8.3. Identifying the differences in allowed connections between project versions


This command helps you understand the differences in allowed connections between two project versions. It analyses the workload and Kubernetes network policy manifests located in each version’s directory and creates a representation of the differences in text format.

You can view connectivity difference reports in a variety of output formats, including text, md, dot, and csv.

Generate a report on connectivity differences between two sets of Kubernetes manifests, including network policies, by using the roxctl netpol connectivity diff command.

Prerequisites

  • You have two folders, dir1 and dir2, each containing Kubernetes manifests, including network policies.

Procedure

  • To find the connectivity differences between the Kubernetes manifests in the specified directories, run the following command:

    $ roxctl netpol connectivity diff --dir1=<folder_path_1> --dir2=<folder_path_2> [flags]

    Specify the path to each folder. A folder can include sub-folders that contain YAML resources and network policies for analysis; the command scans the entire sub-folder tree of both directories.

    For example, <folder_path_1> is netpol-analysis-example-minimal/ and <folder_path_2> is netpol-diff-example-minimal/. Optionally, you can also specify parameters to change the behavior of the command.

    Note

    The command accepts any YAML file that kubectl apply -f would accept; such files are valid inputs for the roxctl netpol connectivity diff command.

    Table 8.3. Example output

    diff-type | source                       | destination                 | dir1           | dir2            | workloads-diff-info
    changed   | default/frontend[Deployment] | default/backend[Deployment] | TCP 9090       | TCP 9090,UDP 53 |
    added     | 0.0.0.0-255.255.255.255      | default/backend[Deployment] | No Connections | TCP 9090        |

    The semantic difference report gives you an overview of the connections that were changed, added, or removed in dir2 compared to the connections allowed in dir1. When you review the output, each line represents one allowed connection that was added, removed, or changed in dir2 compared to dir1.

    If applicable, the workloads-diff-info provides additional details about added or removed workloads related to the added or removed connection.

    For example, if a connection from workload A to workload B is removed because workload B was deleted, the workloads-diff-info indicates that workload B was removed. However, if such a connection was removed only because of network policy changes and neither workload A nor B was deleted, the workloads-diff-info is empty.

In the following example, dir1 is netpol-analysis-example-minimal/, and dir2 is netpol-diff-example-minimal/. The difference between the directories is a small change in the network policy backend-netpol.

Example policy from dir1:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: backend-netpol
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 9090
      protocol: TCP
  podSelector:
    matchLabels:
      app: backendservice
  policyTypes:
  - Ingress
  - Egress
status: {}

The change in dir2 is a hyphen (-) added before the ports attribute. In YAML this turns ports into the start of a second ingress rule, separate from the rule that selects the frontend pods, which produces the difference output shown in the following sections.

8.3.2.1. Syntactic difference output

Procedure

  • Run the following command to compare the contents of the netpols.yaml files in the two specified directories:

    $ diff netpol-diff-example-minimal/netpols.yaml netpol-analysis-example-minimal/netpols.yaml

    Example output

    12c12
    <   - ports:
    ---
    >     ports:

8.3.2.2. Semantic difference output

Procedure

  • Run the following command to analyze the connectivity differences between the Kubernetes manifests and network policies in the two specified directories:

    $ roxctl netpol connectivity diff --dir1=roxctl/netpol/connectivity/diff/testdata/netpol-analysis-example-minimal/ --dir2=roxctl/netpol/connectivity/diff/testdata/netpol-diff-example-minimal

    Example output

    Connectivity diff:
    diff-type: changed, source: default/frontend[Deployment], destination: default/backend[Deployment], dir1:  TCP 9090, dir2: TCP 9090,UDP 53
    diff-type: added, source: 0.0.0.0-255.255.255.255, destination: default/backend[Deployment], dir1:  No Connections, dir2: TCP 9090
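The text-format report above is easy to consume in a review pipeline. The following script is an added example, not part of this documentation or of roxctl: it parses the report lines shown on this page (embedded as a constructed sample), computes which connections each entry newly allows in dir2, and flags entries whose source is the whole IPv4 range, that is, workloads that became reachable from any address. The ANY_ADDRESS string and the "No Connections" handling follow the output on this page; the regular expression is this example's assumption about the line layout.

```python
import re
from dataclasses import dataclass

# Constructed sample: the text-format report shown on this page.
SAMPLE_REPORT = """Connectivity diff:
diff-type: changed, source: default/frontend[Deployment], destination: default/backend[Deployment], dir1:  TCP 9090, dir2: TCP 9090,UDP 53
diff-type: added, source: 0.0.0.0-255.255.255.255, destination: default/backend[Deployment], dir1:  No Connections, dir2: TCP 9090
"""

# The report prints the whole IPv4 range as the source when a policy admits traffic from anywhere.
ANY_ADDRESS = "0.0.0.0-255.255.255.255"

# Assumed line layout, derived from the example output above (keys in fixed order, dir2 runs to end of line).
LINE_RE = re.compile(
    r"^diff-type: (?P<diff_type>\w+), source: (?P<source>.+?), "
    r"destination: (?P<destination>.+?), dir1:\s*(?P<dir1>.+?), dir2:\s*(?P<dir2>.+?)\s*$"
)


@dataclass(frozen=True)
class ConnDiff:
    diff_type: str
    source: str
    destination: str
    dir1: frozenset  # (protocol, port) pairs allowed in dir1
    dir2: frozenset  # (protocol, port) pairs allowed in dir2


def parse_conns(text: str) -> frozenset:
    """Turn 'TCP 9090,UDP 53' into {('TCP', '9090'), ('UDP', '53')}; 'No Connections' is empty."""
    if text.strip() == "No Connections":
        return frozenset()
    return frozenset(tuple(item.strip().split(" ", 1)) for item in text.split(","))


def parse_report(report: str) -> list:
    diffs = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # header line such as 'Connectivity diff:'
        diffs.append(ConnDiff(m["diff_type"], m["source"], m["destination"],
                              parse_conns(m["dir1"]), parse_conns(m["dir2"])))
    return diffs


def newly_allowed(diff: ConnDiff) -> frozenset:
    """Connections permitted in dir2 that dir1 did not allow: the direction a reviewer must inspect."""
    return diff.dir2 - diff.dir1


def external_exposures(diffs: list) -> list:
    """Entries where a workload gains a connection that any external IPv4 address may use."""
    return [d for d in diffs if d.source == ANY_ADDRESS and newly_allowed(d)]


if __name__ == "__main__":
    for d in external_exposures(parse_report(SAMPLE_REPORT)):
        print(f"REVIEW: {d.destination} newly reachable from anywhere on {sorted(newly_allowed(d))}")
```

Run against the real command's output by replacing SAMPLE_REPORT with the captured text; a non-empty result from external_exposures is a reasonable condition for failing a policy change in CI.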
