Added more explainability tests.

More refined explanation of protocols/ports denied by NPs
np-guard · Jan 6, 2025 · ffe247c · ffe247c
1 parent 929c75d
commit ffe247c
Show file tree

Hide file tree

Showing 5 changed files with 1,657 additions and 66 deletions.
diff --git a/pkg/netpol/connlist/explanation_test.go b/pkg/netpol/connlist/explanation_test.go
@@ -48,25 +48,25 @@ var explainTests = []struct {
 	testDirName   string
 	focusWorkload string
 }{
+	{
+		testDirName: "onlineboutique",
+	},
+	{
+		testDirName: "anp_test_10",
+	},
 	{
 		testDirName: "ipblockstest",
 	},
 	{
 		testDirName: "netpol_named_port_test",
 	},
-	// {
-	// 	testDirName: "anp_test_10",
-	// },
 	{
 		testDirName: "anp_banp_blog_demo",
 	},
 	{
 		testDirName: "anp_banp_blog_demo_2",
 	},
 	// {
-	// 	testDirName: "onlineboutique",
-	// },
-	// {
 	// 	testDirName: "acs-security-demos",
 	// },
 	// {

diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go
@@ -161,14 +161,14 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds
 	}
 	ruleName := np.ruleName(ruleIdx, isIngress)
 	// all protocols are affected by the rule
-	res := common.MakeConnectionSetWithRule(false, ruleName, isIngress)
+	res := common.MakeConnectionSetWithRule(false, explNotReferencedProtocols(ruleName), isIngress)
 	for i := range rulePorts {
 		protocol := v1.ProtocolTCP
 		if rulePorts[i].Protocol != nil {
 			protocol = *rulePorts[i].Protocol
 		}
 		// the whole port range is affected by the rule (not only ports mentioned in the rule)
-		ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress))
+		ports := common.MakeEmptyPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(explNotReferencedPorts(ruleName), isIngress))
 		if rulePorts[i].Port == nil {
 			ports = common.MakeAllPortSetWithImplyingRules(common.MakeImplyingRulesWithRule(ruleName, isIngress))
 		} else {
@@ -212,7 +212,7 @@ func (np *NetworkPolicy) ruleConnections(rulePorts []netv1.NetworkPolicyPort, ds
 	if res.IsEmpty() {
 		// no connections found --> "named ports" of the rule had no match in the pod config
 		// remove empty protocols if any
-		res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamesPortsToDst(ruleName), isIngress)
+		res = common.MakeConnectionSetWithRule(false, explNoMatchOfNamedPortsToDst(ruleName), isIngress)
 	}
 	return res, nil
 }
@@ -419,10 +419,18 @@ func (np *NetworkPolicy) nameWithDirectionAndExpl(isIngress bool, expl string) s
 	return fmt.Sprintf("%s//%s "+expl, np.fullName(), xgress, xgress)
 }
 
-func explNoMatchOfNamesPortsToDst(ruleName string) string {
+func explNoMatchOfNamedPortsToDst(ruleName string) string {
 	return fmt.Sprintf("%s (named ports of the rule have no match in the configuration of the dst peer)", ruleName)
 }
 
+func explNotReferencedPorts(ruleName string) string {
+	return fmt.Sprintf("%s (ports not referenced by the rule)", ruleName)
+}
+
+func explNotReferencedProtocols(ruleName string) string {
+	return fmt.Sprintf("%s (protocols not referenced by the rule)", ruleName)
+}
+
 // GetXgressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer (for Ingress)
 // or from any captured pod to the dst peer (for Egress)
 func (np *NetworkPolicy) GetXgressAllowedConns(src, dst Peer, isIngress bool) (*common.ConnectionSet, error) {

diff --git a/test_outputs/connlist/anp_test_10_explain_output.txt b/test_outputs/connlist/anp_test_10_explain_output.txt
@@ -0,0 +1,57 @@
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]:
+
+ALLOWED UDP:[53] due to the following policies//rules:
+	EGRESS DIRECTION (ALLOWED)
+		1) [ANP] egress-udp//Egress rule allow-to-gryffindor-at-port-53 (Allow)
+	INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+DENIED UDP:[1-52,54-65535] due to the following policies//rules:
+	EGRESS DIRECTION (DENIED)
+		1) [ANP] egress-udp//Egress rule deny-to-gryffindor-everything-else (Deny)
+	INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+DENIED {SCTP,TCP}:[ALL PORTS] due to the following policies//rules:
+	EGRESS DIRECTION (DENIED)
+		1) [ANP] egress-udp//Egress rule deny-to-gryffindor-everything-else (Deny)
+	INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]:
+
+All Connections due to the following policies//rules:
+	EGRESS DIRECTION (ALLOWED)
+		1) [ANP] egress-udp//Egress rule allow-to-ravenclaw-everything (Allow)
+	INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+CONNECTIONS BETWEEN network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]:
+
+ALLOWED UDP:[1-5352,5354-65535] the system default (Allow all)
+
+DENIED UDP:[5353] due to the following policies//rules:
+	EGRESS DIRECTION (DENIED)
+		1) [ANP] egress-udp//Egress rule deny-to-slytherin-at-port-5353 (Deny)
+	INGRESS DIRECTION (ALLOWED) due to the system default (Allow all)
+
+ALLOWED {SCTP,TCP}:[ALL PORTS] the system default (Allow all)
+
+----------------------------------------------------------------------------------------------------------------------------------------------------------------
+The following nodes are connected due to the system default or the assumed default for IPblock (Allow all):
+0.0.0.0-255.255.255.255 => network-policy-conformance-gryffindor/harry-potter[StatefulSet]
+0.0.0.0-255.255.255.255 => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]
+0.0.0.0-255.255.255.255 => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]
+0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]
+network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]
+network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]
+network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]
+network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet]
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet]
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]
+network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]