Version: v0.4.7 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: May 22, 2021 License: MIT Imports: 11 Imported by: 0




View Source
const (
	ActionFeatureCreatePolicy = "action: create policy"
	ActionFeatureUpdatePolicy = "action: update policy"
	ActionFeatureDeletePolicy = "action: delete policy"

	ActionFeatureCreateNamespace    = "action: create namespace"
	ActionFeatureSetNamespaceLabels = "action: set namespace labels"
	ActionFeatureDeleteNamespace    = "action: delete namespace"

	ActionFeatureReadPolicies = "action: read policies"

	ActionFeatureCreatePod    = "action: create pod"
	ActionFeatureSetPodLabels = "action: set pod labels"
	ActionFeatureDeletePod    = "action: delete pod"
View Source
const (
	PolicyFeatureIngress          = "policy with ingress"
	PolicyFeatureEgress           = "policy with egress"
	PolicyFeatureIngressAndEgress = "policy with both ingress and egress"
View Source
const (
	TargetFeatureSpecificNamespace           = "target: specific namespace"
	TargetFeatureNamespaceEmpty              = "target: empty namespace"
	TargetFeaturePodSelectorEmpty            = "target: empty pod selector"
	TargetFeaturePodSelectorMatchLabels      = "target: pod selector match labels"
	TargetFeaturePodSelectorMatchExpressions = "target: pod selector match expression"
View Source
const (
	RuleFeatureAllPeersAllPortsAllProtocols = "all peers on all ports/protocols"

	RuleFeatureSliceEmpty     = "0 rules"
	RuleFeatureSliceSize1     = "1 rule"
	RuleFeatureSliceSize2Plus = "2+ rules"

	PeerFeaturePortSliceEmpty     = "0 port/protocols"
	PeerFeaturePortSliceSize1     = "1 port/protocol"
	PeerFeaturePortSliceSize2Plus = "2+ port/protocols"
	PeerFeatureNumberedPort       = "numbered port"
	PeerFeatureNamedPort          = "named port"
	PeerFeatureNilPort            = "nil port"
	PeerFeatureNilProtocol        = "nil protocol"
	PeerFeatureTCPProtocol        = "policy on TCP"
	PeerFeatureUDPProtocol        = "policy on UDP"
	PeerFeatureSCTPProtocol       = "policy on SCTP"

	PeerFeaturePeerSliceEmpty                    = "0 peers"
	PeerFeaturePeerSliceSize1                    = "1 peer"
	PeerFeaturePeerSliceSize2Plus                = "2+ peers"
	PeerFeatureIPBlockEmptyExcept                = "IPBlock (no except)"
	PeerFeatureIPBlockNonemptyExcept             = "IPBlock with except"
	PeerFeaturePodSelectorNil                    = "peer pod selector nil"
	PeerFeaturePodSelectorEmpty                  = "peer pod selector empty"
	PeerFeaturePodSelectorMatchLabels            = "peer pod selector match labels"
	PeerFeaturePodSelectorMatchExpressions       = "peer pod selector match expression"
	PeerFeatureNamespaceSelectorNil              = "peer namespace selector nil"
	PeerFeatureNamespaceSelectorEmpty            = "peer namespace selector empty"
	PeerFeatureNamespaceSelectorMatchLabels      = "peer namespace selector match labels"
	PeerFeatureNamespaceSelectorMatchExpressions = "peer namespace selector match expression"
View Source
const (
	TagAction        = "action"
	TagTarget        = "target"
	TagDirection     = "direction"
	TagPolicyStack   = "policy-stack"
	TagRule          = "rule"
	TagProtocol      = "protocol"
	TagPort          = "port"
	TagPeerIPBlock   = "peer-ipblock"
	TagPeerPods      = "peer-pods"
	TagMiscellaneous = "miscellaneous"
View Source
const (
	TagCreatePolicy       = "create-policy"
	TagDeletePolicy       = "delete-policy"
	TagUpdatePolicy       = "update-policy"
	TagCreatePod          = "create-pod"
	TagDeletePod          = "delete-pod"
	TagSetPodLabels       = "set-pod-labels"
	TagCreateNamespace    = "create-namespace"
	TagDeleteNamespace    = "delete-namespace"
	TagSetNamespaceLabels = "set-namespace-labels"
View Source
const (
	TagTargetNamespace   = "target-namespace"
	TagTargetPodSelector = "target-pod-selector"
View Source
const (
	TagIngress = "ingress"
	TagEgress  = "egress"
View Source
const (
	TagDenyAll           = "deny-all"
	TagAllowAll          = "allow-all"
	TagAnyPeer           = "any-peer"
	TagAnyPortProtocol   = "any-port-protocol"
	TagMultiPeer         = "multi-peer"
	TagMultiPortProtocol = "multi-port/protocol"
View Source
const (
	TagAllPods           = "all-pods"
	TagPodsByLabel       = "pods-by-label"
	TagAllNamespaces     = "all-namespaces"
	TagNamespacesByLabel = "namespaces-by-label"
	TagPolicyNamespace   = "policy-namespace"
View Source
const (
	TagIPBlockNoExcept   = "ip-block-no-except"
	TagIPBlockWithExcept = "ip-block-with-except"
View Source
const (
	TagAnyPort      = "any-port"
	TagNumberedPort = "numbered-port"
	TagNamedPort    = "named-port"
	TagEndPort      = "end-port"
View Source
const (
	TagTCPProtocol  = "tcp"
	TagUDPProtocol  = "udp"
	TagSCTPProtocol = "sctp"
View Source
const (
	TagPathological = "pathological"
	TagConflict     = "conflict"
	TagExample      = "example"
	TagUpstreamE2E  = "upstream-e2e"
View Source
const (
	ProbeModeServiceName = "service-name"
	ProbeModeServiceIP   = "service-ip"
	ProbeModePodIP       = "pod-ip"


View Source
var (
	ExplicitAllowAll = &NetpolPeers{
		Rules: []*Rule{
	DenyAll = &NetpolPeers{
		Rules: nil,
	// DenyAll2 should be identical to DenyAll -- but just in case :)
	DenyAll2 = &NetpolPeers{
		Rules: []*Rule{},

	AllowAllPodsRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
				NamespaceSelector: &metav1.LabelSelector{},

	AllowAllByPod = &NetpolPeers{
		Rules: []*Rule{AllowAllPodsRule},

	AllowAllByIPRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
				IPBlock: &networkingv1.IPBlock{
					CIDR: "",

	AllowAllByIP = &NetpolPeers{
		Rules: []*Rule{AllowAllByIPRule},

	DenyAllByIPRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{{
			IPBlock: &networkingv1.IPBlock{CIDR: ""},

	DenyAllByIP = &NetpolPeers{
		Rules: []*Rule{DenyAllByIPRule},

	DenyAllByPodRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{{
			NamespaceSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{"this-will-never-happen": "qrs123"},

	DenyAllByPod = &NetpolPeers{
		Rules: []*Rule{DenyAllByPodRule},
View Source
var (
	DenyAllRules  = []*Rule{}
	AllowAllRules = []*Rule{{}}
View Source
var (
	AllowDNSRule = &Rule{
		Ports: []NetworkPolicyPort{
				Protocol: &udp,
				Port:     &port53,
				Protocol: &tcp,
				Port:     &port53,

	AllowDNSPeers = &NetpolPeers{
		Rules: []*Rule{AllowDNSRule},
View Source
var (
	GeneralNetpolTraverser = &NetpolTraverser{
		policy: DefaultPolicyFeatures,
		target: DefaultTargetFeatures,

	IngressNetpolTraverser = &NetpolTraverser{
		ingress:      DefaultIngressOrEgressFeatures,
		ingressRule:  DefaultRuleFeature,
		ingressPeers: DefaultPeerFeatures,
		ingressPeer:  DefaultSinglePeerFeature,
		ingressPorts: DefaultPortFeatures,
		ingressPort:  DefaultSinglePortFeature,

	EgressNetpolTraverser = &NetpolTraverser{
		egress:      DefaultIngressOrEgressFeatures,
		egressRule:  DefaultRuleFeature,
		egressPeers: DefaultPeerFeatures,
		egressPeer:  DefaultSinglePeerFeature,
		egressPorts: DefaultPortFeatures,
		egressPort:  DefaultSinglePortFeature,
View Source
var (
	ProbeAllAvailable = &ProbeConfig{AllAvailable: true, Mode: ProbeModeServiceName}
View Source
var TagSet = map[string]bool{}
View Source
var TagSlice []string
View Source
var TagSubToPrimary = map[string]string{}


func AllowAllEgressDenyAllIngress added in v0.0.10

func AllowAllEgressDenyAllIngress(source *NetpolTarget, dest *NetpolTarget) *conflictCase

func AllowAllIngressDenyAllEgress added in v0.0.10

func AllowAllIngressDenyAllEgress(source *NetpolTarget, dest *NetpolTarget) *conflictCase

func CountTestCasesByTag added in v0.2.5

func CountTestCasesByTag(testCases []*TestCase) map[string]int

func DefaultIngressOrEgressFeatures added in v0.2.4

func DefaultIngressOrEgressFeatures(isIngress bool, peers *NetpolPeers, features map[string]bool)

func DefaultPeerFeatures added in v0.2.4

func DefaultPeerFeatures(isIngress bool, peers []NetworkPolicyPeer, features map[string]bool)

func DefaultPolicyFeatures added in v0.2.4

func DefaultPolicyFeatures(policy *Netpol, features map[string]bool)

func DefaultPortFeatures added in v0.2.4

func DefaultPortFeatures(isIngress bool, npPorts []NetworkPolicyPort, features map[string]bool)

func DefaultRuleFeature added in v0.2.4

func DefaultRuleFeature(isIngress bool, rule *Rule, features map[string]bool)

func DefaultSinglePeerFeature added in v0.2.4

func DefaultSinglePeerFeature(isIngress bool, peer NetworkPolicyPeer, features map[string]bool)

func DefaultSinglePortFeature added in v0.2.4

func DefaultSinglePortFeature(isIngress bool, npPort NetworkPolicyPort, features map[string]bool)

func DefaultTargetFeatures added in v0.2.4

func DefaultTargetFeatures(target *NetpolTarget, features map[string]bool)

func DenyAllEgressAllowAllEgress added in v0.0.10

func DenyAllEgressAllowAllEgress(source *NetpolTarget) *conflictCase

func DenyAllEgressAllowAllEgressByIP added in v0.0.10

func DenyAllEgressAllowAllEgressByIP(source *NetpolTarget) *conflictCase

func DenyAllEgressAllowAllEgressByPod added in v0.0.10

func DenyAllEgressAllowAllEgressByPod(source *NetpolTarget) *conflictCase

func DenyAllEgressByIP added in v0.0.10

func DenyAllEgressByIP(source *NetpolTarget) *conflictCase

func DenyAllEgressByIPAllowAllEgressByPod added in v0.0.10

func DenyAllEgressByIPAllowAllEgressByPod(source *NetpolTarget) *conflictCase

func DenyAllEgressByPod added in v0.0.10

func DenyAllEgressByPod(source *NetpolTarget) *conflictCase

func DenyAllEgressByPodAllowAllEgressByIP added in v0.0.10

func DenyAllEgressByPodAllowAllEgressByIP(source *NetpolTarget) *conflictCase

func DenyAllIngressAllowAllIngress added in v0.0.10

func DenyAllIngressAllowAllIngress(dest *NetpolTarget) *conflictCase

func DenyAllIngressAllowAllIngressByIP added in v0.0.10

func DenyAllIngressAllowAllIngressByIP(dest *NetpolTarget) *conflictCase

func DenyAllIngressAllowAllIngressByPod added in v0.0.10

func DenyAllIngressAllowAllIngressByPod(dest *NetpolTarget) *conflictCase

func DenyAllIngressByIP added in v0.0.10

func DenyAllIngressByIP(dest *NetpolTarget) *conflictCase

func DenyAllIngressByIPAllowAllIngressByPod added in v0.0.10

func DenyAllIngressByIPAllowAllIngressByPod(dest *NetpolTarget) *conflictCase

func DenyAllIngressByPod added in v0.0.10

func DenyAllIngressByPod(dest *NetpolTarget) *conflictCase

func DenyAllIngressByPodAllowAllIngressByIP added in v0.0.10

func DenyAllIngressByPodAllowAllIngressByIP(dest *NetpolTarget) *conflictCase

func MustGetPrimaryTag added in v0.3.0

func MustGetPrimaryTag(subordinateTag string) string

func RunTestCaseGeneratorTests added in v0.2.5

func RunTestCaseGeneratorTests()

func ValidateTags added in v0.3.0

func ValidateTags(tags []string) error


type Action added in v0.1.0

type Action struct {
	CreatePolicy *CreatePolicyAction
	UpdatePolicy *UpdatePolicyAction
	DeletePolicy *DeletePolicyAction

	CreateNamespace    *CreateNamespaceAction
	SetNamespaceLabels *SetNamespaceLabelsAction
	DeleteNamespace    *DeleteNamespaceAction

	ReadNetworkPolicies *ReadNetworkPoliciesAction

	CreatePod    *CreatePodAction
	SetPodLabels *SetPodLabelsAction
	DeletePod    *DeletePodAction

Action: exactly one field must be non-null. This models a discriminated union (sum type).

func CreateNamespace added in v0.2.4

func CreateNamespace(ns string, labels map[string]string) *Action

func CreatePod added in v0.2.4

func CreatePod(namespace string, pod string, labels map[string]string) *Action

func CreatePolicy added in v0.1.0

func CreatePolicy(policy *networkingv1.NetworkPolicy) *Action

func DeleteNamespace added in v0.2.4

func DeleteNamespace(ns string) *Action

func DeletePod added in v0.2.4

func DeletePod(namespace string, pod string) *Action

func DeletePolicy added in v0.1.0

func DeletePolicy(ns string, name string) *Action

func ReadNetworkPolicies added in v0.1.0

func ReadNetworkPolicies(namespaces []string) *Action

func SetNamespaceLabels added in v0.1.0

func SetNamespaceLabels(ns string, labels map[string]string) *Action

func SetPodLabels added in v0.1.0

func SetPodLabels(namespace string, pod string, labels map[string]string) *Action

func UpdatePolicy added in v0.1.0

func UpdatePolicy(policy *networkingv1.NetworkPolicy) *Action

type CreateNamespaceAction added in v0.2.4

type CreateNamespaceAction struct {
	Namespace string
	Labels    map[string]string

type CreatePodAction added in v0.2.4

type CreatePodAction struct {
	Namespace string
	Pod       string
	Labels    map[string]string

type CreatePolicyAction added in v0.1.0

type CreatePolicyAction struct {
	Policy *networkingv1.NetworkPolicy

type DeleteNamespaceAction added in v0.2.4

type DeleteNamespaceAction struct {
	Namespace string

type DeletePodAction added in v0.2.4

type DeletePodAction struct {
	Namespace string
	Pod       string

type DeletePolicyAction added in v0.1.0

type DeletePolicyAction struct {
	Namespace string
	Name      string

type Netpol

type Netpol struct {
	Name        string
	Description string
	Target      *NetpolTarget
	Ingress     *NetpolPeers
	Egress      *NetpolPeers

Netpol helps us to avoid the To/From Ingress/Egress dance. By splitting a NetworkPolicy into Target and Peers, it makes them easier to manipulate.

func AllowDNSPolicy added in v0.1.0

func AllowDNSPolicy(source *NetpolTarget) *Netpol

func BuildPolicy added in v0.2.1

func BuildPolicy(setters ...Setter) *Netpol

func NewNetpol added in v0.2.4

func NewNetpol(policy *NetworkPolicy) *Netpol

func (*Netpol) NetworkPolicy

func (n *Netpol) NetworkPolicy() *NetworkPolicy

func (*Netpol) NetworkPolicySpec added in v0.0.10

func (n *Netpol) NetworkPolicySpec() *NetworkPolicySpec

type NetpolPeers added in v0.0.10

type NetpolPeers struct {
	Rules []*Rule

type NetpolTarget added in v0.0.10

type NetpolTarget struct {
	Namespace   string
	PodSelector metav1.LabelSelector

func NewNetpolTarget added in v0.1.0

func NewNetpolTarget(namespace string, matchLabels map[string]string, matchExpressions []metav1.LabelSelectorRequirement) *NetpolTarget

type NetpolTraverser added in v0.2.4

type NetpolTraverser struct {
	// contains filtered or unexported fields

func (*NetpolTraverser) Traverse added in v0.2.4

func (n *NetpolTraverser) Traverse(policy *Netpol) map[string]bool

type PortProtocol added in v0.2.0

type PortProtocol struct {
	Protocol v1.Protocol
	Port     intstr.IntOrString

type ProbeConfig added in v0.2.0

type ProbeConfig struct {
	AllAvailable bool
	PortProtocol *PortProtocol
	Mode         ProbeMode

ProbeConfig: exactly one field must be non-null (or, in AllAvailable's case, non-false). This

models a discriminated union (sum type).

func NewAllAvailable added in v0.4.0

func NewAllAvailable(mode ProbeMode) *ProbeConfig

func NewProbeConfig added in v0.4.0

func NewProbeConfig(port intstr.IntOrString, protocol v1.Protocol, mode ProbeMode) *ProbeConfig

type ProbeMode added in v0.4.0

type ProbeMode string

func ParseProbeMode added in v0.4.0

func ParseProbeMode(mode string) (ProbeMode, error)

type ReadNetworkPoliciesAction added in v0.1.0

type ReadNetworkPoliciesAction struct {
	Namespaces []string

type Rule

type Rule struct {
	Ports []NetworkPolicyPort
	Peers []NetworkPolicyPeer

func (*Rule) Egress

func (r *Rule) Egress() NetworkPolicyEgressRule

func (*Rule) Ingress

func (r *Rule) Ingress() NetworkPolicyIngressRule

type SetNamespaceLabelsAction added in v0.1.0

type SetNamespaceLabelsAction struct {
	Namespace string
	Labels    map[string]string

type SetPodLabelsAction added in v0.1.0

type SetPodLabelsAction struct {
	Namespace string
	Pod       string
	Labels    map[string]string

type Setter added in v0.2.4

type Setter func(policy *Netpol)

Setter is used to declaratively build network policies

func SetDescription added in v0.2.4

func SetDescription(description string) Setter

func SetNamespace added in v0.2.1

func SetNamespace(ns string) Setter

func SetPeers added in v0.2.1

func SetPeers(isIngress bool, peers []NetworkPolicyPeer) Setter

func SetPodSelector added in v0.2.1

func SetPodSelector(sel metav1.LabelSelector) Setter

func SetPorts added in v0.2.1

func SetPorts(isIngress bool, ports []NetworkPolicyPort) Setter

func SetRules added in v0.2.1

func SetRules(isIngress bool, rules []*Rule) Setter

type StringSet added in v0.2.5

type StringSet map[string]bool

func NewStringSet added in v0.2.5

func NewStringSet(elems ...string) StringSet

func (StringSet) Add added in v0.3.0

func (s StringSet) Add(key string)

func (StringSet) ContainsAny added in v0.2.5

func (s StringSet) ContainsAny(stringSlice []string) bool

func (StringSet) GroupTags added in v0.3.0

func (s StringSet) GroupTags() map[string][]string

func (StringSet) Keys added in v0.2.5

func (s StringSet) Keys() []string

type TestCase added in v0.1.0

type TestCase struct {
	Description string
	Tags        StringSet
	Steps       []*TestStep

func NewSingleStepTestCase added in v0.1.0

func NewSingleStepTestCase(description string, tags StringSet, pp *ProbeConfig, actions ...*Action) *TestCase

func NewTestCase added in v0.1.0

func NewTestCase(description string, tags StringSet, steps ...*TestStep) *TestCase

func (*TestCase) GetFeatures added in v0.2.1

func (t *TestCase) GetFeatures() map[string][]string

type TestCaseGenerator added in v0.1.0

type TestCaseGenerator struct {
	PodIP        string
	AllowDNS     bool
	Namespaces   []string
	Tags         []string
	ExcludedTags []string

TODO Test cases:

1 policy with ingress:

- empty ingress
- ingress with 1 rule
  - empty
  - 1 port
    - empty
    - protocol
    - port
    - port + protocol
  - 2 ports
  - 1 from
    - 8 combos: (nil + nil => might mean ipblock must be non-nil)
      - pod sel: nil, empty, non-empty
      - ns sel: nil, empty, non-empty
    - ipblock
      - no except
      - yes except
  - 2 froms
    - 1 pod/ns, 1 ipblock
    - 2 pod/ns
    - 2 ipblocks
  - 1 port, 1 from
  - 2 ports, 2 froms
- ingress with 2 rules
- ingress with 3 rules

2 policies with ingress 1 policy with egress 2 policies with egress 1 policy with both ingress and egress 2 policies with both ingress and egress

func NewTestCaseGenerator added in v0.2.5

func NewTestCaseGenerator(allowDNS bool, podIP string, namespaces []string, tags []string, excludedTags []string) *TestCaseGenerator

func (*TestCaseGenerator) ActionTestCases added in v0.2.5

func (t *TestCaseGenerator) ActionTestCases() []*TestCase

func (*TestCaseGenerator) ConflictNetworkPolicies added in v0.2.5

func (t *TestCaseGenerator) ConflictNetworkPolicies(source *NetpolTarget, dest *NetpolTarget) []*TestCase

func (*TestCaseGenerator) ConflictTestCases added in v0.2.5

func (t *TestCaseGenerator) ConflictTestCases() []*TestCase

func (*TestCaseGenerator) ExampleTestCases added in v0.2.5

func (t *TestCaseGenerator) ExampleTestCases() []*TestCase

func (*TestCaseGenerator) GenerateAllTestCases added in v0.2.5

func (t *TestCaseGenerator) GenerateAllTestCases() []*TestCase

func (*TestCaseGenerator) GenerateTestCases added in v0.1.0

func (t *TestCaseGenerator) GenerateTestCases() []*TestCase

func (*TestCaseGenerator) PeersTestCases added in v0.2.5

func (t *TestCaseGenerator) PeersTestCases() []*TestCase

func (*TestCaseGenerator) PortProtocolTestCases added in v0.2.5

func (t *TestCaseGenerator) PortProtocolTestCases() []*TestCase

func (*TestCaseGenerator) RulesTestCases added in v0.2.5

func (t *TestCaseGenerator) RulesTestCases() []*TestCase

func (*TestCaseGenerator) SinglePeersTestCases added in v0.2.5

func (t *TestCaseGenerator) SinglePeersTestCases() []*TestCase

func (*TestCaseGenerator) SinglePortProtocolTestCases added in v0.2.5

func (t *TestCaseGenerator) SinglePortProtocolTestCases() []*TestCase

func (*TestCaseGenerator) TargetTestCases added in v0.2.5

func (t *TestCaseGenerator) TargetTestCases() []*TestCase

func (*TestCaseGenerator) TwoPeersTestCases added in v0.2.5

func (t *TestCaseGenerator) TwoPeersTestCases() []*TestCase

func (*TestCaseGenerator) TwoPortProtocolTestCases added in v0.2.5

func (t *TestCaseGenerator) TwoPortProtocolTestCases() []*TestCase

func (*TestCaseGenerator) UpstreamE2ETestCases added in v0.2.5

func (t *TestCaseGenerator) UpstreamE2ETestCases() []*TestCase

func (*TestCaseGenerator) ZeroPeersTestCases added in v0.2.5

func (t *TestCaseGenerator) ZeroPeersTestCases() []*TestCase

func (*TestCaseGenerator) ZeroPortProtocolTestCases added in v0.2.5

func (t *TestCaseGenerator) ZeroPortProtocolTestCases() []*TestCase

type TestStep added in v0.1.0

type TestStep struct {
	Probe   *ProbeConfig
	Actions []*Action

func NewTestStep added in v0.1.0

func NewTestStep(pp *ProbeConfig, actions ...*Action) *TestStep

type UpdatePolicyAction added in v0.1.0

type UpdatePolicyAction struct {
	Policy *networkingv1.NetworkPolicy

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL