Network Config Analyzer
An analyzer for Network Policies and other connectivity-configuration resources
Usage (requires Python 3.8 or above)
python nca.py [--scheme <scheme_file>]
where scheme_file is a yaml file describing what to verify.
Scheme file structure is specified here. See an example scheme file here.
Running without a scheme file
Various predefined queries can be performed without providing a scheme file, using the following command-line configurations.
--sanity <NetworkPolicy set>
    Running several sanity checks on the given set of NetworkPolicies
--equiv <NetworkPolicy set> [--base_np_list <NetworkPolicy set>]
    Semantically comparing two sets of NetworkPolicies to decide whether they allow exactly the same traffic
--interferes <NetworkPolicy set> [--base_np_list <NetworkPolicy set>]
    Checking whether the given set of NetworkPolicies interferes with the base set of NetworkPolicies (allows more traffic between the relevant endpoints)
--permits <NetworkPolicy set> [--base_np_list <NetworkPolicy set>]
    Checking whether the base set of NetworkPolicies permits the traffic explicitly specified in the given set of NetworkPolicies
--forbids <NetworkPolicy set> [--base_np_list <NetworkPolicy set>]
    Checking whether the base set of NetworkPolicies forbids the traffic explicitly specified in the given set of NetworkPolicies
--connectivity <NetworkPolicy set>
    Get the list of allowed connections, as firewall rules, for the given set of NetworkPolicies
--semantic_diff <NetworkPolicy set> [--base_np_list <NetworkPolicy set>]
    Get the connectivity semantic difference between two sets of NetworkPolicies, as firewall rules
<NetworkPolicy set> should be one of:
- a path to a yaml/json file defining NetworkPolicies
- a path to a directory with files containing NetworkPolicies
- a URL of a GHE repository/dir/file with NetworkPolicies
- the string k8s, instructing the tool to take all NetworkPolicies from a Kubernetes cluster (using kubectl)
- the string calico, instructing the tool to take all NetworkPolicies from a Calico cluster (using calicoctl)
- the string istio, instructing the tool to take all AuthorizationPolicies from a Kubernetes cluster (using kubectl)
Running with no command-line options at all is the same as running nca.py --sanity k8s.
Additional command-line switches:
--base_np_list <path to file or 'k8s'>
    The set of NetworkPolicies to compare against in --equiv, --interferes, --permits, --forbids and --semantic_diff
    default: the result of kubectl get netpol -A
    shorthand: -b
--ns_list <path to file or 'k8s'>
    Allows specifying a file to take the list of namespaces from
    default: the result of kubectl get ns
    shorthand: -n
--pod_list <path to a file, 'calico' or 'k8s'>
    Specifies where to take the list of pods/endpoints from
    default: the result of kubectl get pods -A
    shorthand: -p
--base_ns_list <path to file or 'k8s'>
    Specifies a file with the list of namespaces to compare against in --semantic_diff
--base_pod_list <path to a file, 'calico' or 'k8s'>
    Specifies a file with the list of pods/endpoints to compare against in --semantic_diff
--ghe_token <token>
    A valid token to access a GHE repository
--period <minutes>
    Run NCA with the given arguments every specified number of minutes
--daemon
    Run NCA as a daemon. Send and receive data using a REST API.
--output_format <format>
    Output format specification (txt/yaml/csv/md/dot).
    default: txt
    shorthand: -o
--file_out <file name>
    A file path to redirect output into.
    shorthand: -f
--expected_output <file name>
    A file path to the expected query output (for connectivity or semantic_diff queries).
--pr_url <URL>
    Write output as a GitHub PR comment. URL points to the relevant comments resource in the GitHub API.
    e.g., https://api.github.com/repos/shift-left-netconfig/online-boutique/issues/1/comments
--output_endpoints
    Choose the endpoints type in output (pods/deployments).
    default: deployments
Exit Code Meaning:
The exit value of a command-line run without a scheme combines two factors:
- the result of running the query (0/1), as specified here
- the result of comparing the query output with the contents of the expected output file (if given)
It can therefore be in the range 0 to 3, as follows:
- 0: query result is 0, output comparison passed.
- 1: query result is 1, output comparison passed.
- 2: query result is 0, output comparison failed.
- 3: query result is 1, output comparison failed.
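To make the query definitions above and the exit-code scheme concrete, here is an added toy model (not NCA's own code): a policy set is reduced to the set of (src, dst, port) connections it allows, and each query becomes the set operation its description implies. Endpoint names, ports and the sample policy sets are constructed for the illustration; NCA itself derives the allowed connections from real NetworkPolicy resources.

```python
# Added toy model of NCA's scheme-less queries and exit codes (not NCA's own code).
# A policy set is reduced to the set of (src, dst, port) connections it allows;
# the sets below are constructed by hand so the query semantics stand alone.

def equiv(a, b):
    """--equiv: both sets allow exactly the same traffic."""
    return a == b

def interferes(given, base):
    """--interferes: connections the given set allows but the base set does not
    (an empty result means no interference)."""
    return given - base

def permits(given, base):
    """--permits: the base set allows every connection the given set specifies."""
    return given <= base

def forbids(given, base):
    """--forbids: the base set blocks every connection the given set specifies."""
    return given.isdisjoint(base)

def semantic_diff(new, old):
    """--semantic_diff: (connections added by new, connections removed from old)."""
    return new - old, old - new

def connectivity(allowed):
    """--connectivity: allowed connections as firewall-style rules, one per line."""
    return [f"allow {s} -> {d} tcp/{p}" for s, d, p in sorted(allowed)]

def exit_code(query_result, output_mismatch):
    """Exit code of a scheme-less run: bit 0 is the query result (0/1), bit 1 is set
    when the output differs from the --expected_output file, giving 0..3."""
    return (query_result & 1) | (int(output_mismatch) << 1)

# Constructed sample: the policies in effect, a proposed change, and traffic
# that must never be allowed.
BASE = frozenset({("frontend", "cart", 80), ("cart", "payment", 443)})
PROPOSED = BASE | {("frontend", "payment", 443)}
MUST_DENY = frozenset({("cart", "frontend", 80)})

if __name__ == "__main__":
    print("equiv:", equiv(BASE, PROPOSED))                    # False
    print("interferes:", set(interferes(PROPOSED, BASE)))     # the one new connection
    print("permits:", permits(MUST_DENY, BASE))               # False
    print("forbids:", forbids(MUST_DENY, BASE))               # True
    print("diff:", semantic_diff(PROPOSED, BASE))
    print("\n".join(connectivity(PROPOSED)))
    print("exit code for result 1 + output mismatch:", exit_code(1, True))  # 3
```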
Installation
git clone https://github.com/IBM/network-config-analyzer.git
cd network-config-analyzer
python3 -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python network-config-analyzer/nca.py -h
Supported platforms
- Kubernetes
- Calico
- Istio (see what is supported here.)
Contributing
If you have any questions or issues you can create a new issue here.
Pull requests are very welcome! Make sure your patches are well tested. Ideally create a topic branch for every separate change you make. For example:
- Fork the repo
- Create your feature branch (git checkout -b my-new-feature)
- Commit your changes (git commit -am 'Added some feature')
- Push to the branch (git push origin my-new-feature)
- Create a new Pull Request
License
All source files must include a Copyright and License header. The SPDX license header is preferred because it can be easily scanned.
If you would like to see the detailed LICENSE click here.
#
# Copyright 2020- IBM Inc. All rights reserved
# SPDX-License-Identifier: Apache2.0
#
Download files
Source distribution: network-config-analyzer-1.3.1.tar.gz
Built distribution: network_config_analyzer-1.3.1-py3-none-any.whl