func AddNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string, val string)
AddNamespaceLabel adds a new label (key=val) to the named namespace.
func AddPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string, newPodLabels map[string]string)
AddPodLabels adds new labels to a running pod
func CreatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
CreatePolicy creates a policy in the given namespace
func DeleteNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string)
DeleteNamespaceLabel deletes a label from a namespace (if present)
func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func ProbePodToPodConnectivity(prober Prober, allPods []TestPod, dnsDomain string, testCase *TestCase)
ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`
func ResetPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string)
ResetPodLabels resets the labels of the pod `name` in `namespace`; its parameters mirror those of AddPodLabels, so it undoes labels added by that helper.
func UpdatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
UpdatePolicy updates a networkpolicy
func ValidateOrFail(k8s *kubeManager, testCase *TestCase)
ValidateOrFail probes the connectivity described by testCase and fails the test if the observed reachability does not match the expected reachability.
Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details
type Container struct { Port int32 Protocol v1.Protocol }
func (c *Container) Name() string
Name returns the container name
func (c *Container) PortName() string
PortName returns the container port name
func (c *Container) Spec() v1.Container
Spec returns the kube container spec
Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth
type Model struct { Namespaces []*Namespace PodNames []string Ports []int32 Protocols []v1.Protocol }
func NewModel(namespaceBaseNames []string, podNames []string, ports []int32, protocols []v1.Protocol) *Model
NewModel instantiates a model from the given namespaceBaseNames, podNames, the ports to listen on, and the protocols to listen on. The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is therefore namespaces x pods x ports x protocols.
func NewWindowsModel(namespaceBaseNames []string, podNames []string, ports []int32) *Model
NewWindowsModel returns a model specific to windows testing.
Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details
type Namespace struct { BaseName string Pods []*Pod }
Peer is used for matching pods by either or both of the pod's namespace and name.
type Peer struct { Namespace string Pod string }
func (p *Peer) Matches(pod PodString) bool
Matches checks whether the Peer matches the PodString: an empty Namespace always matches, otherwise the namespace must equal the PodString's namespace. The same applies to Pod: empty matches every pod, otherwise it must match the pod name exactly.
Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details
type Pod struct { Name string Containers []*Container }
func (p *Pod) ContainerSpecs() []v1.Container
ContainerSpecs builds kubernetes container specs for the pod
func (p *Pod) KubePod(namespace string) *v1.Pod
KubePod returns the kube pod (will add label selectors for windows if needed).
func (p *Pod) Labels() map[string]string
Labels returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors
func (p *Pod) QualifiedServiceAddress(namespace string, dnsDomain string) string
QualifiedServiceAddress returns the fully qualified DNS name of the pod's service in the given namespace under the given cluster DNS domain (compare ServiceName, which is unqualified).
func (p *Pod) Service(namespace string) *v1.Service
Service returns a kube service spec
func (p *Pod) ServiceName(namespace string) string
ServiceName returns the unqualified service name
PodString represents a namespace 'x' + pod 'a' as "x/a".
type PodString string
func NewPodString(namespace string, podName string) PodString
NewPodString instantiates a PodString from the given namespace and name.
func (pod PodString) Namespace() string
Namespace extracts the namespace
func (pod PodString) PodName() string
PodName extracts the pod name
func (pod PodString) String() string
String converts back to a string
ProbeJob packages the data for the input of a pod->pod connectivity probe
type ProbeJob struct { PodFrom TestPod PodTo TestPod PodToServiceIP string ToPort int ToPodDNSDomain string Protocol v1.Protocol ExpectConnectivity bool }
ProbeJobResults packages the data for the results of a pod->pod connectivity probe
type ProbeJobResults struct { Job *ProbeJob IsConnected bool Err error Command string }
Prober abstracts the pod-to-pod probe so that this package is decoupled from k8smanager.go.
type Prober interface {
// contains filtered or unexported methods
}
Reachability packages the data for a cluster-wide connectivity probe
type Reachability struct { Expected *TruthTable Observed *TruthTable PodStrings []PodString }
func NewReachability(podStrings []PodString, defaultExpectation bool) *Reachability
NewReachability instantiates a reachability
func (r *Reachability) AllowLoopback()
AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.
func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
Expect sets the expected value for a single observation
func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)
func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)
func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
ExpectPeer sets expected values using Peer matchers
func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
Observe records a single connectivity observation
func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
PrintSummary prints the summary
func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
Summary produces a useful summary of expected and observed data
type SetFunc func(policy *networkingv1.NetworkPolicy)
func SetGenerateName(name string) SetFunc
func SetObjectMetaLabel(targetLabels map[string]string) SetFunc
func SetObjectMetaName(name string) SetFunc
func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc
func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc
func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc
func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc
TestCase describes the data for a netpol test
type TestCase struct { ToPort int Protocol v1.Protocol Reachability *Reachability }
TestPod represents an actual running pod. For each Pod defined by the model, there will be a corresponding TestPod. TestPod includes some runtime info (namespace name, service IP) which is not available in the model.
type TestPod struct { Namespace string Name string ContainerName string ServiceIP string }
func (pod TestPod) PodString() PodString
TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair
type TruthTable struct { Froms []string Tos []string Values map[string]map[string]bool // contains filtered or unexported fields }
func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable
NewTruthTable creates a new truth table with froms and tos
func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable
NewTruthTableFromItems creates a new truth table with items
func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.
func (tt *TruthTable) Get(from string, to string) bool
Get gets the specified value
func (tt *TruthTable) IsComplete() bool
IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.
func (tt *TruthTable) PrettyPrint(indent string) string
PrettyPrint produces a nice visual representation.
func (tt *TruthTable) Set(from string, to string, value bool)
Set sets the value for from->to
func (tt *TruthTable) SetAllFrom(from string, value bool)
SetAllFrom sets all values where from = 'from'
func (tt *TruthTable) SetAllTo(to string, value bool)
SetAllTo sets all values where to = 'to'