From 929c75de031e32f257689b2fc6cd0705cf71d1dc Mon Sep 17 00:00:00 2001
From: Tanya Veksler
Date: Mon, 6 Jan 2025 17:06:46 +0200
Subject: [PATCH] More compact explanation printing.

---
 .../internal/common/augmented_intervalset.go | 4 +
 pkg/netpol/internal/common/connectionset.go | 40 ++-
 .../anp_banp_blog_demo_2_explain_output.txt | 44 +--
 .../connlist/ipblockstest_explain_output.txt | 252 ++++--------------
 4 files changed, 105 insertions(+), 235 deletions(-)

diff --git a/pkg/netpol/internal/common/augmented_intervalset.go b/pkg/netpol/internal/common/augmented_intervalset.go
index e8c1bdf1..f313bc87 100644
--- a/pkg/netpol/internal/common/augmented_intervalset.go
+++ b/pkg/netpol/internal/common/augmented_intervalset.go
@@ -326,6 +326,10 @@ func (augInt AugmentedInterval) Equal(other AugmentedInterval) bool {
 return augInt.inSet == other.inSet && augInt.interval.Equal(other.interval) && augInt.implyingRules.Equal(&other.implyingRules)
 }

+func (augInt AugmentedInterval) EqualInSetAndRules(other AugmentedInterval) bool {
+ return augInt.inSet == other.inSet && augInt.implyingRules.Equal(&other.implyingRules)
+}
+
 // AugmentedCanonicalSet is a set of int64 integers, implemented using an ordered slice of non-overlapping, non-touching intervals.
 // The intervals should include both included intervals and holes;
 // i.e., start of every interval is the end of a previous interval incremented by 1.
diff --git a/pkg/netpol/internal/common/connectionset.go b/pkg/netpol/internal/common/connectionset.go
index 2d25be9b..9a8dba0c 100644
--- a/pkg/netpol/internal/common/connectionset.go
+++ b/pkg/netpol/internal/common/connectionset.go
@@ -370,6 +370,10 @@ func (p PortRangeData) Equal(other PortRangeData) bool {
 return p.Interval.Equal(other.Interval)
 }

+func (p PortRangeData) EqualInSetAndRules(other PortRangeData) bool {
+ return p.Interval.EqualInSetAndRules(other.Interval)
+}
+
 func (p *PortRangeData) String() string {
 if p.isWholeRange() {
 return allPortsStr
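Review bot: `AugmentedInterval.EqualInSetAndRules` and its `PortRangeData` wrapper in connectionset.go are exported without doc comments, and nothing visible in this patch calls either of them; the grouping in `portsStringWithExplanation` keys on `implyingRules.String()` instead. That leaves two definitions of "same verdict and same rules" (structural `implyingRules.Equal` here, rendered-text equality there), and in a report that attributes allowed or denied ports to policy rules the two should not be able to drift apart. Either use this comparison in the grouping or drop the methods until there is a caller. If they stay, add a comment such as `// EqualInSetAndRules reports whether both intervals have the same inSet flag and the same implying rules; the interval bounds are not compared.`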
@@ -380,12 +384,16 @@ func (p *PortRangeData) String() string {
 return fmt.Sprintf("%d", p.Start())
 }

-func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+func explOfInSetProtocolPortsAndRules(inSet bool, protocolString, portsString, rulesString string) string {
 resultStr := allowResultStr
- if !p.InSet() {
+ if !inSet {
 resultStr = denyResultStr
 }
- return resultStr + SpaceSeparator + protocolString + ":" + p.String() + p.Interval.implyingRules.String()
+ return resultStr + SpaceSeparator + protocolString + ":" + "[" + portsString + "]" + rulesString
+}
+
+func (p *PortRangeData) StringWithExplanation(protocolString string) string {
+ return explOfInSetProtocolPortsAndRules(p.InSet(), protocolString, p.String(), p.Interval.implyingRules.String())
 }

 func (p *PortRangeData) InSet() bool {
@@ -416,7 +424,7 @@ const (
 connsAndPortRangeSeparator = ","
 allConnsStr = "All Connections"
 noConnsStr = "No Connections"
- allPortsStr = "[ALL PORTS]"
+ allPortsStr = "ALL PORTS"
 )

 func ConnStrFromConnProperties(allProtocolsAndPorts bool, protocolsAndPorts map[v1.Protocol][]PortRange) string {
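Review bot: Removing the brackets from `allPortsStr` (the const hunk that follows) changes what `PortRangeData.String()` returns for the whole range, and only `explOfInSetProtocolPortsAndRules` puts them back. Other users of `String()` or `allPortsStr` lie outside these hunks, so confirm that none of them relied on the bracketed form in non-explain output. The new helper also has no comment; something like `// explOfInSetProtocolPortsAndRules renders one explanation line: ALLOWED/DENIED, the protocol, the bracketed port list, then the implying rules.` would document the format the expected-output files now depend on.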
@@ -467,11 +475,31 @@ func portsString(ports []PortRange) string {
 return strings.Join(portsStr, connsAndPortRangeSeparator)
 }

+type InSetAndRulesStr struct {
+ inSet bool
+ rulesString string
+}
+
 func portsStringWithExplanation(ports []PortRange, protocolString string) string {
- portsStr := make([]string, 0, len(ports))
+ // for compact explanation: collect together ranges with the same 'inSet' and impying rules
+ portRangeClasses := map[InSetAndRulesStr]*interval.CanonicalSet{}
 for i := range ports {
- portsStr = append(portsStr, ports[i].(*PortRangeData).StringWithExplanation(protocolString))
+ portRangeData := ports[i].(*PortRangeData)
+ thisInSetAndRulesStr := InSetAndRulesStr{portRangeData.Interval.inSet, portRangeData.Interval.implyingRules.String()}
+ _, ok := portRangeClasses[thisInSetAndRulesStr]
+ if !ok {
+ portRangeClasses[thisInSetAndRulesStr] = interval.NewCanonicalSet()
+ }
+ portRangeClasses[thisInSetAndRulesStr].AddInterval(portRangeData.Interval.interval)
+ }
+ portsStr := make([]string, len(portRangeClasses))
+ ind := 0
+ for inSetAndRulesStr, intervals := range portRangeClasses {
+ portsStr[ind] = explOfInSetProtocolPortsAndRules(inSetAndRulesStr.inSet, protocolString,
+ intervals.String(), inSetAndRulesStr.rulesString)
+ ind++
 }
+ sort.Strings(portsStr)
 return strings.Join(portsStr, NewLine)
 }

diff --git a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
index f099a052..8b48f5a4 100644
--- a/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
+++ b/test_outputs/connlist/anp_banp_blog_demo_2_explain_output.txt
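Review bot: Merged classes in `portsStringWithExplanation` are rendered with `intervals.String()` on an `interval.CanonicalSet` rather than with `PortRangeData.String()`, so the `isWholeRange()` branch that returns `allPortsStr` is bypassed here. A class covering every port will presumably print as a numeric range instead of `[ALL PORTS]`, which is worth a test case or a whole-range check before calling the helper. `InSetAndRulesStr` is exported although it only serves as a map key inside this function; an unexported name with a one-line comment would keep it out of the package API, and the comment above the map has a typo (`impying`). The `sort.Strings(portsStr)` call is what keeps the report deterministic despite map iteration, so it deserves a comment such as `// map iteration order is random; sort for stable output`.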
@@ -25,79 +25,57 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => bar/my-bar[Pod]: -ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) - -DENIED TCP:1-1233 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (DENIED) - 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) - -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -DENIED TCP:1235-8079 due to the following policies//rules: +ALLOWED TCP:[9001-65535] the system default (Allow all) + +DENIED TCP:[1-1233,1235-8079,8081-9000] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) -DENIED TCP:8080 due to the following policies//rules: +DENIED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (DENIED) 1) [ANP] pass-monitoring//Ingress rule pass-ingress-from-monitoring (Pass) 2) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) -DENIED TCP:8081-9000 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (DENIED) - 1) [BANP] default//Ingress rule deny-ingress-from-all-namespaces (Deny) - -ALLOWED TCP:9001-65535 the system default (Allow all) +ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) 
---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => baz/my-baz[Pod]: -ALLOWED TCP:1-1233 the system default (Allow all) +ALLOWED TCP:[1-1233,1235-65535] the system default (Allow all) -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -ALLOWED TCP:1235-65535 the system default (Allow all) - ALLOWED {SCTP,UDP}:[ALL PORTS] the system default (Allow all) ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN monitoring/my-monitoring[Pod] => foo/my-foo[Pod]: -ALLOWED TCP:1-1233 due to the following policies//rules: +ALLOWED TCP:[1-1233,1235-8079,8081-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] foo/allow-monitoring//Ingress rule #1 -ALLOWED TCP:1234 due to the following policies//rules: +ALLOWED TCP:[1234] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] allow-monitoring//Ingress rule allow-ingress-from-monitoring (Allow) -ALLOWED TCP:1235-8079 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [NP] foo/allow-monitoring//Ingress rule #1 - -ALLOWED TCP:8080 due to the following policies//rules: +ALLOWED TCP:[8080] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) 1) [ANP] pass-monitoring//Ingress rule 
pass-ingress-from-monitoring (Pass) 2) [NP] foo/allow-monitoring//Ingress rule #1 -ALLOWED TCP:8081-65535 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) - INGRESS DIRECTION (ALLOWED) - 1) [NP] foo/allow-monitoring//Ingress rule #1 - ALLOWED {SCTP,UDP}:[ALL PORTS] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the system default (Allow all) INGRESS DIRECTION (ALLOWED) diff --git a/test_outputs/connlist/ipblockstest_explain_output.txt b/test_outputs/connlist/ipblockstest_explain_output.txt index 36480105..0947c377 100644 --- a/test_outputs/connlist/ipblockstest_explain_output.txt +++ b/test_outputs/connlist/ipblockstest_explain_output.txt @@ -1,17 +1,12 @@ ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -24,17 +19,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -47,17 +37,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -70,17 +55,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -93,17 +73,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -116,17 +91,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -139,17 +109,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 0.0.0.0-9.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -218,17 +183,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -241,17 +201,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -264,17 +219,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -287,17 +237,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -310,17 +255,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -333,17 +273,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -356,17 +291,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 11.0.0.0-172.20.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -435,17 +365,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -458,17 +383,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -481,17 +401,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -504,17 +419,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -527,17 +437,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -550,17 +455,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -573,17 +473,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.22.0.0-172.29.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -652,17 +547,12 @@ No Connections due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/calico-node-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -675,17 +565,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-file-plugin-7bfb8b69bf[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -698,17 +583,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-keepalived-watcher[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -721,17 +601,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-kube-fluentd-with-tier[DaemonSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -744,17 +619,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/ibm-storage-watcher-8494b4b8bb[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -767,17 +637,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/tiller-deploy-5c45c9966b[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 
@@ -790,17 +655,12 @@ DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules: ---------------------------------------------------------------------------------------------------------------------------------------------------------------- CONNECTIONS BETWEEN 172.31.0.0-255.255.255.255 => kube-system/vpn-858f6d9777[ReplicaSet]: -DENIED UDP:1-52 due to the following policies//rules: - EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) - INGRESS DIRECTION (DENIED) - 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 - -ALLOWED UDP:53 due to the following policies//rules: +ALLOWED UDP:[53] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (ALLOWED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1 -DENIED UDP:54-65535 due to the following policies//rules: +DENIED UDP:[1-52,54-65535] due to the following policies//rules: EGRESS DIRECTION (ALLOWED) due to the assumed default for IPblock (Allow all) INGRESS DIRECTION (DENIED) 1) [NP] kube-system/enable-from-ipblock-to-isolated-by-tier//Ingress rule #1