-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
pre proccessing policy for general conns #306
pre proccessing policy for general conns #306
Conversation
Some notes: 1. main changes: - step1 : while upserting a new network-policy, scan its ingress and egress rules and store :
notes on step1:
- step2: while scaning the policies selecting a pod for allowed connections computations; updated the pod's general exposure data from the policy's stored data. (when updating the pod's data, checked and replaced 2. notes on
they were never used before and never initialized; |
** TODO:** (for next commit?)
|
some questions/comments:
I think we can find solutions for this, such as adding more api funcs to generate policy engine as desired.
why does it need to be stored in the policy? what if the connection from actual pod to a "fake" (representative) pod depends on a named port? how will this be handled by exposure analysis?
not sure I understand the entire sentence, though I think |
// - the maximal connection-set which the policy's rules allow to all namespaces in the cluster on egress direction | ||
EgressGeneralConns PolicyGeneralRulesConns | ||
|
||
namedPortsToPortNum map[v1.Protocol]map[string]int32 // internal map; map from protocol to map from namedPort which |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the matching of named port to its number is per pod, so why is it stored here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed the handling of named-ports
adding some examples - locally tested :
- an ingress policy; exposes the workload on ingress to entire-cluster on named ports; since the dst is the workload itself - converts the ports to numbers
- an egress policy - which exposes the workload to entire cluster ; on named ports : we will see these potential named ports on the result.
- an example combining named ports and port numbers:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks, the example seem to make sense
True, so do you suggest performing this pre-process only for exposure analysis ?
True, actually I was very unsure when and how to store these; I think also that I don't fully understand when a named port should be converted.. but if it is a "src" (egress conn); should we convert? or keep it as it? (a named port)
in this PR; focused on "general" (entire cluster) connections;
yes that is what I meant |
…nsure initializing empty maps for named ports
next tasks to be done are:
since this PR is already labeled |
ok, let's have these in a new PR |
db2c484
into
new_exposure_analysis_first_branch
issue : #236
sub-task: