", np.fullName(), xgress, ruleIdx+1)
+	return fmt.Sprintf("%s//%s rule #%d", np.FullName(), xgress, ruleIdx+1)
 }
 
 func (np *NetworkPolicy) LogWarnings(l logger.Logger) {