@@ -86,6 +86,7 @@ Images are available at [mfenwick100/cyclonus](https://hub.docker.com/r/mfenwick
86
86
docker pull docker.io/mfenwick100/cyclonus:latest
87
87
```
88
88
89
+
89
90
## Integrations
90
91
91
92
### krew plugin
@@ -107,248 +108,10 @@ Cyclonus is available as a [krew/kubectl plugin](https://github.com/mattfenwick/
107
108
108
109
## Cyclonus functionality
109
110
110
- ### Probe
111
-
112
- Run a connectivity probe against a Kubernetes cluster.
113
-
114
- ```
115
- cyclonus probe
116
-
117
- Kube results for:
118
- policy y/allow-all-for-label:
119
- policy y/allow-by-ip:
120
- policy y/allow-label-to-label:
121
- policy y/deny-all:
122
- policy y/deny-all-for-label:
123
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
124
- | - | X/A | X/B | X/C | Y/A | Y/B | Y/C | Z/A | Z/B | Z/C |
125
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
126
- | x/a | . | . | . | X | . | X | . | . | . |
127
- | x/b | . | . | . | X | . | X | . | . | . |
128
- | x/c | . | . | . | X | . | X | . | . | . |
129
- | y/a | . | . | . | X | . | X | . | . | . |
130
- | y/b | . | . | . | X | . | X | . | . | . |
131
- | y/c | . | . | . | . | . | X | . | . | . |
132
- | z/a | . | . | . | X | . | X | . | . | . |
133
- | z/b | . | . | . | X | . | X | . | . | . |
134
- | z/c | . | . | . | X | . | X | . | . | . |
135
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
136
-
137
- 0 wrong, 0 no value, 81 correct, 0 ignored out of 81 total
138
- ```
139
-
140
- ### Policy generator
141
-
142
- For CNI conformance testing.
143
-
144
- Generate network policy test scenarios, install the scenarios one at a time in kubernetes,
145
- and compare actual measured connectivity to expected connectivity using a truth table.
146
-
147
- ```
148
- cyclonus generate \
149
- --mode simple-fragments \
150
- --include conflict,peer-ipblock \
151
- --ignore-loopback \
152
- --perturbation-wait-seconds 15
153
-
154
- ...
155
- Tag results:
156
- ```
157
- | Tag | Result |
158
- | --- | --- |
159
- | direction | 10 / 20 = 50% ❌ |
160
- | - egress | 5 / 11 = 45% ❌ |
161
- | - ingress | 5 / 11 = 45% ❌ |
162
- | miscellaneous | 10 / 16 = 62% ❌ |
163
- | - conflict | 10 / 16 = 62% ❌ |
164
- | peer-ipblock | 0 / 4 = 0% ❌ |
165
- | - IP-block-no-except | 0 / 2 = 0% ❌ |
166
- | - IP-block-with-except | 0 / 2 = 0% ❌ |
167
- | peer-pods | 4 / 4 = 100% ✅ |
168
- | - all-namespaces | 4 / 4 = 100% ✅ |
169
- | - all-pods | 4 / 4 = 100% ✅ |
170
- | rule | 6 / 8 = 75% ❌ |
171
- | - allow-all | 2 / 4 = 50% ❌ |
172
- | - deny-all | 6 / 8 = 75% ❌ |
173
-
174
- ### Policy analysis
175
-
176
- #### Explain policies
177
-
178
- Groups policies by target, divides rules into egress and ingress, and gives a basic explanation of the combined
179
- policies. This clarifies the interactions between "denies" and "allows" from multiple policies.
180
-
181
- ```
182
- cyclonus analyze \
183
- --mode explain \
184
- --policy-path ./networkpolicies/simple-example/
185
-
186
- +---------+---------------+------------------------+---------------------+--------------------------+
187
- | TYPE | TARGET | SOURCE RULES | PEER | PORT/PROTOCOL |
188
- +---------+---------------+------------------------+---------------------+--------------------------+
189
- | Ingress | namespace: y | y/allow-label-to-label | no ips | no ports, no protocols |
190
- | | Match labels: | y/deny-all-for-label | | |
191
- | | pod: a | | | |
192
- + + + +---------------------+--------------------------+
193
- | | | | namespace: y | all ports, all protocols |
194
- | | | | pods: Match labels: | |
195
- | | | | pod: c | |
196
- + +---------------+------------------------+---------------------+ +
197
- | | namespace: y | y/allow-all-for-label | all pods, all ips | |
198
- | | Match labels: | | | |
199
- | | pod: b | | | |
200
- + +---------------+------------------------+---------------------+--------------------------+
201
- | | namespace: y | y/allow-by-ip | ports for all IPs | no ports, no protocols |
202
- | | Match labels: | | | |
203
- | | pod: c | | | |
204
- + + + +---------------------+--------------------------+
205
- | | | | 0.0.0.0/24 | all ports, all protocols |
206
- | | | | except [] | |
207
- | | | | | |
208
- + + + +---------------------+--------------------------+
209
- | | | | no pods | no ports, no protocols |
210
- | | | | | |
211
- | | | | | |
212
- + +---------------+------------------------+---------------------+ +
213
- | | namespace: y | y/deny-all | no pods, no ips | |
214
- | | all pods | | | |
215
- +---------+---------------+------------------------+---------------------+--------------------------+
216
- ```
217
-
218
- #### Which policy rules apply to a pod?
219
-
220
- This takes the previous command a step further: it combines the rules from all the targets that apply
221
- to a pod.
222
-
223
- ```
224
- cyclonus analyze \
225
- --mode query-target \
226
- --policy-path ./networkpolicies/simple-example/ \
227
- --target-pod-path ./examples/targets.json
228
-
229
- pod in ns y with labels map[pod:a]:
230
- +---------+---------------+-----------------------------+---------------------+--------------------------+
231
- | TYPE | TARGET | SOURCE RULES | PEER | PORT/PROTOCOL |
232
- +---------+---------------+-----------------------------+---------------------+--------------------------+
233
- | Ingress | namespace: y | y/allow-label-to-label | no ips | no ports, no protocols |
234
- | | Match labels: | y/deny-all-for-label | | |
235
- | | pod: a | y/deny-all | | |
236
- + + + +---------------------+--------------------------+
237
- | | | | namespace: y | all ports, all protocols |
238
- | | | | pods: Match labels: | |
239
- | | | | pod: c | |
240
- +---------+---------------+-----------------------------+---------------------+--------------------------+
241
- | | | | | |
242
- +---------+---------------+-----------------------------+---------------------+--------------------------+
243
- | Egress | namespace: y | y/deny-all-egress | all pods, all ips | all ports, all protocols |
244
- | | Match labels: | y/allow-all-egress-by-label | | |
245
- | | pod: a | | | |
246
- +---------+---------------+-----------------------------+---------------------+--------------------------+
247
- ```
248
-
249
-
250
- #### Will policies allow or block traffic?
251
-
252
- Given arbitrary traffic examples (from a source to a destination, including labels, over a port and protocol),
253
- this command parses network policies and determines if the traffic is allowed or not.
254
-
255
- ```
256
- cyclonus analyze \
257
- --mode query-traffic \
258
- --policy-path ./networkpolicies/simple-example/ \
259
- --traffic-path ./examples/traffic.json
260
-
261
- Traffic:
262
- +--------------------------+-------------+---------------+-----------+-----------+------------+
263
- | PORT/PROTOCOL | SOURCE/DEST | POD IP | NAMESPACE | NS LABELS | POD LABELS |
264
- +--------------------------+-------------+---------------+-----------+-----------+------------+
265
- | 80 (serve-80-tcp) on TCP | source | 192.168.1.99 | y | ns: y | app: c |
266
- + +-------------+---------------+ + +------------+
267
- | | destination | 192.168.1.100 | | | pod: b |
268
- +--------------------------+-------------+---------------+-----------+-----------+------------+
269
-
270
- Is traffic allowed?
271
- +-------------+--------+---------------+
272
- | TYPE | ACTION | TARGET |
273
- +-------------+--------+---------------+
274
- | Ingress | Allow | namespace: y |
275
- | | | Match labels: |
276
- | | | pod: b |
277
- + +--------+---------------+
278
- | | Deny | namespace: y |
279
- | | | all pods |
280
- +-------------+--------+---------------+
281
- | | | |
282
- +-------------+--------+---------------+
283
- | Egress | Deny | namespace: y |
284
- | | | all pods |
285
- +-------------+--------+---------------+
286
- | IS ALLOWED? | FALSE |
287
- +-------------+--------+---------------+
288
- ```
289
-
290
- #### Simulated probe
111
+ - [ run a single network policy test on a cluster] ( ./docs/probe.md )
112
+ - [ run network policy conformance tests on a cluster] ( ./docs/generator.md )
113
+ - [ analyze network policies] ( ./docs/analyze.md ) .
291
114
292
- Runs a simulated connectivity probe against a set of network policies, without using a kubernetes cluster.
293
-
294
- ```
295
- cyclonus analyze \
296
- --mode probe \
297
- --policy-path ./networkpolicies/simple-example/ \
298
- --probe-path ./examples/probe.json
299
-
300
- Combined:
301
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
302
- | | X/A | X/B | X/C | Y/A | Y/B | Y/C | Z/A | Z/B | Z/C |
303
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
304
- | x/a | . | . | . | X | . | X | . | . | . |
305
- | x/b | . | . | . | X | . | X | . | . | . |
306
- | x/c | . | . | . | X | . | X | . | . | . |
307
- | y/a | . | . | . | X | . | X | . | . | . |
308
- | y/b | . | . | . | X | . | X | . | . | . |
309
- | y/c | X | X | X | X | X | X | X | X | X |
310
- | z/a | . | . | . | X | . | X | . | . | . |
311
- | z/b | . | . | . | X | . | X | . | . | . |
312
- | z/c | . | . | . | X | . | X | . | . | . |
313
- +-----+-----+-----+-----+-----+-----+-----+-----+-----+-----+
314
- ```
315
-
316
- #### Linter
317
-
318
- Checks network policies for common problems.
319
-
320
- ```
321
- cyclonus analyze \
322
- --mode lint \
323
- --policy-path ./networkpolicies/simple-example
324
-
325
- +-----------------+------------------------------+-------------------+-----------------------------+
326
- | SOURCE/RESOLVED | TYPE | TARGET | SOURCE POLICIES |
327
- +-----------------+------------------------------+-------------------+-----------------------------+
328
- | Resolved | CheckTargetAllEgressAllowed | namespace: y | y/allow-all-egress-by-label |
329
- | | | | |
330
- | | | pod selector: | |
331
- | | | matchExpressions: | |
332
- | | | - key: pod | |
333
- | | | operator: In | |
334
- | | | values: | |
335
- | | | - a | |
336
- | | | - b | |
337
- | | | | |
338
- +-----------------+------------------------------+-------------------+-----------------------------+
339
- | Resolved | CheckDNSBlockedOnTCP | namespace: y | y/deny-all-egress |
340
- | | | | |
341
- | | | pod selector: | |
342
- | | | {} | |
343
- | | | | |
344
- +-----------------+------------------------------+-------------------+-----------------------------+
345
- | Resolved | CheckDNSBlockedOnUDP | namespace: y | y/deny-all-egress |
346
- | | | | |
347
- | | | pod selector: | |
348
- | | | {} | |
349
- | | | | |
350
- +-----------------+------------------------------+-------------------+-----------------------------+
351
- ```
352
115
353
116
## Sonobuoy plugin
354
117
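Review bot: the three replacement list items in this hunk will not render as Markdown links: there is a space between `]` and `(`, a leading space inside the brackets, and spaces around the path inside the parentheses, so `- [ run a single network policy test on a cluster] ( ./docs/probe.md )` renders as literal bracketed text followed by a parenthesised path rather than a link. Suggest `- [run a single network policy test on a cluster](./docs/probe.md)`, `- [run network policy conformance tests on a cluster](./docs/generator.md)` and `- [analyze network policies](./docs/analyze.md)`, and drop the stray ` .` after the last item. Since the probe, generator, explain, query-target, query-traffic, simulated-probe and lint examples are all removed from the README here, also confirm that `./docs/probe.md`, `./docs/generator.md` and `./docs/analyze.md` are added in the same change so the new list does not point at missing files.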