Extend anp egress peer (#447)
* adding ANP to parser.k8sobj

* fixing gocritic rangeValCopy by indexing

* w.i.p. anp support - first commit

* more examples (2 ANPs/ ANP+NP)

* fixing references

* new_test that ensures rule ordering in ANP is respected

* update the conn representation as complement in case it is shorter (all but: udp 5353 instead of SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535)

* test with swapped rules from another test + diff test

* more-tests

* fixing conns computations and a test with multiple ANPs

* extending output formats of existing tests

* tiny fix

* fixing a tiny bug in ruleConnections func

* tiny doc update

* tiny doc update

* a @todo tbd while review

* return error if ANPs are without name or not unique names

* remove redundant lines

* reverting the changes adding complement string representation (all but) for connectionSet

* Merge github.com:np-guard/netpol-analyzer into support_admin_netpolicy

* minor updates to netpol_errors

* currently disabling exposure-analysis when there are admin-network-policies in the input resources

* some organizations (mainly comments updates)

* updating some todo messages

* updating some todo messages/questions

* todo question

* removing a todo that had an answer for, will add some tests on that case

* fixing single anp conns compute when ingress and egress are intersected (not fully matched)

* Update pkg/internal/netpolerrors/netpol_errors.go

Co-authored-by: Tanya <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <[email protected]>

* update todo msg

* some fixes to anp so it matches latest apis

* fixing port-set union func

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/internal/common/connectionset.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* go.mod + lint fix

* adding todo comment

* fixes in subtract

* one line func eliminated

* uniqueness names are required for netpols and admin-netpols

* hasNetpols considers ANPs too

* Tests for AdminNetworkPolicy (#388)

* Added some ANP tests from policy-assistant.
Fixed a small bug in handling named ports in ANP

* fixing lint errors

* Fixing lint error

* Reorganized testing infrastructure for tests from parsed resources - creating pod and namespace resources per test; reading expected results from file.
Added more tests from policy assistant.

* fixing lint errors

* return error if ANPs are without name or not unique names

* Revert "return error if ANPs are without name or not unique names"

This reverts commit 1805549.

* Added ANP/BANP names in tests.
Added more tests, including BANP tests, currently commented out.

* Fixed lint errors.

* Fixed lint errors

* Added eval parsed resources tests (along with connlist tests).
Moved all parsed resources tests to a separate file.

* fixing lint errors

* fixing lint errors

* Added testing of CheckIfAllowed and CheckIfAllowedNew

* fixing lint errors

* making linter happy

* Reorganized eval ANP tests, to not depend on connlist.

* Small fixes.

* small fixes

* Changed expected results to not use "all but" expressions.

* making linter happy

* making linter happy

* making lint happy

* making linter happy

* make linter happy

* Creating k8sObjects during a test run, rather than in a test creation.

* making lint happy

* make lint happy

* linter

* shutting up linter

* Moved to parsed_resources_tests some functions used only there.

* Added fake pod status IP fields

* Avoiding unnecessary exports;
Fixing lint errors.

* Making linter happy

* Update pkg/internal/testutils/parsed_resources_tests.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/internal/testutils/parsed_resources_tests.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Fixed typos;
removed unneeded change.

---------

Co-authored-by: shireenf-ibm <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>

* updating some todo comment which were updated in BANP PR

* sort anps only once before allowed-conns computes (#402)

* sort anps only once before allowed-conns computes

* support_banp (#403)

* support_banp+tests

* removing lint note

* fix merge errors

* why failed to use generics for duplicated code in egressRuleSelectsPeer and ingressRuleSelectsPeer

* banp tests with swapped rules

* integrating Tanya's tests with BANP + adding results; results were compared to policy-assistant, all good

* pass action is not defined for BANP

* more code enhancement, + could not use generics

* adding banp to policy kinds

* adding comment on priority range

* Update pkg/internal/netpolerrors/netpol_errors.go

Co-authored-by: Tanya <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <[email protected]>

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Tanya <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Tanya <[email protected]>

* Update pkg/netpol/eval/internal/k8s/policy_connections.go

Co-authored-by: Tanya <[email protected]>

* some fixes + a new test

* tiny doc update

* demo test

* tiny change to getPoliciesSelectingPod func and deleting the "deprecated" if statements in "getAllAllowedXgressConnsFromNetpols"

* removing redundant if statements

* new parsed tests with expected outputs and a fix to the func computing "intersection" between ANP's  egress-ingress

* fixing implementing approach + some more parsed tests

* tiny doc update

* renaming func

* comment changed

* removing comment

* changing const names

* fixing if else

* code optimizations and re-org

* moving parsed_resources_tests file + some re-orgs

* optimizing collect from banp + fixing one test output

* optimize + fix + tests confirming results - tested  with policy-assistant

* deny examples parallel to the allow examples added previously

* switch

* policy conns

* collect from banp

* updating outputs with empty line at eof

* add anp_banp_blog_demo example

Signed-off-by: adisos <[email protected]>

* update example

Signed-off-by: adisos <[email protected]>

* tiny fix

* update example - add another workload and ns

Signed-off-by: adisos <[email protected]>

* update example

Signed-off-by: adisos <[email protected]>

* min-max priority consts

* moving consts

* renaming some tests + adding blog_test to the connlist_test

* test updates

* updating test

* adding references

* updating test anp_test_6_swapping_rules

* w.i.p supporting networks (ips) + one goodpath test

* lint fix

* first adding the logger to eval pkg

* adding the logger to k8s policy objects

* adding warnings + tests

* adding unit-tests to check expected warnings are written to the logger

* tiny update to avoid unexpected error of peerStr compare

* test update

* test update

* add test details

Signed-off-by: adisos <[email protected]>

* switching sections of adminnetpol.go file

* adding options to policy-engine without breaking the API

* min&max port

* warning consistency + doc update on IPv6

* enhance test

* test : netpol with empty port range

* test anp with named-port-with-ips

* illegal port range errors

* - logging policy warnings - each warning once
- add warnings to funcs called by eval cmd too

* separating computation per direction to avoid unnecessary lines of disjoint ip-blocks

* removing comment

* shorten warnings

* Update pkg/netpol/eval/internal/k8s/adminnetpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* adding objects as option to the policy-engine

* moving logPolicyWarnings to checkIfAllowed

* renaming a func

* adding new func GetWorkloadPeersList

* initiating policyengine with objects considering all options

* avoid dup.

* adding warnings type

* returning only workloads as []Peer for connlist API

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* doc  update

---------

Signed-off-by: adisos <[email protected]>
Co-authored-by: Tanya <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>
Co-authored-by: adisos <[email protected]>
4 people authored Dec 11, 2024
1 parent c4811e0 commit f198af1
Showing 58 changed files with 2,698 additions and 28,836 deletions.
6 changes: 5 additions & 1 deletion docs/connlist_output.md
Expand Up @@ -99,7 +99,11 @@ The frames in the graph represent namespaces of the analyzed cluster.
![svg graph](./connlist_example_svg.svg)


### Possible warning
### Possible warnings
`Route/Ingress specified workload as a backend, but network policies are blocking ingress connections from an arbitrary in-cluster source to this workload. Connectivity map will not include a possibly allowed connection between the ingress controller and this workload.`

Since the analysis assumes the manifest of the ingress controller is unknown, it checks whether an arbitrary workload can access the destination workloads specified in Ingress/Route rules. If such access is not permitted by network policies, this connection is removed from the report. It may be an allowed connection if a network policy specifically allows ingress access to that workload from a specific workload/namespace of the actual ingress controller installed.

`IPv6 addresses are not supported`

While egress rules with `networks` field in an (baseline-)admin-network-policy may select an external destination by IPv6 address format, such addresses will be ignored and omitted from the connectivity report, since the analysis supports only IPv4 addresses for external IP-blocks.
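Review bot: The new `IPv6 addresses are not supported` entry says such addresses are "ignored and omitted from the connectivity report", but it does not spell out the consequence: for a policy whose `networks` peers use IPv6, the report says nothing about those destinations, so it should not be read as a complete picture of egress. State that explicitly. The tests in this commit also assert on warnings for the `nodes` field and for named ports (`alerts.WarnUnsupportedNodesField`, `alerts.WarnPrefixPortName`, `alerts.WarnNamedPortIgnoredForIP`), so those warnings deserve entries under this heading too. Minor: "an (baseline-)admin-network-policy" should be "a (baseline-)admin-network-policy".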
6 changes: 5 additions & 1 deletion pkg/cli/evaluate.go
Expand Up @@ -179,7 +179,11 @@ func runEvalCommand() error {
podNames = append(podNames, sourcePod)
}

pe := eval.NewPolicyEngine()
cLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())
pe, err := eval.NewPolicyEngineWithOptionsList(eval.WithLogger(cLogger))
if err != nil { // will not get here
return err
}

if dirPath != "" {
if err := updatePolicyEngineObjectsFromDirPath(pe, podNames); err != nil {
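Review bot: The `// will not get here` comment on the `if err != nil` check after `eval.NewPolicyEngineWithOptionsList(eval.WithLogger(cLogger))` asserts the branch is unreachable without saying why. Either explain what makes it so (only a logger option is passed in this call, no objects list), or drop the comment and simply return the error, so the check stays honest if more options are added to this call later.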
55 changes: 55 additions & 0 deletions pkg/internal/testutils/testlogger.go
@@ -0,0 +1,55 @@
/*
Copyright 2023- IBM Inc. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
*/

package testutils

import (
"bytes"
"fmt"
"log"
)

// implements logger.Logger (to be used with connlist-analyzer)
type TestLogger struct {
l *log.Logger
buffer *bytes.Buffer
}

// NewTestLogger returns a new TestLogger that writes to a buffer for testing
func NewTestLogger() *TestLogger {
var buf bytes.Buffer
return &TestLogger{
l: log.New(&buf, "", 0),
buffer: &buf,
}
}

// GetLoggerMessages returns logged messages as a string
func (tl *TestLogger) GetLoggerMessages() string {
return tl.buffer.String()
}

// implementing the interface funcs:

// Debugf writes a debug message to the log
func (tl *TestLogger) Debugf(format string, o ...interface{}) {
tl.l.Printf(format, o...)
}

// Infof writes an informative message to the log
func (tl *TestLogger) Infof(format string, o ...interface{}) {
tl.l.Printf(format, o...)
}

// Warnf writes a warning message to the log
func (tl *TestLogger) Warnf(format string, o ...interface{}) {
tl.l.Println(format)
}

// Errorf writes an error message to the log
func (tl *TestLogger) Errorf(err error, format string, o ...interface{}) {
tl.l.Printf("%s: %v", fmt.Sprintf(format, o...), err)
}
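Review bot: `Warnf` discards its arguments: it calls `tl.l.Println(format)` while `Debugf` and `Infof` call `tl.l.Printf(format, o...)`, so any warning logged with format verbs lands in the buffer as the raw template and `GetLoggerMessages` returns text that never appeared in a real log. Change it to `tl.l.Printf(format, o...)`. Separately, `bytes.Buffer` is not safe for concurrent use, so either guard it with a mutex or say on the type that a `TestLogger` must not be shared across parallel tests; the doc comment on `TestLogger` should also start with the type name.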
94 changes: 67 additions & 27 deletions pkg/netpol/connlist/connlist.go
Expand Up @@ -199,14 +199,11 @@ func (ca *ConnlistAnalyzer) hasFatalError() error {

// getPolicyEngine returns a new policy engine considering the exposure analysis option
func (ca *ConnlistAnalyzer) getPolicyEngine(objectsList []parser.K8sObject) (*eval.PolicyEngine, error) {
// TODO: do we need logger in policyEngine?
if !ca.exposureAnalysis {
return eval.NewPolicyEngineWithObjects(objectsList)
return eval.NewPolicyEngineWithOptionsList(eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList))
}
// else build new policy engine with exposure analysis option
pe := eval.NewPolicyEngineWithOptions(ca.exposureAnalysis)
err := pe.AddObjectsForExposureAnalysis(objectsList)
return pe, err
return eval.NewPolicyEngineWithOptionsList(eval.WithExposureAnalysis(), eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList))
}

func (ca *ConnlistAnalyzer) connsListFromParsedResources(objectsList []parser.K8sObject) ([]Peer2PeerConnection, []Peer, error) {
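Review bot: The two return statements in `getPolicyEngine` repeat `eval.WithLogger(ca.logger), eval.WithObjectsList(objectsList)` and differ only by `eval.WithExposureAnalysis()`. Build the option list once, append the exposure option when `ca.exposureAnalysis` is set, and make a single `eval.NewPolicyEngineWithOptionsList` call, so the two modes cannot drift apart when another option is added. The `// else build new policy engine with exposure analysis option` comment can then go.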
Expand Down Expand Up @@ -415,37 +412,74 @@ func convertEvalPeersToConnlistPeer(peers []eval.Peer) []Peer {
return res
}

// getConnectionsList returns connections list from PolicyEngine and ingressAnalyzer objects
// if the exposure-analysis option is on, also computes and updates the exposure-analysis results
func (ca *ConnlistAnalyzer) getConnectionsList(pe *eval.PolicyEngine, ia *ingressanalyzer.IngressAnalyzer) ([]Peer2PeerConnection,
[]Peer, error) {
connsRes := make([]Peer2PeerConnection, 0)
if !pe.HasPodPeers() {
return connsRes, []Peer{}, nil
// getPeersForConnsComputation returns two slices of src and dst peers and a slice of workload peers.
// - srcPeers contains all workload peers from manifests + (if exposure-analysis) representative peers + disjoint ip-blocks
// from ingress policy rules
// - dstPeers contains all workload peers from manifests + (if exposure-analysis) representative peers + disjoint ip-blocks
// from egress policy rules
// - peers is list of workload peers from manifests
func (ca *ConnlistAnalyzer) getPeersForConnsComputation(pe *eval.PolicyEngine) (srcPeers, dstPeers, peers []Peer, err error) {
// get ip-block peers (src ip-block and dst ip-blocks and disjoint of both) extracted from policy rules
srcIpbList, dstIpbList, _, err := pe.GetIPBlockPeersLists()
if err != nil {
ca.errors = append(ca.errors, newResourceEvaluationError(err))
return nil, nil, nil, err
}
// initiate results slices with IpBlock peers (peers are converted []connlist.Peer list to be used in connlist pkg and returned)
srcPeers = convertEvalPeersToConnlistPeer(srcIpbList)
dstPeers = convertEvalPeersToConnlistPeer(dstIpbList)

// get workload peers and ip blocks
peerList, err := pe.GetPeersList()
// get workload peers - peers from manifests
peerList, err := pe.GetWorkloadPeersList()
if err != nil {
ca.errors = append(ca.errors, newResourceEvaluationError(err))
return nil, nil, err
return nil, nil, nil, err
}
// represent peerList as []connlist.Peer list to be returned
peers := convertEvalPeersToConnlistPeer(peerList)
// represent peerList as []connlist.Peer list to be used and returned by connlist pkg
workloadPeers := convertEvalPeersToConnlistPeer(peerList)
// append workload peers to results slices
srcPeers = append(srcPeers, workloadPeers...)
dstPeers = append(dstPeers, workloadPeers...)
peers = workloadPeers

// realAndRepresentativePeers represents []connlist.Peer to be sent to ca.getConnectionsBetweenPeers
realAndRepresentativePeers := peers
// if exposure-analysis is on get representative peers and append to src and dst peers slices
if ca.exposureAnalysis {
representativePeers := pe.GetRepresentativePeersList()
realAndRepresentativePeers = append(realAndRepresentativePeers, convertEvalPeersToConnlistPeer(representativePeers)...)
representativePeers := convertEvalPeersToConnlistPeer(pe.GetRepresentativePeersList())
srcPeers = append(srcPeers, representativePeers...)
dstPeers = append(dstPeers, representativePeers...)
}

// update the ca.peersList from workload peers list (used for updating dot outputs with all workloads from manifests)
ca.peersList = make([]Peer, 0, len(peerList))
for _, p := range peerList {
if ca.isPeerFocusWorkload(p) {
ca.peersList = append(ca.peersList, p)
}
}

return srcPeers, dstPeers, peers, nil
}

// getConnectionsList returns connections list from PolicyEngine and ingressAnalyzer objects
// if the exposure-analysis option is on, also computes and updates the exposure-analysis results
func (ca *ConnlistAnalyzer) getConnectionsList(pe *eval.PolicyEngine, ia *ingressanalyzer.IngressAnalyzer) ([]Peer2PeerConnection,
[]Peer, error) {
connsRes := make([]Peer2PeerConnection, 0)
if !pe.HasPodPeers() {
return connsRes, []Peer{}, nil
}

// srcPeers are : all workload peers from manifests + (if exposure-analysis) representative peers + disjoint ip-blocks
// from ingress policy rules
// dstPeers are : all workload peers from manifests + (if exposure-analysis) representative peers + disjoint ip-blocks
// from egress policy rules
// srcPeers and dstPeers are used to compute allowed conns between peers (to be sent to ca.getConnectionsBetweenPeers)
// peers is the list of workload peers from manifests (to be returned by connlist API)
srcPeers, dstPeers, peers, err := ca.getPeersForConnsComputation(pe)
if err != nil {
return nil, nil, err
}

excludeIngressAnalysis := (ia == nil || ia.IsEmpty())

// if ca.focusWorkload is not empty, check if it exists in the peers before proceeding
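Review bot: `getPeersForConnsComputation` is documented as returning three slices, but it also rebuilds `ca.peersList` and appends to `ca.errors`. Mention both side effects in its doc comment, or move the `ca.peersList` update back into `getConnectionsList` so the helper only computes. The third value of `pe.GetIPBlockPeersLists()` is discarded with `_` although the comment above the call describes it ("disjoint of both"); say in that comment why it is not needed here.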
Expand All @@ -458,11 +492,16 @@ func (ca *ConnlistAnalyzer) getConnectionsList(pe *eval.PolicyEngine, ia *ingres

// compute connections between peers based on pe analysis of network policies
// if exposure-analysis is on, also compute and return the exposures-map
peersAllowedConns, exposureMaps, err := ca.getConnectionsBetweenPeers(pe, realAndRepresentativePeers)
peersAllowedConns, exposureMaps, err := ca.getConnectionsBetweenPeers(pe, srcPeers, dstPeers)
if err != nil {
ca.errors = append(ca.errors, newResourceEvaluationError(err))
return nil, nil, err
}
// log warnings that were raised by the policies during computing the allowed conns between all peers
// note that this ensures any warning is printed only once + all relevant warnings are raised.
// the decision if to print the warnings to the logger is determined by the logger's verbosity - handled by the logger
pe.LogPoliciesWarnings()

connsRes = peersAllowedConns

if ca.exposureAnalysis {
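Review bot: `pe.LogPoliciesWarnings()` is placed after the `if err != nil` return, so when `ca.getConnectionsBetweenPeers` fails, the warnings collected up to that point are never written to the logger. If the engine can log them safely at that stage, call it before the error check (or defer it) so the user sees the unsupported-field warnings alongside the error. In the added comment, "the decision if to print the warnings" reads better as "whether the warnings are printed".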
Expand Down Expand Up @@ -511,7 +550,8 @@ func (ca *ConnlistAnalyzer) existsFocusWorkload(excludeIngressAnalysis bool) (ex

// getConnectionsBetweenPeers returns connections list from PolicyEngine object
// and exposures-map containing the exposed peers data if the exposure-analysis is on , else empty map
func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine, peers []Peer) ([]Peer2PeerConnection, *exposureMaps, error) {
func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine, srcPeers, dstPeers []Peer) ([]Peer2PeerConnection,
*exposureMaps, error) {
connsRes := make([]Peer2PeerConnection, 0)
exposureMaps := &exposureMaps{
ingressExposureMap: map[Peer]*peerXgressExposureData{},
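Review bot: The doc comment above `getConnectionsBetweenPeers` still describes only the return values. With the signature now taking `srcPeers, dstPeers []Peer`, add a line saying what each slice is expected to hold and that they differ in their ip-block peers, as the comment in `getConnectionsList` already does for the caller.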
Expand All @@ -521,10 +561,10 @@ func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine, pe
ingressSet := make(map[Peer]bool, 0)
egressSet := make(map[Peer]bool, 0)

for i := range peers {
srcPeer := peers[i]
for j := range peers {
dstPeer := peers[j]
for i := range srcPeers {
srcPeer := srcPeers[i]
for j := range dstPeers {
dstPeer := dstPeers[j]
if !ca.includePairOfWorkloads(pe, srcPeer, dstPeer) {
continue
}
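Review bot: With the loops now ranging over `srcPeers` and `dstPeers` separately, every source ip-block is paired with every destination ip-block, and the only filter visible here is `ca.includePairOfWorkloads(pe, srcPeer, dstPeer)`. Please confirm that it still rejects ip-block to ip-block pairs and a workload paired with itself now that the two slices have different contents, and add a test case that pins this behaviour.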
102 changes: 100 additions & 2 deletions pkg/netpol/connlist/connlist_test.go
Expand Up @@ -15,6 +15,7 @@ import (
"github.com/np-guard/netpol-analyzer/pkg/internal/output"
"github.com/np-guard/netpol-analyzer/pkg/internal/testutils"
"github.com/np-guard/netpol-analyzer/pkg/manifests/fsscanner"
"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/alerts"
"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/examples"

"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -172,6 +173,16 @@ func TestConnlistAnalyzeFatalErrors(t *testing.T) {
dirName: "np_bad_path_test_1",
errorStrContains: netpolerrors.NPWithSameNameError("default/backend-netpol"),
},
{
name: "Input_dir_has_netpol_with_illegal_port_should_return_fatal_error",
dirName: "np_bad_path_test_2",
errorStrContains: alerts.EndPortWithNamedPortErrStr,
},
{
name: "Input_dir_has_netpol_with_illegal_port_range_should_return_fatal_error",
dirName: "np_test_with_empty_port_range",
errorStrContains: alerts.IllegalPortRangeError(10, 1),
},
// anp & banp bad path tests
{
name: "Input_dir_has_two_admin_netpols_with_same_priority_should_return_fatal_error",
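Review bot: The first added case is named `Input_dir_has_netpol_with_illegal_port_should_return_fatal_error` but expects `alerts.EndPortWithNamedPortErrStr`; name it after the actual condition (an end port combined with a named port) so a failure is readable from the test name alone. The second case hard-codes `alerts.IllegalPortRangeError(10, 1)`; a short comment tying 10 and 1 to the values in the `np_test_with_empty_port_range` manifest would keep the test and its input in sync.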
Expand Down Expand Up @@ -248,6 +259,11 @@ func TestConnlistAnalyzeFatalErrors(t *testing.T) {
dirName: "anp_bad_path_test_17",
errorStrContains: netpolerrors.ANPPortsError,
},
{
name: "Input_dir_has_an_admin_netpol_with_an_illegal_rule_port_range_should_return_fatal_error",
dirName: "anp_test_with_empty_port_range",
errorStrContains: alerts.IllegalPortRangeError(10, 1),
},
{
name: "Input_dir_has_an_admin_netpol_with_an_invalid_ingress_rule_action_should_return_fatal_error",
dirName: "anp_bad_path_test_18",
Expand Down Expand Up @@ -563,6 +579,59 @@ func TestErrorsAndWarningsConnlistFromDirPathOnly(t *testing.T) {
}
}

func TestLoggerWarnings(t *testing.T) {
// this test contains writing to a buffer , so it is not running in parallel to other tests.
// (we need to add mutex to the TestLogger if we wish to run the tests in parallel)
cases := []struct {
name string
dirName string
expectedWarningsStrContains []string
}{
{
name: "input_admin_policy_contains_nodes_egress_peer_should_get_warning",
dirName: "anp_and_banp_using_networks_and_nodes_test",
expectedWarningsStrContains: []string{alerts.WarnUnsupportedNodesField},
},
{
name: "input_admin_policy_contains_ipv6_addresses_in_networks_egress_peer_should_get_warning",
dirName: "anp_and_banp_using_networks_with_ipv6_test",
expectedWarningsStrContains: []string{alerts.WarnUnsupportedIPv6Address},
},
{
name: "input_admin_policy_contains_unsupported_fields_and_unknown_named_port_should_get_some_warnings",
dirName: "anp_banp_test_multiple_warnings",
expectedWarningsStrContains: []string{
alerts.WarnUnsupportedIPv6Address,
alerts.WarnUnsupportedNodesField,
alerts.WarnPrefixPortName,
},
},
{
name: "input_admin_policy_contains_unknown_port_name_should_get_warning",
dirName: "anp_banp_test_with_named_port_unmatched",
expectedWarningsStrContains: []string{alerts.WarnPrefixPortName},
},
{
name: "input_admin_policy_contains_named_port_with_networks_should_get_warning",
dirName: "anp_test_named_ports_multiple_peers",
expectedWarningsStrContains: []string{alerts.WarnNamedPortIgnoredForIP},
},
}
for _, tt := range cases {
tt := tt
t.Run(tt.name, func(t *testing.T) {
tLogger := testutils.NewTestLogger()
_, _, err := getConnlistFromDirPathRes([]ConnlistAnalyzerOption{WithLogger(tLogger)}, tt.dirName)
require.Nil(t, err, "test: %q", tt.name)
logMsges := tLogger.GetLoggerMessages()
for _, warn := range tt.expectedWarningsStrContains {
require.Contains(t, logMsges, warn,
"test: %q; logger warnings do not contain the expected warning : %q", tt.name, warn)
}
})
}
}

////////////////////////////////////////////////////////////////////////////////////////////////////////////

// TestNotContainedOutputLines tests output for non-expected lines to be contained
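Review bot: `TestLoggerWarnings` checks only `require.Contains`, so it passes even when a warning is written many times, while the comment next to `pe.LogPoliciesWarnings()` in this commit promises that any warning is printed only once. Assert the occurrence count as well, for example with `strings.Count(logMsges, warn)` equal to 1, so a regression in the de-duplication is caught. The `tt := tt` copy is not needed here since the subtests deliberately do not run in parallel.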
Expand All @@ -581,13 +650,13 @@ func TestNotContainedOutputLines(t *testing.T) {
name: "connlist_does_not_contain_connections_from_focus_workload_to_itself",
dirName: "ipblockstest",
focusWorkload: "calico-node",
expectedResultLen: 49,
expectedResultLen: 43,
extractedLineExample: "kube-system/calico-node[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections",
},
{
name: "connlist_of_dir_does_not_contain_any_line_of_connections_from_workload_to_itself",
dirName: "ipblockstest",
expectedResultLen: 602,
expectedResultLen: 470,
extractedLineExample: "kube-system/calico-node[DaemonSet] => kube-system/calico-node[DaemonSet] : All Connections",
},
}
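Review bot: `expectedResultLen` for `ipblockstest` drops from 49 to 43 and from 602 to 470 with no explanation in the test. Add a comment saying which lines disappeared and why (the commit message mentions separating the computation per direction to avoid unnecessary lines of disjoint ip-blocks), so a reader can tell an intended reduction from connections that were lost from the report.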
Expand Down Expand Up @@ -1500,6 +1569,35 @@ var goodPathTests = []struct {
testDirName: "anp_banp_blog_demo",
outputFormats: ValidFormats,
},
{
testDirName: "anp_and_banp_using_networks_test",
outputFormats: ValidFormats,
},
{
testDirName: "anp_banp_test_with_named_port_matched",
outputFormats: []string{output.DefaultFormat},
},
// anp tests that raise warnings too (@todo add unit test for warning messages!!)
{
testDirName: "anp_and_banp_using_networks_and_nodes_test",
outputFormats: []string{output.DefaultFormat},
},
{
testDirName: "anp_and_banp_using_networks_with_ipv6_test",
outputFormats: []string{output.DefaultFormat},
},
{
testDirName: "anp_banp_test_multiple_warnings",
outputFormats: []string{output.DefaultFormat},
},
{
testDirName: "anp_banp_test_with_named_port_unmatched",
outputFormats: []string{output.DefaultFormat},
},
{
testDirName: "anp_test_named_ports_multiple_peers",
outputFormats: []string{output.DefaultFormat},
},
}

func runParsedResourcesConnlistTests(t *testing.T, testList []examples.ParsedResourcesTest) {
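Review bot: The comment `// anp tests that raise warnings too (@todo add unit test for warning messages!!)` is stale on arrival: `TestLoggerWarnings`, added in this same file, already asserts on the warnings for the five directories listed under it. Drop the `@todo`, or narrow it to what is still not covered.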