Documentation
Overview
The controller package of cluster-topology-analyzer discovers the connectivity of a Kubernetes application by analyzing its YAML manifests and looking for network addresses that match. It can output a set of discovered connections or even Kubernetes NetworkPolicies to allow only these connections. For more information, see https://github.com/np-guard/cluster-topology-analyzer.
Index
- Constants
- func NetpolListFromNetpolSlice(netpols []*network.NetworkPolicy) network.NetworkPolicyList
- type ConfigMapKeyNotFoundError
- type ConfigMapNotFoundError
- type DefaultLogger
- type FailedAccessingDirError
- type FailedReadingFileError
- type FailedScanningResource
- type FileProcessingError
- func (e *FileProcessingError) DocumentID() (int, error)
- func (e *FileProcessingError) Error() error
- func (e *FileProcessingError) File() string
- func (e *FileProcessingError) IsFatal() bool
- func (e *FileProcessingError) IsSevere() bool
- func (e *FileProcessingError) LineNo() int
- func (e *FileProcessingError) Location() string
- type Logger
- type MalformedYamlDocError
- type NoK8sResourcesFoundError
- type NoYamlsFoundError
- type NotK8sResourceError
- type PoliciesSynthesizer
- func (ps *PoliciesSynthesizer) ConnectionsFromFolderPath(dirPath string) ([]*common.Connections, error)
- func (ps *PoliciesSynthesizer) ConnectionsFromFolderPaths(dirPaths []string) ([]*common.Connections, error)
- func (ps *PoliciesSynthesizer) Errors() []FileProcessingError
- func (ps *PoliciesSynthesizer) PoliciesFromFolderPath(dirPath string) ([]*networking.NetworkPolicy, error)
- func (ps *PoliciesSynthesizer) PoliciesFromFolderPaths(dirPaths []string) ([]*networking.NetworkPolicy, error)
- type PoliciesSynthesizerOption
- type Verbosity
- type WalkFunction
Constants
const (
	DefaultDNSPort = 53
)
Variables
This section is empty.
Functions
func NetpolListFromNetpolSlice added in v1.3.0
func NetpolListFromNetpolSlice(netpols []*network.NetworkPolicy) network.NetworkPolicyList
NetpolListFromNetpolSlice converts a slice of Kubernetes NetworkPolicies to a Kubernetes NetworkPolicyList containing all the policies in the slice.
Types
type ConfigMapKeyNotFoundError added in v1.6.0
type ConfigMapKeyNotFoundError struct {
	// contains filtered or unexported fields
}
func (*ConfigMapKeyNotFoundError) Error added in v1.6.0
func (err *ConfigMapKeyNotFoundError) Error() string
type ConfigMapNotFoundError added in v1.6.0
type ConfigMapNotFoundError struct {
	// contains filtered or unexported fields
}
func (*ConfigMapNotFoundError) Error added in v1.6.0
func (err *ConfigMapNotFoundError) Error() string
type DefaultLogger added in v1.3.0
type DefaultLogger struct {
	// contains filtered or unexported fields
}
DefaultLogger is the package's built-in logger. It uses log.Default() as the underlying logger.
func (*DefaultLogger) Debugf added in v1.3.0
func (df *DefaultLogger) Debugf(format string, o ...interface{})
Debugf writes a debug message to the log (only if DefaultLogger's verbosity is set to HighVerbosity).
func (*DefaultLogger) Errorf added in v1.3.0
func (df *DefaultLogger) Errorf(err error, format string, o ...interface{})
Errorf writes an error message to the log (regardless of DefaultLogger's verbosity).
func (*DefaultLogger) Infof added in v1.3.0
func (df *DefaultLogger) Infof(format string, o ...interface{})
Infof writes an informative message to the log (only if DefaultLogger's verbosity is set to HighVerbosity).
func (*DefaultLogger) Warnf added in v1.3.0
func (df *DefaultLogger) Warnf(format string, o ...interface{})
Warnf writes a warning message to the log (unless DefaultLogger's verbosity is set to LowVerbosity).
type FailedAccessingDirError added in v1.6.0
type FailedAccessingDirError struct {
	// contains filtered or unexported fields
}
func (*FailedAccessingDirError) Error added in v1.6.0
func (err *FailedAccessingDirError) Error() string
func (*FailedAccessingDirError) Unwrap added in v1.6.0
func (err *FailedAccessingDirError) Unwrap() error
type FailedReadingFileError added in v1.6.0
type FailedReadingFileError struct {
	// contains filtered or unexported fields
}
func (*FailedReadingFileError) Error added in v1.6.0
func (err *FailedReadingFileError) Error() string
func (*FailedReadingFileError) Unwrap added in v1.6.0
func (err *FailedReadingFileError) Unwrap() error
type FailedScanningResource added in v1.6.0
type FailedScanningResource struct {
	// contains filtered or unexported fields
}
func (*FailedScanningResource) Error added in v1.6.0
func (err *FailedScanningResource) Error() string
func (*FailedScanningResource) Unwrap added in v1.6.0
func (err *FailedScanningResource) Unwrap() error
type FileProcessingError added in v1.3.0
type FileProcessingError struct {
	// contains filtered or unexported fields
}
FileProcessingError holds all information about a single error or warning that occurred during the discovery and processing of the connectivity of a given K8s application.
func (*FileProcessingError) DocumentID added in v1.3.0
func (e *FileProcessingError) DocumentID() (int, error)
DocumentID returns the 0-based index of the YAML document within the file in which the error occurred (or an error if not applicable).
func (*FileProcessingError) Error added in v1.3.0
func (e *FileProcessingError) Error() error
Error returns the underlying error.
func (*FileProcessingError) File added in v1.3.0
func (e *FileProcessingError) File() string
File returns the file in which the error occurred (or an empty string if no file context is available).
func (*FileProcessingError) IsFatal added in v1.3.0
func (e *FileProcessingError) IsFatal() bool
IsFatal returns whether the error is considered fatal (no further processing is possible).
func (*FileProcessingError) IsSevere added in v1.3.0
func (e *FileProcessingError) IsSevere() bool
IsSevere returns whether the error is considered severe (further processing is possible, but the results may not be usable).
func (*FileProcessingError) LineNo added in v1.3.0
func (e *FileProcessingError) LineNo() int
LineNo returns the line number in the file at which the error occurred (or 0 if not applicable).
func (*FileProcessingError) Location added in v1.3.0
func (e *FileProcessingError) Location() string
Location returns the file location (filename, line number, document ID) of an error (or an empty string if not applicable).
type Logger added in v1.3.0
type Logger interface {
	Debugf(format string, o ...interface{})
	Infof(format string, o ...interface{})
	Warnf(format string, o ...interface{})
	Errorf(err error, format string, o ...interface{})
}
The Logger interface defines the API for loggers in this package.
func NewDefaultLogger added in v1.3.0
func NewDefaultLogger() Logger
NewDefaultLogger creates an instance of DefaultLogger with the highest verbosity.
func NewDefaultLoggerWithVerbosity added in v1.3.1
NewDefaultLoggerWithVerbosity creates an instance of DefaultLogger with a user-defined verbosity.
type MalformedYamlDocError added in v1.6.0
type MalformedYamlDocError struct {
	// contains filtered or unexported fields
}
func (*MalformedYamlDocError) Error added in v1.6.0
func (err *MalformedYamlDocError) Error() string
func (*MalformedYamlDocError) Unwrap added in v1.6.0
func (err *MalformedYamlDocError) Unwrap() error
type NoK8sResourcesFoundError added in v1.6.0
type NoK8sResourcesFoundError struct{}
func (*NoK8sResourcesFoundError) Error added in v1.6.0
func (err *NoK8sResourcesFoundError) Error() string
type NoYamlsFoundError added in v1.6.0
type NoYamlsFoundError struct{}
func (*NoYamlsFoundError) Error added in v1.6.0
func (err *NoYamlsFoundError) Error() string
type NotK8sResourceError added in v1.6.0
type NotK8sResourceError struct {
	// contains filtered or unexported fields
}
func (*NotK8sResourceError) Error added in v1.6.0
func (err *NotK8sResourceError) Error() string
func (*NotK8sResourceError) Unwrap added in v1.6.0
func (err *NotK8sResourceError) Unwrap() error
type PoliciesSynthesizer added in v1.3.0
type PoliciesSynthesizer struct {
	// contains filtered or unexported fields
}
A PoliciesSynthesizer provides an API to recursively scan a directory for Kubernetes resources and extract the required connectivity between the workloads of the K8s application managed in this directory. It is possible to get either a slice with all the discovered connections or a slice with K8s NetworkPolicies that allow only the discovered connections and nothing more.
Example
package main

import (
	"encoding/json"
	"fmt"
	"os"

	"github.com/np-guard/cluster-topology-analyzer/pkg/controller"
)

func main() {
	logger := controller.NewDefaultLogger()
	synth := controller.NewPoliciesSynthesizer(controller.WithLogger(logger))
	// Scan the sample WordPress manifests and synthesize allow-only policies for them.
	netpols, err := synth.PoliciesFromFolderPath("../../tests/k8s_wordpress_example")
	if err != nil {
		fmt.Fprintf(os.Stderr, "Error synthesizing policies: %v\n", err)
		os.Exit(1)
	}
	buf, _ := json.MarshalIndent(netpols, "", " ")
	fmt.Printf("%v\n", string(buf))
}

Output:
[
  {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": { "name": "wordpress-netpol", "creationTimestamp": null },
    "spec": {
      "podSelector": { "matchLabels": { "app": "wordpress", "tier": "frontend" } },
      "ingress": [
        { "ports": [ { "protocol": "TCP", "port": 80 } ] }
      ],
      "egress": [
        {
          "ports": [ { "protocol": "TCP", "port": 3306 } ],
          "to": [ { "podSelector": { "matchLabels": { "app": "wordpress", "tier": "mysql" } } } ]
        },
        {
          "ports": [ { "protocol": "UDP", "port": 53 } ],
          "to": [ { "namespaceSelector": {} } ]
        }
      ],
      "policyTypes": [ "Ingress", "Egress" ]
    }
  },
  {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": { "name": "wordpress-mysql-netpol", "creationTimestamp": null },
    "spec": {
      "podSelector": { "matchLabels": { "app": "wordpress", "tier": "mysql" } },
      "ingress": [
        {
          "ports": [ { "protocol": "TCP", "port": 3306 } ],
          "from": [ { "podSelector": { "matchLabels": { "app": "wordpress", "tier": "frontend" } } } ]
        }
      ],
      "policyTypes": [ "Ingress", "Egress" ]
    }
  },
  {
    "kind": "NetworkPolicy",
    "apiVersion": "networking.k8s.io/v1",
    "metadata": { "name": "default-deny-in-namespace", "creationTimestamp": null },
    "spec": {
      "podSelector": {},
      "policyTypes": [ "Ingress", "Egress" ]
    }
  }
]
func NewPoliciesSynthesizer added in v1.3.0
func NewPoliciesSynthesizer(options ...PoliciesSynthesizerOption) *PoliciesSynthesizer
NewPoliciesSynthesizer creates a new instance of PoliciesSynthesizer and applies the provided functional options.
func (*PoliciesSynthesizer) ConnectionsFromFolderPath added in v1.3.0
func (ps *PoliciesSynthesizer) ConnectionsFromFolderPath(dirPath string) ([]*common.Connections, error)
ConnectionsFromFolderPath returns a slice of Connections, listing the connections discovered while processing K8s resources under the provided directory or one of its subdirectories (recursively).
func (*PoliciesSynthesizer) ConnectionsFromFolderPaths added in v1.6.0
func (ps *PoliciesSynthesizer) ConnectionsFromFolderPaths(dirPaths []string) ([]*common.Connections, error)
ConnectionsFromFolderPaths returns a slice of Connections, listing the connections discovered while processing K8s resources under the provided directories or one of their subdirectories (recursively).
func (*PoliciesSynthesizer) Errors added in v1.3.0
func (ps *PoliciesSynthesizer) Errors() []FileProcessingError
Errors returns a slice of FileProcessingError with all warnings and errors encountered during processing.
func (*PoliciesSynthesizer) PoliciesFromFolderPath added in v1.3.0
func (ps *PoliciesSynthesizer) PoliciesFromFolderPath(dirPath string) ([]*networking.NetworkPolicy, error)
PoliciesFromFolderPath returns a slice of Kubernetes NetworkPolicies that allow only the connections discovered while processing K8s resources under the provided directory or one of its subdirectories (recursively).
func (*PoliciesSynthesizer) PoliciesFromFolderPaths added in v1.6.0
func (ps *PoliciesSynthesizer) PoliciesFromFolderPaths(dirPaths []string) ([]*networking.NetworkPolicy, error)
PoliciesFromFolderPaths returns a slice of Kubernetes NetworkPolicies that allow only the connections discovered while processing K8s resources under the provided directories or one of their subdirectories (recursively).
type PoliciesSynthesizerOption added in v1.3.0
type PoliciesSynthesizerOption func(*PoliciesSynthesizer)
PoliciesSynthesizerOption is the type for specifying options for PoliciesSynthesizer, using Go's functional options pattern (https://golang.cafe/blog/golang-functional-options-pattern.html).
func WithDNSPort added in v1.7.0
func WithDNSPort(dnsPort int) PoliciesSynthesizerOption
WithDNSPort is a functional option which sets the DNS port allowed by the DNS egress rule of the synthesized policies, in place of DefaultDNSPort (53).
func WithLogger added in v1.3.0
func WithLogger(logger Logger) PoliciesSynthesizerOption
WithLogger is a functional option which sets the logger for a PoliciesSynthesizer to use. The provided logger must conform to the package's Logger interface.
func WithStopOnError added in v1.3.0
func WithStopOnError() PoliciesSynthesizerOption
WithStopOnError is a functional option which directs PoliciesSynthesizer to stop all processing after the first severe error.
func WithWalkFn added in v1.5.0
func WithWalkFn(walkFn WalkFunction) PoliciesSynthesizerOption
WithWalkFn is a functional option allowing the user to provide their own directory-scanning function. The function is used when searching for YAML files; it must have the same signature as filepath.WalkDir.
type Verbosity added in v1.3.1
type Verbosity int
Verbosity is an enumerated type for defining the level of verbosity.
type WalkFunction added in v1.5.0
type WalkFunction func(root string, fn fs.WalkDirFunc) error
WalkFunction is a function for recursively scanning a directory, in the spirit of Go's native filepath.WalkDir(). See https://pkg.go.dev/path/filepath#WalkDir for a full description of how such a function should work.
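WithWalkFn and the WalkFunction type it accepts let a caller replace the default directory walk with one that constrains what gets scanned. The following is an added example, not code from the cluster-topology-analyzer project: BoundedWalkDir (a name assumed here) builds a walker with the filepath.WalkDir signature that skips hidden directories, ignores symlinks and bounds the recursion depth, and ListYamls (also assumed) drives it the way the synthesizer would, so the effect on the set of scanned manifests can be checked before the walker is handed to controller.WithWalkFn.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
)

// BoundedWalkDir builds a walker with the filepath.WalkDir signature (what controller.WithWalkFn
// expects) that skips hidden directories, ignores symlinks and descends at most maxDepth levels.
func BoundedWalkDir(maxDepth int) func(root string, fn fs.WalkDirFunc) error {
	return func(root string, fn fs.WalkDirFunc) error {
		return filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
			if err != nil {
				return fn(path, d, err) // let the synthesizer classify access errors
			}
			rel, _ := filepath.Rel(root, path)                          // WalkDir only yields paths under root
			depth := strings.Count(rel, string(filepath.Separator)) + 1 // 1 = direct child of root
			if d.IsDir() && path != root && (strings.HasPrefix(d.Name(), ".") || depth > maxDepth) {
				return fs.SkipDir // neither descended into nor reported to fn
			}
			if d.Type()&fs.ModeSymlink != 0 {
				return nil // a symlinked manifest may point outside the scanned tree
			}
			return fn(path, d, nil)
		})
	}
}

// ListYamls drives a walker as the synthesizer would and returns root-relative YAML paths.
func ListYamls(root string, walk func(string, fs.WalkDirFunc) error) ([]string, error) {
	var found []string
	err := walk(root, func(path string, d fs.DirEntry, err error) error {
		ext := strings.ToLower(filepath.Ext(path))
		if err != nil || d.IsDir() || (ext != ".yaml" && ext != ".yml") {
			return err // nil for directories and non-YAML files
		}
		rel, _ := filepath.Rel(root, path)
		found = append(found, filepath.ToSlash(rel))
		return nil
	})
	return found, err
}

func main() {
	// Constructed usage: scan the working directory at most two levels deep.
	files, err := ListYamls(".", BoundedWalkDir(2))
	fmt.Println(files, err)
}
```

Because BoundedWalkDir returns an unnamed func type with the expected signature, its result can be passed directly as `controller.WithWalkFn(BoundedWalkDir(2))`.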