test with vm- vm is exposet to all TCP conns

shireenf-ibm · shireenf-ibm · commit ebcf91a8e8fd · 2025-05-06T11:03:25.000+03:00
diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go
@@ -2155,6 +2155,11 @@ var goodPathTests = []struct {
 		testDirName:   "virtual_machines_example",
 		outputFormats: ValidFormats,
 	},
+	{
+		// a test with UDN having a VM and Ingress-Controller; external ingress ports to a service in a UDN are allowed to the VM
+		testDirName:   "udn_with_vm_and_ingress_controller",
+		outputFormats: ValidFormats,
+	},
 }
 
 func runParsedResourcesConnlistTests(t *testing.T, testList []examples.ParsedResourcesTest) {
diff --git a/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go b/pkg/netpol/connlist/internal/ingressanalyzer/ingress_analyzer.go
@@ -385,8 +385,10 @@ func (ia *IngressAnalyzer) getIngressPeerConnection(peer eval.Peer, actualServic
 				return nil, err
 			}
 			// only TCP ports are acceptable for Ingress resource
+			// Note that: if the current peer is a virtual-machine then named-ports will always have no match and be skipped;
+			// since virtual-machine does not specify any ports in its spec; so named-port can not be converted
 			if protocol != string(corev1.ProtocolTCP) || portInt < 0 { // no matching port for the given named port
-				continue
+				continue // skip
 			}
 			portNum = int(portInt)
 		}
diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
@@ -18,6 +18,7 @@ import (
 	"github.com/np-guard/models/pkg/netset"
 
 	"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
+	"github.com/np-guard/netpol-analyzer/pkg/manifests/parser"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/alerts"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
@@ -175,6 +176,10 @@ func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet {
 	case *k8s.IPBlockPeer:
 		return nil
 	case *k8s.WorkloadPeer:
+		// since virtual-machine specs does not contain Ports field(s); assuming it is exposed on all TCP conns
+		if currentPeer.Kind() == parser.VirtualMachine {
+			return common.GetAllTCPConnections()
+		}
 		return currentPeer.Pod.PodExposedTCPConnections()
 	case *k8s.PodPeer:
 		return currentPeer.Pod.PodExposedTCPConnections()
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.csv b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.csv
@@ -0,0 +1,4 @@
+src,dst,conn
+0.0.0.0-255.255.255.255[External],green[udn]/vm-a[VirtualMachine],All Connections
+green[udn]/vm-a[VirtualMachine],0.0.0.0-255.255.255.255[External],All Connections
+{ingress-controller},green[udn]/vm-a[VirtualMachine],"TCP 8000,8090"
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.dot b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.dot
@@ -0,0 +1,13 @@
+digraph {
+	subgraph "cluster_green[udn]" {
+		color="black"
+		fontcolor="black"
+		"green[udn]/vm-a[VirtualMachine]" [label="vm-a[VirtualMachine]" color="blue" fontcolor="blue"]
+		label="green[udn]"
+	}
+	"0.0.0.0-255.255.255.255[External]" [label="0.0.0.0-255.255.255.255[External]" color="red2" fontcolor="red2"]
+	"{ingress-controller}" [label="{ingress-controller}" color="blue" fontcolor="blue"]
+	"0.0.0.0-255.255.255.255[External]" -> "green[udn]/vm-a[VirtualMachine]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5]
+	"green[udn]/vm-a[VirtualMachine]" -> "0.0.0.0-255.255.255.255[External]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1]
+	"{ingress-controller}" -> "green[udn]/vm-a[VirtualMachine]" [label="TCP 8000,8090" color="gold2" fontcolor="darkgreen" weight=1]
+}
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.dot.png b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.dot.png
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.json b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.json
@@ -0,0 +1,17 @@
+[
+  {
+    "src": "0.0.0.0-255.255.255.255[External]",
+    "dst": "green[udn]/vm-a[VirtualMachine]",
+    "conn": "All Connections"
+  },
+  {
+    "src": "green[udn]/vm-a[VirtualMachine]",
+    "dst": "0.0.0.0-255.255.255.255[External]",
+    "conn": "All Connections"
+  },
+  {
+    "src": "{ingress-controller}",
+    "dst": "green[udn]/vm-a[VirtualMachine]",
+    "conn": "TCP 8000,8090"
+  }
+]
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.md b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.md
@@ -0,0 +1,5 @@
+| src | dst | conn |
+|-----|-----|------|
+| 0.0.0.0-255.255.255.255[External] | green[udn]/vm-a[VirtualMachine] | All Connections |
+| green[udn]/vm-a[VirtualMachine] | 0.0.0.0-255.255.255.255[External] | All Connections |
+| {ingress-controller} | green[udn]/vm-a[VirtualMachine] | TCP 8000,8090 |
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.svg b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.svg
@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
+ "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<!-- Generated by graphviz version 2.46.0 (20210118.1747)
+ -->
+<!-- Pages: 1 -->
+<svg width="328pt" height="239pt"
+ viewBox="0.00 0.00 327.89 239.00" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
+<g id="graph0" class="graph" transform="scale(1 1) rotate(0) translate(4 235)">
+<polygon fill="white" stroke="transparent" points="-4,4 -4,-235 323.89,-235 323.89,4 -4,4"/>
+<g id="clust1" class="cluster">
+<title>cluster_green[udn]</title>
+<polygon fill="none" stroke="black" points="36.89,-79 36.89,-154 230.89,-154 230.89,-79 36.89,-79"/>
+<text text-anchor="middle" x="133.89" y="-138.8" font-family="Times New Roman,serif" font-size="14.00">green[udn]</text>
+</g>
+<!-- green[udn]/vm&#45;a[VirtualMachine] -->
+<g id="node1" class="node">
+<title>green[udn]/vm&#45;a[VirtualMachine]</title>
+<ellipse fill="none" stroke="blue" cx="133.89" cy="-105" rx="89.08" ry="18"/>
+<text text-anchor="middle" x="133.89" y="-101.3" font-family="Times New Roman,serif" font-size="14.00" fill="blue">vm&#45;a[VirtualMachine]</text>
+</g>
+<!-- 0.0.0.0&#45;255.255.255.255[External] -->
+<g id="node2" class="node">
+<title>0.0.0.0&#45;255.255.255.255[External]</title>
+<ellipse fill="none" stroke="#ee0000" cx="133.89" cy="-18" rx="133.78" ry="18"/>
+<text text-anchor="middle" x="133.89" y="-14.3" font-family="Times New Roman,serif" font-size="14.00" fill="#ee0000">0.0.0.0&#45;255.255.255.255[External]</text>
+</g>
+<!-- green[udn]/vm&#45;a[VirtualMachine]&#45;&gt;0.0.0.0&#45;255.255.255.255[External] -->
+<g id="edge2" class="edge">
+<title>green[udn]/vm&#45;a[VirtualMachine]&#45;&gt;0.0.0.0&#45;255.255.255.255[External]</title>
+<path fill="none" stroke="#eec900" d="M132.13,-86.93C131.62,-81.23 131.14,-74.85 130.89,-69 130.57,-61.64 130.79,-53.69 131.23,-46.33"/>
+<polygon fill="#eec900" stroke="#eec900" points="134.74,-46.35 131.99,-36.12 127.76,-45.83 134.74,-46.35"/>
+<text text-anchor="middle" x="176.39" y="-57.8" font-family="Times New Roman,serif" font-size="14.00" fill="darkgreen">All Connections</text>
+</g>
+<!-- 0.0.0.0&#45;255.255.255.255[External]&#45;&gt;green[udn]/vm&#45;a[VirtualMachine] -->
+<g id="edge1" class="edge">
+<title>0.0.0.0&#45;255.255.255.255[External]&#45;&gt;green[udn]/vm&#45;a[VirtualMachine]</title>
+<path fill="none" stroke="#eec900" d="M201.76,-33.6C222.4,-41.41 237.03,-52.84 225.89,-69 220.55,-76.75 213.24,-82.78 205.07,-87.48"/>
+<polygon fill="#eec900" stroke="#eec900" points="203.28,-84.46 195.92,-92.08 206.42,-90.72 203.28,-84.46"/>
+<text text-anchor="middle" x="274.39" y="-57.8" font-family="Times New Roman,serif" font-size="14.00" fill="darkgreen">All Connections</text>
+</g>
+<!-- {ingress&#45;controller} -->
+<g id="node3" class="node">
+<title>{ingress&#45;controller}</title>
+<ellipse fill="none" stroke="blue" cx="133.89" cy="-213" rx="82.59" ry="18"/>
+<text text-anchor="middle" x="133.89" y="-209.3" font-family="Times New Roman,serif" font-size="14.00" fill="blue">{ingress&#45;controller}</text>
+</g>
+<!-- {ingress&#45;controller}&#45;&gt;green[udn]/vm&#45;a[VirtualMachine] -->
+<g id="edge3" class="edge">
+<title>{ingress&#45;controller}&#45;&gt;green[udn]/vm&#45;a[VirtualMachine]</title>
+<path fill="none" stroke="#eec900" d="M133.89,-194.97C133.89,-178.38 133.89,-152.88 133.89,-133.43"/>
+<polygon fill="#eec900" stroke="#eec900" points="137.39,-133.34 133.89,-123.34 130.39,-133.34 137.39,-133.34"/>
+<text text-anchor="middle" x="178.39" y="-165.8" font-family="Times New Roman,serif" font-size="14.00" fill="darkgreen">TCP 8000,8090</text>
+</g>
+</g>
+</svg>
diff --git a/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.txt b/test_outputs/connlist/udn_with_vm_and_ingress_controller_connlist_output.txt
@@ -0,0 +1,5 @@
+
+green[udn]:
+0.0.0.0-255.255.255.255[External] => green[udn]/vm-a[VirtualMachine] : All Connections
+green[udn]/vm-a[VirtualMachine] => 0.0.0.0-255.255.255.255[External] : All Connections
+{ingress-controller} => green[udn]/vm-a[VirtualMachine] : TCP 8000,8090
diff --git a/tests/udn_with_vm_and_ingress_controller/green_ns_udn.yaml b/tests/udn_with_vm_and_ingress_controller/green_ns_udn.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: green
+  labels:
+    k8s.ovn.org/primary-user-defined-network: ""
+---
+apiVersion: k8s.ovn.org/v1
+kind: UserDefinedNetwork
+metadata:
+  name: namespace-scoped
+  namespace: green
+spec:
+  topology: Layer2
+  layer2:
+    role: Primary
+    subnets:
+      - 203.203.0.0/16
+    ipam:
+      lifecycle: Persistent
diff --git a/tests/udn_with_vm_and_ingress_controller/ingress_multiple_rules.yaml b/tests/udn_with_vm_and_ingress_controller/ingress_multiple_rules.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ingress-world
+  namespace: green
+spec:
+  rules:
+  - host: ingress.nginx.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vm-service
+            port:
+              number: 8090
+  - host: ingress-2.nginx.example.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: vm-service
+            port:
+              number: 8000           
diff --git a/tests/udn_with_vm_and_ingress_controller/vm.yaml b/tests/udn_with_vm_and_ingress_controller/vm.yaml
@@ -0,0 +1,67 @@
+
+apiVersion: kubevirt.io/v1
+kind: VirtualMachine
+metadata:
+  labels:
+    kubevirt.io/vm: vm-a
+  name: vm-a
+  namespace: green
+spec:
+  runStrategy: Always
+  template:
+    metadata:
+      name: vm-a
+      namespace: green
+      labels:
+        app: ingress-world
+    spec:
+      domain:
+        devices:
+          disks:
+          - disk:
+              bus: virtio
+            name: containerdisk
+          - disk:
+              bus: virtio
+            name: cloudinitdisk
+          interfaces:
+          - name: isolated-namespace
+            binding:
+              name: l2bridge
+          rng: {}
+        resources:
+          requests:
+            memory: 2048M
+      networks:
+      - pod: {}
+        name: isolated-namespace
+      terminationGracePeriodSeconds: 0
+      volumes:
+      - containerDisk:
+          image: quay.io/kubevirt/fedora-with-test-tooling-container-disk:v1.4.0
+        name: containerdisk
+      - cloudInitNoCloud:
+          userData: |-
+            #cloud-config
+            password: fedora
+            chpasswd: { expire: False }
+        name: cloudinitdisk
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: vm-service
+  namespace: green
+spec:
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000
+    - protocol: TCP
+      port: 8050
+      targetPort: 8050
+    - protocol: TCP
+      port: 8090
+      targetPort: 8090
+  selector:
+    app: ingress-world

Original file line number	Diff line number	Diff line change
`@@ -385,8 +385,10 @@ func (ia *IngressAnalyzer) getIngressPeerConnection(peer eval.Peer, actualServic`
`385`	`385`	`return nil, err`
`386`	`386`	`}`
`387`	`387`	`// only TCP ports are acceptable for Ingress resource`
	`388`	`+ // Note that: if the current peer is a virtual-machine then named-ports will always have no match and be skipped;`
	`389`	`+ // since virtual-machine does not specify any ports in its spec; so named-port can not be converted`
`388`	`390`	`if protocol != string(corev1.ProtocolTCP) \|\| portInt < 0 { // no matching port for the given named port`
`389`		`- continue`
	`391`	`+ continue // skip`
`390`	`392`	`}`
`391`	`393`	`portNum = int(portInt)`
`392`	`394`	`}`