Merge pull request #107 from seungsoo-lee/master

Update L4/L7 aggregation
accuknox · Jan 25, 2021 · 7ffee3d · 7ffee3d
2 parents 91d12aa + 5dcd639
commit 7ffee3d
Show file tree

Hide file tree

Showing 9 changed files with 352 additions and 204 deletions.
diff --git a/database/mysql/init/flow_management.sql b/database/mysql/init/flow_management.sql
@@ -71,7 +71,5 @@ CREATE TABLE IF NOT EXISTS `auto_policy_config` (
   `l3_aggregation_level` int DEFAULT NULL,
   `l4_aggregation_level` int DEFAULT NULL,
   `l7_aggregation_level` int DEFAULT NULL,
-  `http_url_threshold` int DEFAULT NULL,
-
   PRIMARY KEY (`id`)
 );
diff --git a/scripts/startService.sh b/scripts/startService.sh
@@ -33,8 +33,8 @@ export POLICY_DIR=$KNOX_AUTO_HOME/policies/
 #   all (egress+ingress): 3
 #   egress only: 1
 #   ingress only: 2
-export DISCOVERY_POLICY_TYPES=1
-export DISCOVERY_RULE_TYPES=1
+export DISCOVERY_POLICY_TYPES=3
+export DISCOVERY_RULE_TYPES=511
 
 # skip namepsace info
 export IGNORING_NAMESPACES="kube-system|knox-auto-policy|cilium|hipster"

diff --git a/src/core/configManager.go b/src/core/configManager.go
@@ -15,6 +15,9 @@ var Cfg types.Configuration
 // SkipNamespaces ...
 var SkipNamespaces []string
 
+// HTTPUrlThreshold
+var HTTPUrlThreshold int
+
 func init() {
 	// initially, default -> applied
 	LoadDefaultConfig()
@@ -104,8 +107,8 @@ func LoadDefaultConfig() {
 	Cfg.PolicyDir = libs.GetEnv("POLICY_DIR", "./")
 
 	// discovery types
-	Cfg.DiscoveryPolicyTypes = libs.GetEnvInt("DISCOVERY_POLICY_TYPES", 3)
-	Cfg.DiscoveryRuleTypes = libs.GetEnvInt("DISCOVERY_RULE_TYPES", 511)
+	Cfg.DiscoveryPolicyTypes = libs.GetEnvInt("DISCOVERY_POLICY_TYPES", 3) // 3: all types
+	Cfg.DiscoveryRuleTypes = libs.GetEnvInt("DISCOVERY_RULE_TYPES", 511)   // 511: all rules
 
 	// cidr bits
 	Cfg.CIDRBits = 32
@@ -116,9 +119,14 @@ func LoadDefaultConfig() {
 
 	// aggregation level
 	Cfg.L3AggregationLevel = 3
-	Cfg.L4AggregationLevel = 3
+	Cfg.L4Compression = 3
 	Cfg.L7AggregationLevel = 3
-	Cfg.HTTPUrlThreshold = 3
+
+	if Cfg.L7AggregationLevel == 3 {
+		HTTPUrlThreshold = 3
+	} else if Cfg.L7AggregationLevel == 2 {
+		HTTPUrlThreshold = 5
+	}
 }
 
 // AddConfiguration function

diff --git a/src/core/httpAggregator.go b/src/core/httpAggregator.go
@@ -181,7 +181,7 @@ func (n *Node) aggregateChildNodes() {
 	}
 
 	// step 1: #child nodes > threshold
-	if len(n.childNodes) > Cfg.HTTPUrlThreshold {
+	if len(n.childNodes) > HTTPUrlThreshold {
 		childPaths := []string{}
 		for _, childNode := range n.childNodes {
 			childPaths = append(childPaths, childNode.path)
@@ -433,7 +433,7 @@ func aggreateHTTPPathsNaive(paths []string) []string {
 
 	for key, paths := range depthToPaths {
 		// if threshold over, aggregate it
-		if len(paths) >= Cfg.HTTPUrlThreshold {
+		if len(paths) >= HTTPUrlThreshold {
 			aggregatedPaths = append(aggregatedPaths, key+"/.*")
 		} else {
 			for _, path := range paths {
@@ -480,6 +480,11 @@ func AggregatePaths(treeMap map[string]*Node, paths []string) []string {
 
 // AggregateHTTPRules function
 func AggregateHTTPRules(mergedSrcPerMergedDst map[string][]MergedPortDst) {
+	// if level 1, do not aggregate http path
+	if Cfg.L7AggregationLevel == 1 {
+		return
+	}
+
 	for mergedSrc, dsts := range mergedSrcPerMergedDst {
 		for i, dst := range dsts {
 			// check if dst is for HTTP rules