├── .gitattributes ├── .github ├── actions │ └── setup-nca-env │ │ └── action.yml ├── dco.yml └── workflows │ ├── codeql-analysis.yml │ ├── make-github-and-docker-release.yml │ ├── reset-tests-expected-runtime.yml │ ├── scorecard.yml │ ├── test-push.yml │ ├── update-tests-expected-output.yml │ └── update-tests-expected-runtime.yml ├── .gitignore ├── CODE_OF_CONDUCT.md ├── CONTRIBUTING.md ├── Dockerfile ├── Dockerfile.ubi ├── LICENSE ├── MAINTAINERS.md ├── MANIFEST.in ├── README.md ├── SECURITY.md ├── docs ├── CmdLineQueriesResults.md ├── CommonQueryPatterns.md ├── IstioSupport.md ├── SchemeFileFormat.md └── SimulatingLiveClusterMissingResources.md ├── nca ├── CoreDS │ ├── CanonicalHyperCubeSet.py │ ├── CanonicalIntervalSet.py │ ├── ConnectivityCube.py │ ├── ConnectivityProperties.py │ ├── DimensionsManager.py │ ├── MethodSet.py │ ├── MinDFA.py │ ├── Peer.py │ ├── PortSet.py │ ├── ProtocolNameResolver.py │ ├── ProtocolSet.py │ └── __init__.py ├── FWRules │ ├── ClusterInfo.py │ ├── ConnectivityGraph.py │ ├── DotGraph.py │ ├── FWRule.py │ ├── InteractiveConnectivityGraph.py │ ├── MinimizeCsFWRules.py │ ├── MinimizeFWRules.py │ ├── __init__.py │ └── interactiveJsCode.js ├── FileScanners │ ├── DirScanner.py │ ├── GenericTreeScanner.py │ ├── GitScanner.py │ ├── HelmScanner.py │ └── __init__.py ├── NetworkConfig │ ├── LiveSim │ │ ├── dns │ │ │ └── dns_pods.yaml │ │ ├── ingress_controller │ │ │ └── ingress_controller.yaml │ │ └── istio_gateway │ │ │ ├── istio_custom_gateway.yaml │ │ │ ├── istio_egress_gateway.yaml │ │ │ └── istio_ingress_gateway.yaml │ ├── NetworkConfig.py │ ├── NetworkConfigQuery.py │ ├── NetworkConfigQueryRunner.py │ ├── NetworkLayer.py │ ├── PeerContainer.py │ ├── PoliciesFinder.py │ ├── QueryOutputHandler.py │ ├── ResourcesHandler.py │ ├── TopologyObjectsFinder.py │ └── __init__.py ├── Parsers │ ├── CalicoPolicyYamlParser.py │ ├── GenericGatewayYamlParser.py │ ├── GenericYamlParser.py │ ├── IngressPolicyYamlParser.py │ ├── 
IstioGatewayPolicyGenerator.py │ ├── IstioGatewayYamlParser.py │ ├── IstioGenericYamlParser.py │ ├── IstioPolicyYamlParser.py │ ├── IstioServiceEntryYamlParser.py │ ├── IstioSidecarYamlParser.py │ ├── IstioVirtualServiceYamlParser.py │ ├── K8sPolicyYamlParser.py │ ├── K8sServiceYamlParser.py │ └── __init__.py ├── Resources │ ├── OtherResources │ │ ├── Gateway.py │ │ ├── K8sNamespace.py │ │ ├── K8sService.py │ │ ├── VirtualService.py │ │ └── __init__.py │ ├── PolicyResources │ │ ├── CalicoNetworkPolicy.py │ │ ├── GatewayPolicy.py │ │ ├── IstioNetworkPolicy.py │ │ ├── IstioSidecar.py │ │ ├── K8sNetworkPolicy.py │ │ ├── NetworkPolicy.py │ │ └── __init__.py │ └── __init__.py ├── SchemeRunner.py ├── Utils │ ├── CmdlineRunner.py │ ├── ExplTracker.py │ ├── NcaLogger.py │ ├── OutputConfiguration.py │ ├── OutputFilesFlags.py │ ├── Utils.py │ └── __init__.py ├── VERSION.txt ├── __init__.py ├── __main__.py └── nca_cli.py ├── pyproject.toml ├── requirements.txt ├── setup.cfg ├── tekton ├── README.md ├── netpol-diff-plr.yaml ├── netpol-diff-task.yaml ├── netpol-report-plr.yaml └── netpol-report-task.yaml └── tests ├── all_tests_spec.yaml ├── bad_yamls ├── list_of_strings.json ├── single_bracket.json └── tab_in_json.json ├── calico_testcases ├── README.md ├── example_podlist │ ├── hep_and_wep.json │ ├── hep_and_wep_2.json │ ├── ns_list.json │ ├── ns_list_wdc.json │ ├── pods_list.json │ ├── service_and_ingress_resources │ │ ├── ns_list.json │ │ ├── pods_list.json │ │ └── services_list.yaml │ ├── wdc_wep.json │ └── wdc_wep2.json ├── example_policies │ ├── calico-demo │ │ ├── comparsion-scheme.yaml │ │ ├── demo-allow-all-wdc-wep-profiles.yaml │ │ ├── demo-comparsionNew.yaml │ │ ├── demo-comparsionOld.yaml │ │ ├── demo-deny-all-wdc-wep-profiles.yaml │ │ ├── demo-forbids-scheme.yaml │ │ ├── demo-interfere1.yaml │ │ ├── demo-interfere2.yaml │ │ ├── demo-permits-forbids-cnc-fe-not-helm-open.yaml │ │ ├── demo-permits-forbids-cnc-kt-open.yaml │ │ ├── 
demo-permits-forbids-cnc-nlp-open.yaml │ │ ├── demo-permits-forbids-deny-all-profiles.yaml │ │ ├── demo-permits-forbids-global-blacklist-ports.yaml │ │ ├── demo-permits-forbids-global-to-from-outside.yaml │ │ ├── demo-permits-forbids-traffic-between-cnc-evaluation-service-also-out.yaml │ │ ├── demo-permits-forbids-traffic-between-cnc-evaluation-service-no-out.yaml │ │ ├── demo-permits-forbids-traffic-between-compare-and-comply.yaml │ │ ├── demo-permits-scheme.yaml │ │ ├── demo-sanity1-emptySelector.yaml │ │ ├── demo-sanity2-typo-selector-no-effect.yaml │ │ ├── demo-sanity3-redundancy.yaml │ │ ├── interferes-scheme.yaml │ │ ├── sanity1-scheme.yaml │ │ ├── sanity2-scheme.yaml │ │ └── sanity3-scheme.yaml │ ├── common-policies │ │ ├── policy-allow-all.yaml │ │ └── policy-deny-all.yaml │ ├── testcase1 │ │ ├── networkpolicy-with-ns-selector-bad-path-test.yaml │ │ ├── testcase1-different-protocol-nonequiv.yaml │ │ ├── testcase1-empty-globalNetworkpolicy.yaml │ │ ├── testcase1-empty-policy.yaml │ │ ├── testcase1-equiv-global-networkpolicy.yaml │ │ ├── testcase1-equiv-networkpolicy.yaml │ │ ├── testcase1-for-disjointness.yaml │ │ ├── testcase1-nonequiv-global-networkpolicy-with-ns-selector.yaml │ │ ├── testcase1-nonequiv-networkpolicy.yaml │ │ ├── testcase1-open-all-globalNetworkpolicy.yaml │ │ ├── testcase1-open-default.yaml │ │ └── testcase1-scheme.yaml │ ├── testcase10 │ │ ├── testcase10-global-networkpolicies.yaml │ │ ├── testcase10-local-networkpolicies-allow-default.yaml │ │ ├── testcase10-local-networkpolicies-allow-kube-system.yaml │ │ ├── testcase10-local-networkpolicies.yaml │ │ └── testcase10-scheme.yaml │ ├── testcase11 │ │ ├── testcase11-allowFirstDefaultAllow.yaml │ │ ├── testcase11-allowFirstDefaultDeny.yaml │ │ ├── testcase11-denyFirstAlsoEgressDefaultAllow.yaml │ │ ├── testcase11-denyFirstAlsoEgressDefaultDeny.yaml │ │ ├── testcase11-denyFirstDefaultAllow.yaml │ │ ├── testcase11-denyFirstDefaultDeny.yaml │ │ └── testcase11-scheme.yaml │ ├── 
testcase12-interference │ │ ├── testcase12-interference-scheme.yaml │ │ ├── testcase12-kube-system-policies.yaml │ │ └── testcase12-open-kube-system.yaml │ ├── testcase13-protocol │ │ ├── testcase13-also-with-deny.yaml │ │ ├── testcase13-kube-system-different-protocols.yaml │ │ ├── testcase13-kube-system-match-not-protocol.yaml │ │ ├── testcase13-kube-system-match-protocol.yaml │ │ ├── testcase13-kube-system-no-match-not-protocol.yaml │ │ ├── testcase13-open-default-TCP.yaml │ │ └── testcase13-scheme.yaml │ ├── testcase14-icmp │ │ ├── testcase14-default-icmp-no-type.yaml │ │ ├── testcase14-kube-system-match-default-also-within-icmp.yaml │ │ ├── testcase14-kube-system-match-default-only-out-icmp.yaml │ │ ├── testcase14-kube-system-match-notICMP.yaml │ │ ├── testcase14-kube-system-match-within.yaml │ │ ├── testcase14-kube-system-no-match-notICMP.yaml │ │ ├── testcase14-kube-system-non-match-icmp.yaml │ │ ├── testcase14-open-default-also-within-icmp.yaml │ │ ├── testcase14-open-default-only-out-icmp.yaml │ │ └── testcase14-scheme.yaml │ ├── testcase15-ports │ │ ├── ingress_list.yaml │ │ ├── testcase15-equiv-games1.yaml │ │ ├── testcase15-equiv-games2.yaml │ │ ├── testcase15-equiv-games3.yaml │ │ ├── testcase15-equiv-games4.yaml │ │ ├── testcase15-global-not-simple.yaml │ │ ├── testcase15-global-simple.yaml │ │ ├── testcase15-named-ports-rectangles.yaml │ │ ├── testcase15-named-ports.yaml │ │ ├── testcase15-scheme.yaml │ │ └── testcase15-with-ingress-scheme.yaml │ ├── testcase16-nets │ │ ├── testcase16-containment-games.yaml │ │ ├── testcase16-different-ranges-writing-equiv.yaml │ │ └── testcase16-scheme.yaml │ ├── testcase17-sanity │ │ ├── testcase17-conflict1.yaml │ │ ├── testcase17-conflict2.yaml │ │ ├── testcase17-containments-only-deny.yaml │ │ ├── testcase17-empty-globalNetworkpolicy.yaml │ │ ├── testcase17-empty-policy.yaml │ │ ├── testcase17-equiv-global-networkpolicy.yaml │ │ ├── testcase17-equiv-networkpolicy-makes-different-last-denys.yaml │ │ ├── 
testcase17-equiv-networkpolicy-redundant-denys.yaml │ │ ├── testcase17-equiv-networkpolicy.yaml │ │ ├── testcase17-nonequiv-networkpolicy.yaml │ │ ├── testcase17-open-default.yaml │ │ ├── testcase17-scheme.yaml │ │ ├── testcase17-various-containment-between-policies1.yaml │ │ └── testcase17-various-containment-between-policies2.yaml │ ├── testcase18-pass │ │ ├── new_topology │ │ │ └── topology1.yaml │ │ ├── testcase18-pods-based-policies-new.yaml │ │ ├── testcase18-pods-based-policies.yaml │ │ ├── testcase18-ports-based-policies-new.yaml │ │ ├── testcase18-ports-based-policies.yaml │ │ ├── testcase18-scheme.yaml │ │ └── testscase18-new-scheme.yaml │ ├── testcase19-profiles │ │ ├── testcase19-0-1-empty-policy.yaml │ │ ├── testcase19-0-2-allow-all-profiles.yaml │ │ ├── testcase19-0-deny-all-profiles.yaml │ │ ├── testcase19-1-cnc-fe-allow-egress.yaml │ │ ├── testcase19-1-cnc-fe-allow-ingress.yaml │ │ ├── testcase19-10-open-within-cnc-kt-with-policy.yaml │ │ ├── testcase19-11-0-profiles-with-apply-all-cnc-kt.yaml │ │ ├── testcase19-11-open-within-cnc-kt-with-global-labels-apply.yaml │ │ ├── testcase19-12-deny-allow-ingress-namespaces-games-no-egress.yaml │ │ ├── testcase19-13-deny-allow-ingress-namespaces-games-open-egress.yaml │ │ ├── testcase19-14-ingress-allow-deny-pass-games-within-namespace.yaml │ │ ├── testcase19-15-ingress-allow-deny-witoutpass-games-within-namespace.yaml │ │ ├── testcase19-2-policy-cnc-fe-egress-allow.yaml │ │ ├── testcase19-3-profile-kns-cnc-fe-egress-allow.yaml │ │ ├── testcase19-4-policy-cnc-ntsgin-egress-ingress-within-namespace-partly-allow.yaml │ │ ├── testcase19-5-policy-cnc-ntsgin-egress-ingress-within-namespace-partly-allow.yaml │ │ ├── testcase19-5-profiles-cnc-ntsgin-egress-ingress-within-namespace-partly-allow.yaml │ │ ├── testcase19-6-2nd-profiles-cnc-ntsgin-egress-ingress-within-namespace-allow.yaml │ │ ├── testcase19-7-policy-cnc-ntsgin-egress-ingress-within-namespace-all-allow.yaml │ │ ├── 
testcase19-7-profiles-cnc-ntsgin-egress-ingress-within-namespace-all-allow.yaml │ │ ├── testcase19-8-0-specific-egress-between-namespaces-with-profiles.yaml │ │ ├── testcase19-8-1-specific-ingress-between-namespaces-with-policies.yaml │ │ ├── testcase19-9-0-1-specific-egress-with-profiles-missing-apply-labels.yaml │ │ ├── testcase19-9-0-specific-egress-with-profiles-based-on-apply-labels.yaml │ │ ├── testcase19-9-1-specific-ingress-with-policies-based-apply-lables.yaml │ │ └── testcase19-scheme.yaml │ ├── testcase2 │ │ ├── testcase2-global-networkpolicy.yaml │ │ ├── testcase2-networkpolicy.yaml │ │ ├── testcase2-open-vendor-system.yaml │ │ └── testcase2-scheme.yaml │ ├── testcase20-hostendpoint │ │ ├── testcase20-0-gnps.yaml │ │ ├── testcase20-1-empty-globalNetworkpolicy.yaml │ │ ├── testcase20-2-outbound-hep-all-ep.yaml │ │ ├── testcase20-3-outbound-hep-only-to-wep.yaml │ │ ├── testcase20-4-outbound-hep-all-namespaceselector.yaml │ │ ├── testcase20-profiles.yaml │ │ └── testcase20-scheme.yaml │ ├── testcase21-with_k8s │ │ ├── testcase21-Calico-allowAll-globalNetworkpolicy.yaml │ │ ├── testcase21-Calico-allowSpecific-kube-system.yaml │ │ ├── testcase21-k8s-emptyPodSelector.yaml │ │ ├── testcase21-k8s-sanity-allowSpecific-kube-system.yaml │ │ └── testcase21-scheme.yaml │ ├── testcase22-forbids-permits │ │ ├── testcase22-0-allow-all-profiles.yaml │ │ ├── testcase22-0-cnc-evaluation-service-open.yaml │ │ ├── testcase22-0-cnc-fe-not-helm-open.yaml │ │ ├── testcase22-0-cnc-kt-open.yaml │ │ ├── testcase22-0-cnc-nlp-open.yaml │ │ ├── testcase22-0-deny-all-profiles.yaml │ │ ├── testcase22-0-global-blacklist-ports.yaml │ │ ├── testcase22-0-global-to-from-outside.yaml │ │ ├── testcase22-1-traffic-between-cnc-evaluation-service-also-out.yaml │ │ ├── testcase22-2-traffic-between-cnc-evaluation-service-no-out.yaml │ │ ├── testcase22-3-traffic-between-compare-and-comply-no-out.yaml │ │ ├── testcase22-4-empty-policy.yaml │ │ └── testcase22-scheme.yaml │ ├── testcase23-NetworkSet 
│ │ ├── testcase23-networkpolicy-allow-nets.yaml │ │ ├── testcase23-networkpolicy-global-allow-nets.yaml │ │ ├── testcase23-networkpolicy-globalnetworkset.yaml │ │ ├── testcase23-networkpolicy-networkset.yaml │ │ ├── testcase23-profiles.yaml │ │ └── testcase23-scheme.yaml │ ├── testcase24-selector-expression │ │ ├── testcase24-a.yaml │ │ ├── testcase24-b.yaml │ │ ├── testcase24-c.yaml │ │ ├── testcase24-new-scheme.yaml │ │ ├── testcase24-profiles.yaml │ │ └── testcase24-scheme.yaml │ ├── testcase25-mix-k8s-calico-policies │ │ ├── testcase25-networkpolicy-calico-k8s.yaml │ │ └── testcase25-scheme.yaml │ ├── testcase26-multi-layer-policies │ │ ├── hep.yaml │ │ ├── test_documentation.md │ │ ├── testcase26-empty-networkpolicies.yaml │ │ ├── testcase26-ingress-resource-policy.yaml │ │ ├── testcase26-multi-layer-allcaptured-scheme.yaml │ │ ├── testcase26-multi-layer-connectivity-scheme.yaml │ │ ├── testcase26-multi-layer-disjointness-scheme.yaml │ │ ├── testcase26-multi-layer-forbids-scheme.yaml │ │ ├── testcase26-multi-layer-permits-scheme.yaml │ │ ├── testcase26-multi-layer-reduncancy-scheme.yaml │ │ ├── testcase26-multi-layer-semanticdiff-scheme.yaml │ │ ├── testcase26-multi-layer-vacuity-scheme.yaml │ │ ├── testcase26-networkpolicy-calico-allow-all-pods-without-hep.yaml │ │ ├── testcase26-networkpolicy-calico-nginx.yaml │ │ ├── testcase26-networkpolicy-calico-productpage-ingress-from-ratings-tcp-only.yaml │ │ ├── testcase26-networkpolicy-calico-productpage-ingress-from-ratings.yaml │ │ ├── testcase26-networkpolicy-istio-default-allow-productpage.yaml │ │ ├── testcase26-networkpolicy-istio-default-allow.yaml │ │ ├── testcase26-networkpolicy-istio-default-deny.yaml │ │ ├── testcase26-networkpolicy-istio-deny-productpage-ingress-from-ratings.yaml │ │ ├── testcase26-networkpolicy-istio-productpage-ingress-from-ratings.yaml │ │ ├── testcase26-networkpolicy-k8s-default-deny.yaml │ │ ├── testcase26-networkpolicy-k8s-details-open-ingress.yaml │ │ ├── 
testcase26-networkpolicy-k8s-ratings-egress-to-productpage-udp-only.yaml │ │ ├── testcase26-networkpolicy-k8s-ratings-egress-to-productpage.yaml │ │ └── topology │ │ │ ├── default_pods_list.yaml │ │ │ ├── ingress-nginx-pods.yaml │ │ │ ├── istio-system_pods_list.yaml │ │ │ └── services.yaml │ ├── testcase2tag │ │ ├── testcase2tag-global-networkpolicy.yaml │ │ ├── testcase2tag-networkpolicy.yaml │ │ └── testcase2tag-scheme.yaml │ ├── testcase3 │ │ ├── testcase3-networkpolicy-FirstDenySubset.yaml │ │ ├── testcase3-networkpolicy-firstAllowSuperSet.yaml │ │ ├── testcase3-networkpolicy-onlyAllow.yaml │ │ └── testcase3-scheme.yaml │ ├── testcase4 │ │ ├── testcase4-global-networkpolicy1.yaml │ │ ├── testcase4-global-networkpolicy2.yaml │ │ └── testcase4-scheme.yaml │ ├── testcase5 │ │ ├── testcase5-allowFirst.yaml │ │ ├── testcase5-denyFirst.yaml │ │ └── testcase5-scheme.yaml │ ├── testcase6 │ │ ├── testcase6-scheme.yaml │ │ ├── testcase6-subAllow.yaml │ │ ├── testcase6-subDeny.yaml │ │ ├── testcase6-superAllow.yaml │ │ └── testcase6-superDeny.yaml │ ├── testcase7 │ │ ├── testcase7-combined-peercontainer-scheme.yaml │ │ ├── testcase7-globalNetworkpolicy.yaml │ │ └── testcase7-scheme.yaml │ ├── testcase8 │ │ ├── testcase8-networkpolicy.yaml │ │ └── testcase8-scheme.yaml │ └── testcase9 │ │ ├── testcase9-networkpolicy.yaml │ │ └── testcase9-scheme.yaml └── expected_output │ ├── disjointness-various-policies-full-explanation.json │ ├── disjointness-various-policies-full-explanation.txt │ ├── disjointness-various-policies-full-explanation.yaml │ ├── equiv-all-range1.json │ ├── equiv-all-range1.yaml │ ├── global-interferes-local-print-all-pairs.json │ ├── global-interferes-local-print-all-pairs.txt │ ├── global-interferes-local-print-all-pairs.yaml │ ├── multi-layer-all-captured-1.json │ ├── multi-layer-all-captured-1.txt │ ├── multi-layer-all-captured-1.yaml │ ├── sup-allow-and-sub-deny-not-equiv-all-peer-pairs.json │ ├── sup-allow-and-sub-deny-not-equiv-all-peer-pairs.txt │ 
├── sup-allow-and-sub-deny-not-equiv-all-peer-pairs.yaml │ ├── testcase10-has-redundancy.txt │ ├── testcase15_with_ingress_connectivity_map.txt │ ├── testcase16-scheme_output.txt │ ├── testcase18-scheme-pair-wise-interferes-different-ranges-writing-additional-port.txt │ ├── testcase18_connectivity_map.txt │ ├── testcase19-connectivity_map_with_labels_to_apply.txt │ ├── testcase19-deny-all-profiles-connectivity.txt │ ├── testcase25_mix_k8s_calico_connectivity_map.txt │ ├── testcase25_mix_k8s_calico_connectivity_map_1.txt │ ├── testcase25_mix_k8s_calico_connectivity_map_2.txt │ ├── testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt │ ├── testcase26-config-1-k8s-calico-istio-ingress-2_connectivity_map.txt │ ├── testcase26-config-1-k8s-calico-istio-ingress_connectivity_map.txt │ ├── testcase26-config-1-k8s-calico-istio_connectivity_map.txt │ ├── testcase26-config-1-k8s-istio-ingress_connectivity_map.txt │ ├── testcase26-config-no-policies-connectivity-map.txt │ ├── testcase26-semanticDiff-config-1-calico-ingress-config-allow-all.txt │ ├── testcase8-semantic-diff-query.txt │ ├── vacuous-policy-new.json │ ├── vacuous-policy-new.txt │ └── vacuous-policy-new.yaml ├── classes_unit_tests ├── testCanonicalHyperCubeSet.py ├── testCanonicalHyperCubeSetNew.py ├── testCanonicalIntervalSet.py ├── testConnectivityPropertiesNamedPorts.py ├── testMinDFA.py └── testPeerSet.py ├── cmdline_live_istio_tests.yaml ├── cmdline_live_k8s_tests.yaml ├── different_topologies ├── ns_list_a.json ├── ns_list_b.json ├── pods_list_a.json └── pods_list_b.json ├── example_workload_resources ├── cronJob.yaml ├── daemonSet.yaml ├── deployment.yaml ├── job.yaml ├── multiple-workloads.yaml ├── namespaceList.yaml ├── podList.yaml ├── replicaSet.yaml ├── replicationController.yaml └── statefulSet.yaml ├── expected_cmdline_output_files ├── all_subset_mix_query_output.txt ├── basic_connectivity_csv_query_output.txt ├── basic_connectivity_dot_query_output.txt ├── basic_connectivity_expl_output.txt ├── 
basic_connectivity_md_query_output.txt ├── basic_connectivity_specific_nodes_expl_output.txt ├── basic_connectivity_txt_query_output.txt ├── basic_connectivity_yaml_query_output.txt ├── basic_semantic_diff_csv_query_output.txt ├── basic_semantic_diff_md_query_output.txt ├── basic_semantic_diff_query_output.txt ├── basic_semantic_diff_yaml_query_output.txt ├── basic_subset_deployment_query_output.txt ├── basic_subset_label_query_output.txt ├── basic_subset_namespace_query_output.txt ├── different_topologies_semantic_diff_query_output.txt ├── helm_test_multi_chart.txt ├── helm_test_one_chart.txt ├── helm_test_resolved_yaml_in_template_dir.txt ├── helm_test_resolved_yaml_inside_chart.txt ├── helm_test_resolved_yaml_next_to_chart.txt ├── helm_test_resolved_yaml_next_to_multi_charts.txt ├── livesim_test_all_dot.dot ├── livesim_test_all_txt.txt ├── poc1_expl_output.txt ├── subset_deployment_expl_output.txt ├── subset_label2_query_output.txt ├── subset_label_query_output.txt ├── test25_expl_output.txt └── test4_expl_output.txt ├── expected_runtime ├── calico_tests_expected_runtime.csv ├── istio_tests_expected_runtime.csv └── k8s_tests_expected_runtime.csv ├── fw_rules_tests ├── podlist │ ├── bank_ns_list.json │ ├── bank_pod_list.json │ ├── bookinfo_ns_list.json │ ├── bookinfo_pods_list.json │ ├── cyclonus_ns_list.json │ ├── cyclonus_pod_list.json │ ├── hep_and_wep.json │ ├── kubernetes-manifests-new.yaml │ ├── kubernetes-manifests-new1.yaml │ ├── kubernetes-manifests.yaml │ ├── label_expr_test_ns_list.json │ ├── label_expr_test_pod_list.json │ ├── ns_list.json │ ├── ns_list_1.json │ ├── ns_list_2.json │ ├── ns_list_a.json │ ├── ns_list_b.json │ ├── ns_list_orig.json │ ├── ns_list_wdc.json │ ├── poc_ns_list.json │ ├── pods_list.json │ ├── pods_list_2.json │ ├── pods_list_3.json │ ├── pods_list_4.json │ ├── pods_list_5.json │ ├── pods_list_6.json │ ├── pods_list_7.json │ ├── pods_list_8.json │ ├── pods_list_a.json │ ├── pods_list_b.json │ ├── pods_list_orig.json │ ├── 
test_fw_rules_pod_list.yaml │ └── test_subset_topology.yaml └── policies │ ├── calico-policy-deny-all.yaml │ ├── calico-testcase13-open-default-TCP.yaml │ ├── calico-testcase13-scheme.yaml │ ├── calico-testcase14-kube-system-match-default-also-within-icmp.yaml │ ├── calico-testcase14-scheme.yaml │ ├── calico-testcase15-ports-rectangles.yaml │ ├── calico-testcase15-scheme.yaml │ ├── calico-testcase20-0-gnps.yaml │ ├── calico-testcase20-1-empty-globalNetworkpolicy.yaml │ ├── calico-testcase20-2-outbound-hep-all-ep.yaml │ ├── calico-testcase20-3-outbound-hep-only-to-wep.yaml │ ├── calico-testcase20-4-outbound-hep-all-namespaceselector.yaml │ ├── calico-testcase20-profiles.yaml │ ├── calico-testcase20-scheme.yaml │ ├── calico-testcase3-networkpolicy-FirstDenySubset.yaml │ ├── calico-testcase3-networkpolicy-firstAllowSuperSet.yaml │ ├── calico-testcase3-networkpolicy-onlyAllow.yaml │ ├── calico-testcase3-scheme.yaml │ ├── calico-testcase5-allowFirst.yaml │ ├── calico-testcase5-denyFirst.yaml │ ├── calico-testcase5-scheme.yaml │ ├── cyclonus-allow-all-egress-by-label.yaml │ ├── cyclonus-allow-all-for-label.yaml │ ├── cyclonus-allow-by-ip.yaml │ ├── cyclonus-allow-label-to-label.yaml │ ├── cyclonus-deny-all-egress.yaml │ ├── cyclonus-deny-all-for-label.yaml │ ├── cyclonus-deny-all.yaml │ ├── cyclonus-simple-example-scheme.yaml │ ├── empty_net_pols.yaml │ ├── expected_output │ ├── calico-testcase13-scheme_output.txt │ ├── calico-testcase13-scheme_output.yaml │ ├── calico-testcase14-scheme_output.txt │ ├── calico-testcase14-scheme_output.yaml │ ├── calico-testcase15-scheme_output.txt │ ├── calico-testcase15-scheme_output.yaml │ ├── calico-testcase20-Eran_gnps_query_output.txt │ ├── calico-testcase20-Eran_gnps_query_output.yaml │ ├── calico-testcase20-np_1_globalEmpty_with_profiles_query_output.txt │ ├── calico-testcase20-np_1_globalEmpty_with_profiles_query_output.yaml │ ├── calico-testcase20-np_2_all_outbound_hep_query_output.txt │ ├── 
calico-testcase20-np_2_all_outbound_hep_query_output.yaml │ ├── calico-testcase20-np_3_outbound_hep_to_wep_query_output.txt │ ├── calico-testcase20-np_3_outbound_hep_to_wep_query_output.yaml │ ├── calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.txt │ ├── calico-testcase20-np_4_outbound_all_namespaceSelector_query_output.yaml │ ├── calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt │ ├── calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml │ ├── calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt │ ├── calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.yaml │ ├── calico-testcase3_connectivity_map_onlyAllow_query_output.txt │ ├── calico-testcase3_connectivity_map_onlyAllow_query_output.yaml │ ├── calico-testcase5_connectivity_map_allowFirst_query_output.txt │ ├── calico-testcase5_connectivity_map_allowFirst_query_output.yaml │ ├── calico-testcase5_connectivity_map_denyFirst_query_output.txt │ ├── calico-testcase5_connectivity_map_denyFirst_query_output.yaml │ ├── cyclonus-simple-example-scheme_output.txt │ ├── cyclonus-simple-example-scheme_output.yaml │ ├── istio-allow-all-scheme_output.txt │ ├── istio-allow-all-scheme_output.yaml │ ├── istio-allow-nothing-1_query_output.txt │ ├── istio-allow-nothing-1_query_output.yaml │ ├── istio-allow-nothing-2_query_output.txt │ ├── istio-allow-nothing-2_query_output.yaml │ ├── istio-allow-nothing-3_query_output.txt │ ├── istio-allow-nothing-3_query_output.yaml │ ├── istio-bookinfo-connectivity_test_methods_basic_1_query_output.txt │ ├── istio-bookinfo-connectivity_test_methods_basic_1_query_output.yaml │ ├── istio-bookinfo-connectivity_test_methods_basic_2_query_output.txt │ ├── istio-bookinfo-connectivity_test_methods_basic_2_query_output.yaml │ ├── istio-bookinfo-connectivity_test_methods_paths_1_query_output.txt │ ├── istio-bookinfo-connectivity_test_methods_paths_1_query_output.yaml │ ├── 
istio-bookinfo-connectivity_test_operation_allow_1_query_output.txt │ ├── istio-bookinfo-connectivity_test_operation_allow_1_query_output.yaml │ ├── istio-bookinfo-connectivity_test_operation_deny_1_query_output.txt │ ├── istio-bookinfo-connectivity_test_operation_deny_1_query_output.yaml │ ├── istio-deny-all-scheme_output.txt │ ├── istio-deny-all-scheme_output.yaml │ ├── istio-test1-scheme_query1_output.txt │ ├── istio-test1-scheme_query1_output.yaml │ ├── istio-test1-scheme_query2_output.txt │ ├── istio-test1-scheme_query2_output.yaml │ ├── label_expr_test_1-test_app_label_query_output.json │ ├── label_expr_test_1-test_app_label_query_output.txt │ ├── label_expr_test_1-test_app_label_query_output.yaml │ ├── label_expr_test_1-test_tier_and_app_label_query_output.txt │ ├── label_expr_test_1-test_tier_and_app_label_query_output.yaml │ ├── poc1-scheme_output.csv │ ├── poc1-scheme_output.dot │ ├── poc1-scheme_output.md │ ├── poc1-scheme_output.txt │ ├── poc1-scheme_output.yaml │ ├── poc2-scheme_output.txt │ ├── poc2-scheme_output.yaml │ ├── poc3-scheme_output.txt │ ├── poc3-scheme_output.yaml │ ├── poc4_scheme_connectivity_map_query_output.txt │ ├── poc4_scheme_connectivity_map_query_output.yaml │ ├── poc4_scheme_semantic_diff_poc4_poc3_query_output.txt │ ├── poc4_scheme_semantic_diff_poc4_poc3_query_output.yaml │ ├── port_aggregation-scheme_output.txt │ ├── port_aggregation-scheme_output.yaml │ ├── semantic_diff_a_to_b_query_output.csv │ ├── semantic_diff_a_to_b_query_output.dot │ ├── semantic_diff_a_to_b_query_output.md │ ├── semantic_diff_a_to_b_query_output.txt │ ├── semantic_diff_a_to_b_query_output.yaml │ ├── semantic_diff_a_to_b_with_ipBlock_query_output.csv │ ├── semantic_diff_a_to_b_with_ipBlock_query_output.md │ ├── semantic_diff_a_to_b_with_ipBlock_query_output.txt │ ├── semantic_diff_a_to_b_with_ipBlock_query_output.yaml │ ├── semantic_diff_b_to_a_query_output.csv │ ├── semantic_diff_b_to_a_query_output.md │ ├── semantic_diff_b_to_a_query_output.txt │ ├── 
semantic_diff_b_to_a_query_output.yaml │ ├── semantic_diff_disjoint_old1_config_a_query_output.csv │ ├── semantic_diff_disjoint_old1_config_a_query_output.md │ ├── semantic_diff_disjoint_old1_config_a_query_output.txt │ ├── semantic_diff_disjoint_old1_config_a_query_output.yaml │ ├── semantic_diff_identical_query_output.csv │ ├── semantic_diff_identical_query_output.dot │ ├── semantic_diff_identical_query_output.md │ ├── semantic_diff_identical_query_output.txt │ ├── semantic_diff_identical_query_output.yaml │ ├── semantic_diff_ipblocks__np1_np4_query_output.csv │ ├── semantic_diff_ipblocks__np1_np4_query_output.md │ ├── semantic_diff_ipblocks__np1_np4_query_output.txt │ ├── semantic_diff_ipblocks__np1_np4_query_output.yaml │ ├── semantic_diff_ipblocks__np4_with_itself_query_output.txt │ ├── semantic_diff_ipblocks_equivalence_query_output.csv │ ├── semantic_diff_ipblocks_equivalence_query_output.md │ ├── semantic_diff_ipblocks_equivalence_query_output.txt │ ├── semantic_diff_ipblocks_equivalence_query_output.yaml │ ├── semantic_diff_ipblocks_np1_np2_query_output.csv │ ├── semantic_diff_ipblocks_np1_np2_query_output.md │ ├── semantic_diff_ipblocks_np1_np2_query_output.txt │ ├── semantic_diff_ipblocks_np1_np2_query_output.yaml │ ├── semantic_diff_named_ports_np1_and_np2_by_pods_query_output.txt │ ├── semantic_diff_named_ports_np1_and_np2_query_output.csv │ ├── semantic_diff_named_ports_np1_and_np2_query_output.dot │ ├── semantic_diff_named_ports_np1_and_np2_query_output.md │ ├── semantic_diff_named_ports_np1_and_np2_query_output.txt │ ├── semantic_diff_named_ports_np1_and_np2_query_output.yaml │ ├── semantic_diff_named_ports_np3_and_np4_query_output.txt │ ├── semantic_diff_np1_np2_query_output.csv │ ├── semantic_diff_np1_np2_query_output.md │ ├── semantic_diff_np1_np2_query_output.txt │ ├── semantic_diff_np1_np2_query_output.yaml │ ├── semantic_diff_old1_new1_query_output.csv │ ├── semantic_diff_old1_new1_query_output.dot │ ├── semantic_diff_old1_new1_query_output.md 
│ ├── semantic_diff_old1_new1_query_output.txt │ ├── semantic_diff_old1_new1_query_output.yaml │ ├── semantic_diff_old1_new1a_query_output.csv │ ├── semantic_diff_old1_new1a_query_output.md │ ├── semantic_diff_old1_new1a_query_output.txt │ ├── semantic_diff_old1_new1a_query_output.yaml │ ├── semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt │ ├── semantic_diff_old2_new2_query_output.csv │ ├── semantic_diff_old2_new2_query_output.json │ ├── semantic_diff_old2_new2_query_output.md │ ├── semantic_diff_old2_new2_query_output.txt │ ├── semantic_diff_old2_new2_query_output.yaml │ ├── semantic_diff_old3_new3_query_output.txt │ ├── semantic_diff_poc-scheme_output.csv │ ├── semantic_diff_poc-scheme_output.md │ ├── semantic_diff_poc-scheme_output.txt │ ├── semantic_diff_poc-scheme_output.yaml │ ├── subset_deployment_fullname_and_global_subset_dot.dot │ ├── subset_deployment_fullname_and_global_subset_endpoints_deployments_dot.dot │ ├── subset_deployment_fullname_and_global_subset_endpoints_deployments_txt.txt │ ├── subset_deployment_fullname_and_global_subset_txt.txt │ ├── subset_deployment_fullname_subset_dot.dot │ ├── subset_deployment_fullname_subset_endpoints_deployments_dot.dot │ ├── subset_deployment_fullname_subset_endpoints_deployments_txt.txt │ ├── subset_deployment_fullname_subset_txt.txt │ ├── subset_deployment_in_subset_dot.dot │ ├── subset_deployment_in_subset_endpoints_deployments_dot.dot │ ├── subset_deployment_in_subset_endpoints_deployments_txt.txt │ ├── subset_deployment_in_subset_txt.txt │ ├── subset_deployment_no_subset_txt.txt │ ├── subset_labels2_dot.dot │ ├── subset_labels2_endpoints_deployments_dot.dot │ ├── subset_labels2_endpoints_deployments_txt.txt │ ├── subset_labels2_txt.txt │ ├── subset_labels3_dot.dot │ ├── subset_labels3_endpoints_deployments_dot.dot │ ├── subset_labels3_endpoints_deployments_txt.txt │ ├── subset_labels3_txt.txt │ ├── subset_labels4_dot.dot │ ├── subset_labels4_endpoints_deployments_dot.dot │ ├── 
subset_labels4_endpoints_deployments_txt.txt │ ├── subset_labels4_txt.txt │ ├── subset_labels6_dot.dot │ ├── subset_labels6_endpoints_deployments_dot.dot │ ├── subset_labels6_endpoints_deployments_txt.txt │ ├── subset_labels6_txt.txt │ ├── subset_labels_dot.dot │ ├── subset_labels_endpoints_deployments_dot.dot │ ├── subset_labels_endpoints_deployments_txt.txt │ ├── subset_labels_txt.txt │ ├── subset_mix_endpoints_deployments_txt.txt │ ├── subset_namespace_in_subset_dot.dot │ ├── subset_namespace_in_subset_endpoints_deployments_dot.dot │ ├── subset_namespace_in_subset_endpoints_deployments_txt.txt │ ├── subset_namespace_in_subset_txt.txt │ ├── subset_no_subset_dot.dot │ ├── subset_no_subset_endpoints_deployments_dot.dot │ ├── subset_no_subset_endpoints_deployments_txt.txt │ ├── test1-scheme_output.txt │ ├── test1-scheme_output.yaml │ ├── test10-scheme_output.txt │ ├── test10-scheme_output.yaml │ ├── test11-scheme_output.txt │ ├── test11-scheme_output.yaml │ ├── test12-scheme_output.txt │ ├── test12-scheme_output.yaml │ ├── test13-scheme_output.txt │ ├── test13-scheme_output.yaml │ ├── test14-scheme_output.txt │ ├── test14-scheme_output.yaml │ ├── test15-scheme_output.txt │ ├── test15-scheme_output.yaml │ ├── test16-scheme_output.txt │ ├── test16-scheme_output.yaml │ ├── test18-scheme_output.txt │ ├── test18-scheme_output.yaml │ ├── test19-scheme_output.txt │ ├── test19-scheme_output.yaml │ ├── test2-scheme_output.txt │ ├── test2-scheme_output.yaml │ ├── test20-scheme_output.txt │ ├── test20-scheme_output.yaml │ ├── test21-scheme_output.txt │ ├── test21-scheme_output.yaml │ ├── test22-scheme_output.txt │ ├── test22-scheme_output.yaml │ ├── test23-scheme_output.txt │ ├── test23-scheme_output.yaml │ ├── test24-scheme_output.txt │ ├── test24-scheme_output.yaml │ ├── test25-scheme_connectivity_map_by_deployments_csv.csv │ ├── test25-scheme_connectivity_map_by_deployments_dot.dot │ ├── test25-scheme_connectivity_map_by_deployments_txt.txt │ ├── 
test25-scheme_connectivity_map_by_deployments_yaml.yaml │ ├── test25-scheme_connectivity_map_by_pods_csv.csv │ ├── test25-scheme_connectivity_map_by_pods_dot.dot │ ├── test25-scheme_connectivity_map_by_pods_txt.txt │ ├── test25-scheme_connectivity_map_by_pods_yaml.yaml │ ├── test3-scheme_output.txt │ ├── test3-scheme_output.yaml │ ├── test4-scheme_query_connectivity_map_3_output.csv │ ├── test4-scheme_query_connectivity_map_3_output.dot │ ├── test4-scheme_query_connectivity_map_3_output.md │ ├── test4-scheme_query_connectivity_map_3_output.txt │ ├── test4-scheme_query_connectivity_map_3_output.yaml │ ├── test4-scheme_query_connectivity_map_4_output.csv │ ├── test4-scheme_query_connectivity_map_4_output.dot │ ├── test4-scheme_query_connectivity_map_4_output.md │ ├── test4-scheme_query_connectivity_map_4_output.txt │ ├── test4-scheme_query_connectivity_map_4_output.yaml │ ├── test6-scheme_output.txt │ ├── test6-scheme_output.yaml │ ├── test7-scheme_output.json │ ├── test7-scheme_output.txt │ ├── test7-scheme_output.yaml │ ├── test8-scheme_output.txt │ ├── test8-scheme_output.yaml │ ├── test9-scheme_output.txt │ └── test9-scheme_output.yaml │ ├── istio-allow-all-policy.yaml │ ├── istio-allow-all-scheme.yaml │ ├── istio-allow-nothing-policy-3.yaml │ ├── istio-allow-nothing-policy.yaml │ ├── istio-allow-nothing-policy2.yaml │ ├── istio-allow-nothing-scheme.yaml │ ├── istio-bookinfo-policy-test-methods-1.yaml │ ├── istio-bookinfo-policy-test-methods-2.yaml │ ├── istio-bookinfo-policy-test-methods-paths.yaml │ ├── istio-bookinfo-policy-test-operation-allow-example-1.yaml │ ├── istio-bookinfo-policy-test-operation-deny-example.yaml │ ├── istio-bookinfo-test-request-attrs-scheme.yaml │ ├── istio-deny-all-policy.yaml │ ├── istio-deny-all-scheme.yaml │ ├── istio-test1-policy1.yaml │ ├── istio-test1-policy2.yaml │ ├── istio-test1-scheme.yaml │ ├── label_expr_test_1-scheme.yaml │ ├── label_expr_test_policy1.yaml │ ├── label_expr_test_policy10.yaml │ ├── 
label_expr_test_policy2.yaml │ ├── label_expr_test_policy3.yaml │ ├── label_expr_test_policy4.yaml │ ├── label_expr_test_policy5.yaml │ ├── label_expr_test_policy6.yaml │ ├── label_expr_test_policy7.yaml │ ├── label_expr_test_policy8.yaml │ ├── label_expr_test_policy9.yaml │ ├── microservices-netpols-new.yaml │ ├── microservices-netpols.yaml │ ├── namedPorts-policy1.yaml │ ├── namedPorts-policy2.yaml │ ├── namedPorts-policy3.yaml │ ├── namedPorts-policy4.yaml │ ├── namedPorts-policy5.yaml │ ├── new1.yaml │ ├── new1a.yaml │ ├── new2.yaml │ ├── new3.yaml │ ├── old1.yaml │ ├── old2.yaml │ ├── old3.yaml │ ├── poc1-scheme.yaml │ ├── poc2-scheme.yaml │ ├── poc3-scheme.yaml │ ├── poc4-scheme.yaml │ ├── policy_a.yaml │ ├── policy_a_ipBlock.yaml │ ├── policy_b.yaml │ ├── policy_b_ipBlock.yaml │ ├── port_aggregation-networkpolicy.yaml │ ├── port_aggregation-scheme.yaml │ ├── semantic_diff_computeDiff-scheme.yaml │ ├── semantic_diff_namedPorts-scheme.yaml │ ├── semantic_diff_poc-scheme.yaml │ ├── semantic_diff_withIpBlock-scheme.yaml │ ├── semantic_diff_with_different_topologies-scheme.yaml │ ├── subset-deployment-scheme.yaml │ ├── test1-networkpolicy.yaml │ ├── test1-scheme.yaml │ ├── test10-networkpolicy.yaml │ ├── test10-scheme.yaml │ ├── test11-networkpolicy.yaml │ ├── test11-scheme.yaml │ ├── test12-networkpolicy.yaml │ ├── test12-scheme.yaml │ ├── test13-networkpolicy.yaml │ ├── test13-scheme.yaml │ ├── test14-networkpolicy.yaml │ ├── test14-scheme.yaml │ ├── test15-networkpolicy.yaml │ ├── test15-scheme.yaml │ ├── test16-networkpolicy.yaml │ ├── test16-scheme.yaml │ ├── test18-networkpolicy.yaml │ ├── test18-scheme.yaml │ ├── test19-networkpolicy.yaml │ ├── test19-scheme.yaml │ ├── test2-networkpolicy.yaml │ ├── test2-scheme.yaml │ ├── test20-networkpolicy.yaml │ ├── test20-scheme.yaml │ ├── test21-networkpolicy.yaml │ ├── test21-scheme.yaml │ ├── test22-networkpolicy.yaml │ ├── test22-scheme.yaml │ ├── test23-networkpolicy.yaml │ ├── test23-scheme.yaml │ ├── 
test24-networkpolicy.yaml │ ├── test24-scheme.yaml │ ├── test25-networkpolicy.yaml │ ├── test25-scheme.yaml │ ├── test3-networkpolicy.yaml │ ├── test3-scheme.yaml │ ├── test4-networkpolicy.yaml │ ├── test4-scheme.yaml │ ├── test6-networkpolicy.yaml │ ├── test6-scheme.yaml │ ├── test7-networkpolicy.yaml │ ├── test7-scheme.yaml │ ├── test8-networkpolicy.yaml │ ├── test8-scheme.yaml │ ├── test9-networkpolicy.yaml │ ├── test9-scheme.yaml │ ├── withIpBlock-networkpolicy1.yaml │ ├── withIpBlock-networkpolicy2.yaml │ ├── withIpBlock-networkpolicy3.yaml │ └── withIpBlock-networkpolicy4.yaml ├── helm_tests ├── helm_test1 │ ├── redis │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── _utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── health-configmap.yaml │ │ │ ├── master │ │ │ │ ├── application.yaml │ │ │ │ └── service.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── replicas │ │ │ │ ├── service.yaml │ │ │ │ └── statefulset.yaml │ │ │ ├── scripts-configmap.yaml │ │ │ ├── secret.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.schema.json │ │ └── values.yaml │ └── test_description.txt ├── helm_test2 │ ├── grafana │ │ ├── .helmignore │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── ci │ │ │ ├── default-values.yaml │ │ │ ├── 
with-affinity-values.yaml │ │ │ ├── with-dashboard-json-values.yaml │ │ │ ├── with-dashboard-values.yaml │ │ │ ├── with-image-renderer-values.yaml │ │ │ └── with-persistence.yaml │ │ ├── dashboards │ │ │ └── custom-dashboard.json │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── _pod.tpl │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── configmap-dashboard-provider.yaml │ │ │ ├── configmap.yaml │ │ │ ├── dashboards-json-configmap.yaml │ │ │ ├── deployment.yaml │ │ │ ├── ingress.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── podsecuritypolicy.yaml │ │ │ ├── role.yaml │ │ │ ├── rolebinding.yaml │ │ │ ├── secret-env.yaml │ │ │ ├── secret.yaml │ │ │ ├── service.yaml │ │ │ ├── serviceaccount.yaml │ │ │ └── tests │ │ │ │ ├── test-configmap.yaml │ │ │ │ ├── test-podsecuritypolicy.yaml │ │ │ │ ├── test-role.yaml │ │ │ │ ├── test-rolebinding.yaml │ │ │ │ ├── test-serviceaccount.yaml │ │ │ │ └── test.yaml │ │ └── values.yaml │ ├── prometheus │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── kube-state-metrics │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── NOTES.txt │ │ │ │ ├── _helpers.tpl │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── deployment.yaml │ │ │ │ ├── role.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── alertmanager │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── cm.yaml │ │ │ │ ├── deploy.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── serviceaccount.yaml │ │ │ ├── node-exporter │ │ │ │ ├── daemonset.yaml │ │ │ │ ├── serviceaccount.yaml │ │ │ │ └── svc.yaml │ │ │ ├── pushgateway │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── deploy.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── 
serviceaccount.yaml │ │ │ └── server │ │ │ │ ├── clusterrole.yaml │ │ │ │ ├── clusterrolebinding.yaml │ │ │ │ ├── cm.yaml │ │ │ │ ├── deploy.yaml │ │ │ │ ├── ingress.yaml │ │ │ │ ├── pvc.yaml │ │ │ │ ├── service.yaml │ │ │ │ └── serviceaccount.yaml │ │ └── values.yaml │ ├── redis │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── _utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── health-configmap.yaml │ │ │ ├── master │ │ │ │ ├── application.yaml │ │ │ │ └── service.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── replicas │ │ │ │ ├── service.yaml │ │ │ │ └── statefulset.yaml │ │ │ ├── scripts-configmap.yaml │ │ │ ├── secret.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.schema.json │ │ └── values.yaml │ └── test_description.txt ├── helm_test3 │ ├── redis │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── 
_utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── health-configmap.yaml │ │ │ ├── master │ │ │ │ ├── application.yaml │ │ │ │ └── service.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── replicas │ │ │ │ ├── service.yaml │ │ │ │ └── statefulset.yaml │ │ │ ├── scripts-configmap.yaml │ │ │ ├── secret.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.schema.json │ │ └── values.yaml │ ├── resolved_yaml.yaml │ └── test_description.txt ├── helm_test4 │ ├── redis │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── _utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── resolved_yaml.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── health-configmap.yaml │ │ │ ├── master │ │ │ │ ├── application.yaml │ │ │ │ └── service.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── replicas │ │ │ │ ├── service.yaml │ │ │ │ └── statefulset.yaml │ │ │ ├── scripts-configmap.yaml │ │ │ ├── secret.yaml │ │ │ └── serviceaccount.yaml │ │ ├── 
values.schema.json │ │ └── values.yaml │ └── test_description.txt ├── helm_test5 │ ├── redis │ │ ├── .helmignore │ │ ├── Chart.lock │ │ ├── Chart.yaml │ │ ├── README.md │ │ ├── charts │ │ │ └── common │ │ │ │ ├── .helmignore │ │ │ │ ├── Chart.yaml │ │ │ │ ├── README.md │ │ │ │ ├── templates │ │ │ │ ├── _affinities.tpl │ │ │ │ ├── _capabilities.tpl │ │ │ │ ├── _errors.tpl │ │ │ │ ├── _images.tpl │ │ │ │ ├── _ingress.tpl │ │ │ │ ├── _labels.tpl │ │ │ │ ├── _names.tpl │ │ │ │ ├── _secrets.tpl │ │ │ │ ├── _storage.tpl │ │ │ │ ├── _tplvalues.tpl │ │ │ │ ├── _utils.tpl │ │ │ │ ├── _warnings.tpl │ │ │ │ └── validations │ │ │ │ │ ├── _cassandra.tpl │ │ │ │ │ ├── _mariadb.tpl │ │ │ │ │ ├── _mongodb.tpl │ │ │ │ │ ├── _postgresql.tpl │ │ │ │ │ ├── _redis.tpl │ │ │ │ │ └── _validations.tpl │ │ │ │ └── values.yaml │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── configmap.yaml │ │ │ ├── headless-svc.yaml │ │ │ ├── health-configmap.yaml │ │ │ ├── master │ │ │ │ ├── application.yaml │ │ │ │ └── service.yaml │ │ │ ├── metrics-svc.yaml │ │ │ ├── networkpolicy.yaml │ │ │ ├── replicas │ │ │ │ ├── service.yaml │ │ │ │ └── statefulset.yaml │ │ │ ├── resolved_yaml.yaml │ │ │ ├── scripts-configmap.yaml │ │ │ ├── secret.yaml │ │ │ └── serviceaccount.yaml │ │ ├── values.schema.json │ │ └── values.yaml │ └── test_description.txt └── helm_test6 │ ├── grafana │ ├── .helmignore │ ├── Chart.yaml │ ├── README.md │ ├── ci │ │ ├── default-values.yaml │ │ ├── with-affinity-values.yaml │ │ ├── with-dashboard-json-values.yaml │ │ ├── with-dashboard-values.yaml │ │ ├── with-image-renderer-values.yaml │ │ └── with-persistence.yaml │ ├── dashboards │ │ └── custom-dashboard.json │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── _pod.tpl │ │ ├── clusterrole.yaml │ │ ├── clusterrolebinding.yaml │ │ ├── configmap-dashboard-provider.yaml │ │ ├── configmap.yaml │ │ ├── dashboards-json-configmap.yaml │ │ ├── deployment.yaml │ │ ├── ingress.yaml │ │ ├── networkpolicy.yaml │ │ 
├── podsecuritypolicy.yaml │ │ ├── role.yaml │ │ ├── rolebinding.yaml │ │ ├── secret-env.yaml │ │ ├── secret.yaml │ │ ├── service.yaml │ │ ├── serviceaccount.yaml │ │ └── tests │ │ │ ├── test-configmap.yaml │ │ │ ├── test-podsecuritypolicy.yaml │ │ │ ├── test-role.yaml │ │ │ ├── test-rolebinding.yaml │ │ │ ├── test-serviceaccount.yaml │ │ │ └── test.yaml │ └── values.yaml │ ├── prometheus │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── README.md │ ├── charts │ │ └── kube-state-metrics │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── templates │ │ │ ├── NOTES.txt │ │ │ ├── _helpers.tpl │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── deployment.yaml │ │ │ ├── role.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ │ └── values.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── alertmanager │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── cm.yaml │ │ │ ├── deploy.yaml │ │ │ ├── ingress.yaml │ │ │ ├── pvc.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ ├── node-exporter │ │ │ ├── daemonset.yaml │ │ │ ├── serviceaccount.yaml │ │ │ └── svc.yaml │ │ ├── pushgateway │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── deploy.yaml │ │ │ ├── ingress.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ │ └── server │ │ │ ├── clusterrole.yaml │ │ │ ├── clusterrolebinding.yaml │ │ │ ├── cm.yaml │ │ │ ├── deploy.yaml │ │ │ ├── ingress.yaml │ │ │ ├── pvc.yaml │ │ │ ├── service.yaml │ │ │ └── serviceaccount.yaml │ └── values.yaml │ ├── redis │ ├── .helmignore │ ├── Chart.lock │ ├── Chart.yaml │ ├── README.md │ ├── charts │ │ └── common │ │ │ ├── .helmignore │ │ │ ├── Chart.yaml │ │ │ ├── README.md │ │ │ ├── templates │ │ │ ├── _affinities.tpl │ │ │ ├── _capabilities.tpl │ │ │ ├── _errors.tpl │ │ │ ├── _images.tpl │ │ │ ├── _ingress.tpl │ │ │ ├── _labels.tpl │ │ │ ├── _names.tpl │ │ │ ├── _secrets.tpl │ │ │ ├── _storage.tpl │ │ │ ├── _tplvalues.tpl │ │ │ ├── 
_utils.tpl │ │ │ ├── _warnings.tpl │ │ │ └── validations │ │ │ │ ├── _cassandra.tpl │ │ │ │ ├── _mariadb.tpl │ │ │ │ ├── _mongodb.tpl │ │ │ │ ├── _postgresql.tpl │ │ │ │ ├── _redis.tpl │ │ │ │ └── _validations.tpl │ │ │ └── values.yaml │ ├── templates │ │ ├── NOTES.txt │ │ ├── _helpers.tpl │ │ ├── configmap.yaml │ │ ├── headless-svc.yaml │ │ ├── health-configmap.yaml │ │ ├── master │ │ │ ├── application.yaml │ │ │ └── service.yaml │ │ ├── metrics-svc.yaml │ │ ├── networkpolicy.yaml │ │ ├── replicas │ │ │ ├── service.yaml │ │ │ └── statefulset.yaml │ │ ├── scripts-configmap.yaml │ │ ├── secret.yaml │ │ └── serviceaccount.yaml │ ├── values.schema.json │ └── values.yaml │ ├── resolved_yaml.yaml │ └── test_description.txt ├── istio_testcases ├── example_podlist │ ├── bookinfo_deployments.yaml │ ├── bookinfo_ns_list.json │ ├── bookinfo_pods_list.json │ └── bookinfo_services.yaml ├── example_policies │ ├── bookinfo-demo │ │ ├── bookinfo-policy-equiv-principals-by-condition-1.yaml │ │ ├── bookinfo-policy-equiv-principals-by-condition-2.yaml │ │ ├── bookinfo-policy-equiv-principals-by-condition-3.yaml │ │ ├── bookinfo-policy-test-enum-regex-match.yaml │ │ ├── bookinfo-policy-test-equiv-properties-cubes.yaml │ │ ├── bookinfo-policy-test-methods-1.yaml │ │ ├── bookinfo-policy-test-methods-2.yaml │ │ ├── bookinfo-policy-test-methods-3-differently-written.yaml │ │ ├── bookinfo-policy-test-methods-3.yaml │ │ ├── bookinfo-policy-test-methods-4.yaml │ │ ├── bookinfo-policy-test-methods-paths.yaml │ │ ├── bookinfo-policy-test-ns-no-match.yaml │ │ ├── bookinfo-policy-test-operation-allow-example-1.yaml │ │ ├── bookinfo-policy-test-operation-deny-example.yaml │ │ ├── bookinfo-policy-test-operation-regex.yaml │ │ ├── bookinfo-policy-test-pircipals-no-match.yaml │ │ ├── bookinfo-policy-test-principals-1.yaml │ │ ├── bookinfo-policy-test-principals-2.yaml │ │ ├── bookinfo-policy-test-principals-3.yaml │ │ ├── bookinfo-test-equiv-scheme.yaml │ │ ├── bookinfo-test-principals-scheme.yaml 
│ │ ├── bookinfo-test-request-attrs-scheme.yaml │ │ └── sidecar_examples │ │ │ ├── bookinfo-default-sidecar-1.yaml │ │ │ ├── bookinfo-default-sidecar-2.yaml │ │ │ ├── bookinfo-productpage-sidecar-1.yaml │ │ │ ├── bookinfo-productpage-sidecar-2.yaml │ │ │ ├── bookinfo-reviews-sidecar.yaml │ │ │ ├── bookinfo-select-nothing-sidecar.yaml │ │ │ ├── bookinfo-sidecar-tests-scheme.yaml │ │ │ ├── bookinfo-test-sidecar-connectivity-scheme.yaml │ │ │ ├── bookinfo-topology │ │ │ ├── bookinfo_deployments.yaml │ │ │ ├── bookinfo_ns_list.json │ │ │ └── bookinfo_services.yaml │ │ │ ├── containments-w-sidecar-and-service-entry-scheme.yaml │ │ │ ├── default-sidecar-allow-any.yaml │ │ │ ├── equivalence-with-sidecars-scheme.yaml │ │ │ ├── forbids-and-interferes-with-sidecars-tests-scheme.yaml │ │ │ ├── global-sidecar-from-istio-ref.yaml │ │ │ ├── global-sidecar-permits-test-scheme.yaml │ │ │ ├── global-sidecar.yaml │ │ │ ├── sanity-vacuity-emptiness-redundancy-w-sidecar-scheme.yaml │ │ │ ├── semantic-diff-with-sidecars-and-service-entries-tests-scheme.yaml │ │ │ ├── service_entry_resources │ │ │ ├── bookinfo-service-entry-1.yaml │ │ │ ├── external-https-services-less-hosts-and-different-port.yaml │ │ │ └── external-https-wildcard-services.yaml │ │ │ ├── sidecar-allows-all-in-registery-only.yaml │ │ │ ├── sidecar-allows-any.yaml │ │ │ ├── sidecar-w-general-host.yaml │ │ │ ├── sidecar-w-internal-external-services-registry-only.yaml │ │ │ ├── sidecar-w-internal-external-services.yaml │ │ │ ├── sidecar-w-pods-only.yaml │ │ │ ├── sidecar-w-specific-host.yaml │ │ │ └── sidecar-with-local-hosts-only.yaml │ ├── bookinfo-from-live-cluster │ │ ├── auth_policies.yaml │ │ ├── connectivity-map-by-deployments-scheme.yaml │ │ ├── policies_0.yaml │ │ ├── policies_1.yaml │ │ ├── policies_2.yaml │ │ ├── policies_3.yaml │ │ ├── policies_4.yaml │ │ ├── policies_5.yaml │ │ ├── topology │ │ │ ├── default_pods_list.yaml │ │ │ └── istio-system_pods_list.yaml │ │ └── topology_full │ │ │ ├── 
default_pods_list.yaml │ │ │ └── istio-system_pods_list_full.yaml │ ├── complex-ingress-test │ │ ├── added_resources │ │ │ ├── ingress-nginx-deployment.yaml │ │ │ ├── ingress-nginx-service.yaml │ │ │ └── istio-ingress-gateway-deployment.yaml │ │ ├── complex-istio-and-k8s-ingress-test-scheme.yaml │ │ ├── complex-istio-ingress-test-scheme.yaml │ │ ├── complex-k8s-ingress-all-test-scheme.yaml │ │ ├── complex-k8s-ingress-cluster-test-scheme.yaml │ │ ├── complex-k8s-ingress-test-scheme.yaml │ │ └── resources │ │ │ ├── aaaa-deployment.yaml │ │ │ ├── aaaa-service.yaml │ │ │ ├── bbbb-deployment.yaml │ │ │ ├── bbbb-service.yaml │ │ │ ├── cccc-deployment.yaml │ │ │ ├── cccc-service.yaml │ │ │ ├── dddd-deployment.yaml │ │ │ ├── dddd-service.yaml │ │ │ ├── eeee-deployment.yaml │ │ │ ├── eeee-service.yaml │ │ │ ├── ffff-deployment.yaml │ │ │ ├── ffff-service.yaml │ │ │ ├── gggg-deployment.yaml │ │ │ ├── gggg-service.yaml │ │ │ ├── hhhh-deployment.yaml │ │ │ ├── hhhh-service.yaml │ │ │ ├── iiii-deployment.yaml │ │ │ ├── iiii-service.yaml │ │ │ ├── ingress.yaml │ │ │ ├── ingress_cluster.yaml │ │ │ ├── istio-ingress-gateway.yaml │ │ │ ├── istio-ingress-virtualservice.yaml │ │ │ ├── jjjj-deployment.yaml │ │ │ └── jjjj-service.yaml │ ├── fly-istio-ingress-test │ │ ├── fly-istio-ingress-test-scheme.yaml │ │ └── resources │ │ │ ├── fly-deployment.yaml │ │ │ ├── fly-gateway.yaml │ │ │ ├── fly-service.yaml │ │ │ └── istio-ingress-gateway-deployment.yaml │ ├── istio-egress-test-partial-flow1 │ │ ├── istio-egress-test-partial-flow1-scheme.yaml │ │ └── resources │ │ │ ├── gateway.yaml │ │ │ ├── pods_list.json │ │ │ ├── services.yaml │ │ │ └── virtual_services.yaml │ ├── istio-egress-test-partial-flow2 │ │ ├── istio-egress-test-partial-flow2-scheme.yaml │ │ └── resources │ │ │ ├── gateway.yaml │ │ │ ├── pods_list.json │ │ │ ├── services.yaml │ │ │ └── virtual_services.yaml │ ├── istio-egress-test │ │ ├── istio-egress-test-scheme.yaml │ │ └── resources │ │ │ ├── gateway.yaml │ │ │ ├── 
pods_list.json │ │ │ ├── services.yaml │ │ │ └── virtual_services.yaml │ ├── istio-ingress-test │ │ ├── istio-ingress-test-scheme.yaml │ │ └── resources │ │ │ ├── bookinfo_pods_list.json │ │ │ ├── gateway.yaml │ │ │ ├── services.yaml │ │ │ └── virtual_services.yaml │ ├── multi-layer-tests │ │ ├── istio-gateways.yaml │ │ ├── onlineboutique-multi-layer-tests-scheme.yaml │ │ └── onlineboutique-resources │ │ │ ├── adservice.yaml │ │ │ ├── cartservice.yaml │ │ │ ├── checkoutservice.yaml │ │ │ ├── currencyservice.yaml │ │ │ ├── emailservice.yaml │ │ │ ├── frontend.yaml │ │ │ ├── loadgenerator.yaml │ │ │ ├── namespace.yaml │ │ │ ├── paymentservice.yaml │ │ │ ├── productcatalogservice.yaml │ │ │ ├── recommendationservice.yaml │ │ │ └── shippingservice.yaml │ ├── online_boutique │ │ ├── connectivity-scheme.yaml │ │ ├── new_online_boutique_manifests_istio │ │ │ ├── all_auth_policies.yaml │ │ │ └── all_deployments.yaml │ │ ├── online-boutique-with-sa-istio-auth-policies-restrict_access_to_payment-baseline.yaml │ │ └── synthesis_res_istio_new_online_boutique_with_sa.yaml │ ├── online_boutique_multi_layer_from_live_cluster_test │ │ ├── connectivity-map-of-onlineboutique.jpg │ │ ├── connectivity_map_onlineboutique_multi_layer_from_live_cluster.txt │ │ ├── istio-gateways.yaml │ │ ├── network_policies.yaml │ │ ├── onlineboutique-multi-layer-from-live-cluster-test-scheme.yaml │ │ ├── onlineboutique-resources │ │ │ ├── all_depl.yaml │ │ │ ├── all_services.yaml │ │ │ └── ns_list.yaml │ │ └── sidecars.yaml │ ├── sidecar_examples_w_onlineboutique │ │ ├── frontend_tests │ │ │ ├── frontend-sidecar-test-scheme.yaml │ │ │ └── frontend-sidecar.yaml │ │ ├── general_sidecar_examples_from_istio_ref │ │ │ ├── istio-sidecar-1.yaml │ │ │ ├── istio-sidecar-2.yaml │ │ │ └── istio-sidecar-3.yaml │ │ ├── invalid_sidecars │ │ │ ├── sidecar-invalid-egress.yaml │ │ │ ├── sidecar-invalid-host-1.yaml │ │ │ ├── sidecar-invalid-host-10.yaml │ │ │ ├── sidecar-invalid-host-2.yaml │ │ │ ├── 
sidecar-invalid-host-3.yaml │ │ │ ├── sidecar-invalid-host-4.yaml │ │ │ ├── sidecar-invalid-host-5.yaml │ │ │ ├── sidecar-invalid-host-6.yaml │ │ │ ├── sidecar-invalid-host-7.yaml │ │ │ ├── sidecar-invalid-host-8.yaml │ │ │ ├── sidecar-invalid-host-9.yaml │ │ │ └── sidecar-missing-spec.yaml │ │ ├── istio-gateways.yaml │ │ ├── onlineboutique-services.yaml │ │ ├── onlineboutique-sidecars.yaml │ │ ├── sidecar_disables_egress │ │ │ ├── sidecar-disable-egress1.yaml │ │ │ ├── sidecar-disable-egress2.yaml │ │ │ └── sidecars-disable-egress-scheme.yaml │ │ ├── sidecars-and-gateways-test-scheme.yaml │ │ └── sidecars-syntax-tests-scheme.yaml │ ├── test-istio-scheme-files-options │ │ ├── empty_ns.yaml │ │ ├── policy-allow-nothing.yaml │ │ ├── policy-productpage-viewer.yaml │ │ ├── scheme-test-from-live-cluster.yaml │ │ ├── scheme-test-np-from-git-repo-tutorial.yaml │ │ ├── scheme-test-np-from-git-repo.yaml │ │ ├── test-np-from-dir-scheme.yaml │ │ └── tutorial_deployments.yaml │ ├── testcase1 │ │ ├── testcase1-allow-all-policy.yaml │ │ ├── testcase1-allow-all-test-policy.yaml │ │ ├── testcase1-allow-nothing-policy-2.yaml │ │ ├── testcase1-allow-nothing-policy.yaml │ │ ├── testcase1-deny-all-policy.yaml │ │ ├── testcase1-istio-scheme.yaml │ │ ├── testcase1-new-policy.yaml │ │ ├── testcase1-policy.yaml │ │ ├── testcase1-redundant-rule.yaml │ │ ├── testcase1-sanity-test-2.yaml │ │ ├── testcase1-sanity-test-3.yaml │ │ ├── testcase1-sanity-test-4.yaml │ │ ├── testcase1-sanity-test-5.yaml │ │ └── testcase1-sanity-test.yaml │ ├── testcase2 │ │ ├── testcase2-istio-scheme.yaml │ │ ├── testcase2-policy-1.yaml │ │ ├── testcase2-policy-2.yaml │ │ ├── testcase2-policy-3.yaml │ │ ├── testcase2-policy-4.yaml │ │ ├── testcase2-policy-5.yaml │ │ ├── testcase2-policy-6.yaml │ │ ├── testcase2-policy-7.yaml │ │ └── testcase2-policy-8.yaml │ └── testcase3 │ │ ├── testcase3-istio-scheme.yaml │ │ ├── testcase3-parse-error-condition-empty-values-2.yaml │ │ ├── 
testcase3-parse-error-condition-empty-values.yaml │ │ ├── testcase3-parse-error-condition-values-null.yaml │ │ ├── testcase3-parse-error-deny-without-rules.yaml │ │ ├── testcase3-parse-error-from-is-empty.yaml │ │ ├── testcase3-parse-error-from-is-null.yaml │ │ ├── testcase3-parse-error-key-is-empty.yaml │ │ ├── testcase3-parse-error-namespaces-is-null.yaml │ │ ├── testcase3-parse-error-operation-is-empty.yaml │ │ ├── testcase3-parse-error-operation-is-null.yaml │ │ ├── testcase3-parse-error-ports-is-null.yaml │ │ ├── testcase3-parse-error-rule-is-null.yaml │ │ ├── testcase3-parse-error-source-is-empty-2.yaml │ │ ├── testcase3-parse-error-source-is-empty.yaml │ │ ├── testcase3-parse-error-to-is-empty.yaml │ │ ├── testcase3-parse-error-when-is-null.yaml │ │ ├── testcase3-valid-syntax-source-not-empty.yaml │ │ └── testcase3-valid-syntax-when-is-empty.yaml ├── expected_output │ ├── complex-istio-and-k8s-ingress-test-connectivity-map-missing-resources.dot │ ├── complex-istio-and-k8s-ingress-test-connectivity-map.dot │ ├── complex-istio-ingress-test-connectivity-map-missing-resources.dot │ ├── complex-istio-ingress-test-connectivity-map.dot │ ├── complex-k8s-ingress-all-test-connectivity-map-missing-resources.dot │ ├── complex-k8s-ingress-all-test-connectivity-map.dot │ ├── complex-k8s-ingress-cluster-test-connectivity-map-missing-resources.dot │ ├── complex-k8s-ingress-cluster-test-connectivity-map.dot │ ├── complex-k8s-ingress-test-connectivity-map-with-missing-resources.dot │ ├── complex-k8s-ingress-test-connectivity-map.dot │ ├── connectivity-bookinfo-demo-by-deployments.dot │ ├── connectivity-bookinfo-demo-by-pods.dot │ ├── connectivity_bookinfo_ratings_allow_any_sidecar.txt │ ├── connectivity_bookinfo_ratings_allow_any_sidecar_multiple_service_entries.txt │ ├── connectivity_internal_external_sidecar.txt │ ├── connectivity_internal_external_sidecar_registry_only.txt │ ├── connectivity_map_bookinfo_adding_default_sidecar_after_specific.txt │ ├── 
connectivity_map_bookinfo_default_sidecar.txt │ ├── connectivity_map_bookinfo_multiple_sidecar_overrides.txt │ ├── connectivity_map_bookinfo_productpage_sidecar.txt │ ├── connectivity_map_bookinfo_sidecars_with_different_selectors.txt │ ├── connectivity_map_bookinfo_specific_sidecar_overrides_default_sidecar.txt │ ├── connectivity_map_bookinfo_specific_sidecar_overrides_global_sidecar.txt │ ├── connectivity_map_bookinfo_two_different_sidecars_override_default_sidecar.txt │ ├── connectivity_map_configs_w_sidecars_different_outbound_mode.txt │ ├── connectivity_map_global_sidecar_from_istio_ref.txt │ ├── connectivity_map_of_onlineboutique_resources.txt │ ├── connectivity_map_of_onlineboutique_resources_with_istio_gateways.txt │ ├── connectivity_map_online_boutique_frontend_sidecar.txt │ ├── connectivity_map_online_boutique_frontend_sidecar_disable_egress.txt │ ├── connectivity_sidecar_host_name_contains_service_entry_hosts.txt │ ├── connectivity_sidecar_host_name_does_not_contain_se_hosts.txt │ ├── containment_configs_w_sidecars_different_outbound_mode.txt │ ├── equiv_configs_w_sidecars_different_hosts.txt │ ├── equiv_configs_w_sidecars_different_outbound_mode.txt │ ├── fly_istio_ingress_test_connectivity_map.txt │ ├── forbids_configs_w_sidecars_different_hosts_types.txt │ ├── interferes_configs_w_sidecars_different_hosts_types.txt │ ├── istio_egress_test_connectivity_map.txt │ ├── istio_egress_test_partial_flow1_connectivity_map.txt │ ├── istio_egress_test_partial_flow2_connectivity_map.txt │ ├── istio_ingress_test_connectivity_map.txt │ ├── new_online_boutique_connectivity_map.txt │ ├── new_online_boutique_synth_res_connectivity_map.txt │ ├── new_online_boutique_synth_res_connectivity_map_with_baseline_rule.txt │ ├── new_online_boutique_synth_res_connectivity_map_wo_fw_rules.txt │ ├── pair_wise_interferes_configs_w_sidecars_different_hosts_types.txt │ ├── permits_configs_w_sidecars_different_outbound_mode.txt │ ├── 
semantic_diff_online_boutique_new_input_vs_synth_res.txt │ ├── semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt │ ├── semantic_diff_sidecars_added_conns_test.txt │ ├── semantic_diff_sidecars_lost_conns_test.txt │ ├── sidecars-and-gateways-test-connectivity-map.txt │ ├── strong_equiv_configs_w_sidecars_different_outbound_mode.txt │ ├── two_way_containment_configs_allow_any.txt │ ├── two_way_containment_configs_w_sidecars_different_hosts_types.txt │ └── two_way_containment_configs_w_sidecars_different_outbound_mode.txt └── scan-dir-test-scheme.yaml ├── k8s_cmdline_tests.yaml ├── k8s_testcases ├── all_resources_in_same_dir │ ├── all-resources-in-one-dir-scheme.yaml │ ├── ns_list.json │ ├── pods_list.json │ └── some-captured-tests-networkpolicy.yaml ├── example_podlist │ ├── bank_ns_list.json │ ├── bank_pod_list.json │ ├── ns_list.json │ ├── ns_list_for_testcase10.json │ ├── pods_list.json │ └── services1 │ │ ├── ns_list.yaml │ │ ├── pods_list.yaml │ │ ├── policies.yaml │ │ └── services_list.yaml ├── example_policies │ ├── all-captured-tests │ │ ├── captured-tests-scheme.yaml │ │ ├── other-captured-tests-networkpolicy.yaml │ │ └── some-captured-tests-networkpolicy.yaml │ ├── andOrCombinations │ │ ├── andOrCombinations-networkpolicy1.yaml │ │ ├── andOrCombinations-networkpolicy2.yaml │ │ ├── andOrCombinations-readme.yaml │ │ └── andOrCombinations-scheme.yaml │ ├── demo │ │ ├── README.md │ │ ├── interferes │ │ │ ├── interferes-networkpolicy1.yaml │ │ │ ├── interferes-networkpolicy2.yaml │ │ │ ├── interferes-networkpolicy3.yaml │ │ │ ├── interferes-networkpolicy4.yaml │ │ │ ├── interferes-readme.yaml │ │ │ └── interferes-scheme.yaml │ │ ├── regression │ │ │ ├── regression-no-ports-restriction-old.yaml │ │ │ ├── regression-podSelector-new.yaml │ │ │ ├── regression-podSelector-old.yaml │ │ │ ├── regression-readme.yaml │ │ │ ├── regression-scheme.yaml │ │ │ ├── regression-withIpBlock-new.yaml │ │ │ └── regression-withIpBlock-old.yaml │ │ └── sanity 
│ │ │ ├── sanity-label-mistake-networkpolicy.yaml │ │ │ ├── sanity-misconception-podSelector-namespaceSelector.yaml │ │ │ ├── sanity-readme.yaml │ │ │ ├── sanity-redundant-dash-networkpolicy.yaml │ │ │ ├── sanity-scheme.yaml │ │ │ └── sanity-typoNotIn-networkpolicy.yaml │ ├── demo_readme.md │ ├── demo_readme.yaml │ ├── demo_short │ │ ├── demo1-scheme.yaml │ │ ├── demo1-topology-resourcelist-scheme.yaml │ │ ├── demo2-pods-resourcelist-scheme.yaml │ │ ├── demo2-scheme.yaml │ │ ├── demo3-ns-resourcelist-scheme.yaml │ │ ├── demo3-scheme.yaml │ │ ├── interferes-networkpolicy.yaml │ │ ├── sanity1-networkpolicy.yaml │ │ └── sanity2-networkpolicy.yaml │ ├── emptinessTests │ │ ├── emptinessTests-networkpolicy1.yaml │ │ └── emptinessTests-scheme.yaml │ ├── ipblockstest │ │ ├── netpols.yaml │ │ ├── ns.yaml │ │ ├── pods.yaml │ │ └── test-scheme.yaml │ ├── k8s-ingress-test │ │ ├── k8s-ingress-policies.yaml │ │ ├── k8s-ingress-test-scheme.yaml │ │ └── topology │ │ │ ├── default_pods_list.yaml │ │ │ ├── ingress-nginx-pods.yaml │ │ │ ├── istio-system_pods_list.yaml │ │ │ └── services.yaml │ ├── namedPorts │ │ ├── namedPorts-policy1.yaml │ │ ├── namedPorts-policy2.yaml │ │ ├── namedPorts-policy3.yaml │ │ ├── namedPorts-policy4.yaml │ │ ├── namedPorts-policy5.yaml │ │ └── namedPorts-scheme.yaml │ ├── network-policy-checks │ │ ├── checks-network-policy.yaml │ │ └── network-policy-check-scheme.yaml │ ├── online_boutique │ │ ├── connectivity-scheme.yaml │ │ ├── new_online_boutique_manifests │ │ │ ├── all_deplopyments.yaml │ │ │ └── all_network_policies.yaml │ │ ├── orig_online_boutique_manifests │ │ │ ├── emailservice.yaml │ │ │ ├── istio-manifests.yaml │ │ │ └── kubernetes-manifests.yaml │ │ ├── synthesis_res_new_online_boutique.yaml │ │ └── synthesis_res_online_boutique.yaml │ ├── onlineboutique-test-connectivity-wo-fw-rules │ │ ├── kubernetes-manifests.yaml │ │ ├── netpols.yaml │ │ ├── ns.yaml │ │ └── test-no-fw-rules-scheme.yaml │ ├── resourcelist-one-path-example │ │ ├── 
resource-path-scheme.yaml │ │ └── resources-path.yaml │ ├── sample-app │ │ ├── sample-all-captured-scheme.yaml │ │ └── sample.yaml │ ├── scheme-readme.md │ ├── services1 │ │ ├── policies.yaml │ │ ├── services1-networkpolicy0.yaml │ │ ├── services1-networkpolicy1.yaml │ │ ├── services1-networkpolicy2.yaml │ │ └── services1-scheme.yaml │ ├── test_subset │ │ ├── subset_deployment-networkpolicy.yaml │ │ └── test_subset_deployment.yaml │ ├── testcase1 │ │ ├── testcase1-networkpolicy1.json │ │ ├── testcase1-networkpolicy1.yaml │ │ ├── testcase1-networkpolicy2.yaml │ │ ├── testcase1-readme.yaml │ │ ├── testcase1-scheme-demo.yaml │ │ └── testcase1-scheme.yaml │ ├── testcase10-json-version │ │ ├── json_dir │ │ │ └── np_json │ │ │ │ └── networkpolicies.json │ │ └── testcase10-json-version-scheme.yaml │ ├── testcase10-nameSpace-podSelector │ │ ├── testcase10-all-resources-in-one-key-scheme.yaml │ │ ├── testcase10-networkpolicy.yaml │ │ └── testcase10-scheme.yaml │ ├── testcase11-forbids-permits │ │ ├── testcase11-empty-networkpolicy.yaml │ │ ├── testcase11-partly-within-default.yaml │ │ ├── testcase11-scheme.yaml │ │ ├── testcase11-within-default.yaml │ │ └── testcase11-within-kube-system.yaml │ ├── testcase1_tag │ │ ├── testcase1tag-networkpolicy1.yaml │ │ ├── testcase1tag-networkpolicy2.yaml │ │ ├── testcase1tag-readme.yaml │ │ ├── testcase1tag-scheme-demo.yaml │ │ └── testcase1tag-scheme.yaml │ ├── testcase2 │ │ ├── testcase2-networkpolicy1.yaml │ │ ├── testcase2-networkpolicy2.yaml │ │ ├── testcase2-networkpolicy3.yaml │ │ ├── testcase2-readme.yaml │ │ ├── testcase2-scheme-demo.yaml │ │ └── testcase2-scheme.yaml │ ├── testcase3 │ │ ├── testcase3-networkpolicy1.yaml │ │ ├── testcase3-networkpolicy2.yaml │ │ ├── testcase3-readme.yaml │ │ └── testcase3-scheme.yaml │ ├── testcase4 │ │ ├── testcase4-networkpolicy1.yaml │ │ ├── testcase4-networkpolicy2.yaml │ │ ├── testcase4-networkpolicy3.yaml │ │ ├── testcase4-readme.yaml │ │ ├── testcase4-scheme-demo.yaml │ │ └── 
testcase4-scheme.yaml │ ├── testcase5 │ │ ├── testcase5-networkpolicy1.yaml │ │ ├── testcase5-networkpolicy2.yaml │ │ ├── testcase5-readme.yaml │ │ └── testcase5-scheme.yaml │ ├── testcase6 │ │ ├── testcase6-networkpolicy1.yaml │ │ ├── testcase6-networkpolicy2.yaml │ │ ├── testcase6-readme.yaml │ │ ├── testcase6-scheme-demo.yaml │ │ └── testcase6-scheme.yaml │ ├── testcase7 │ │ ├── testcase7-networkpolicy1.yaml │ │ ├── testcase7-networkpolicy2.yaml │ │ ├── testcase7-readme.yaml │ │ └── testcase7-scheme.yaml │ ├── testcase8 │ │ ├── testcase8-networkpolicy1.yaml │ │ ├── testcase8-scheme-demo.yaml │ │ └── testcase8-scheme.yaml │ ├── testcase9-sanity │ │ ├── testcase9-sanity-between-policies.yaml │ │ ├── testcase9-sanity-between-rules.yaml │ │ ├── testcase9-sanity-scheme.yaml │ │ └── testcase9-vacuous-policy.yaml │ ├── tests-different-topologies │ │ ├── containment-permits-different-topologies-scheme.yaml │ │ ├── namedPorts-policy1.yaml │ │ ├── namedPorts-policy2.yaml │ │ ├── namedPorts-policy3.yaml │ │ ├── namedPorts-policy4.yaml │ │ ├── namedPorts-policy5.yaml │ │ ├── namedPorts-scheme.yaml │ │ ├── new1.yaml │ │ ├── new1a.yaml │ │ ├── new2.yaml │ │ ├── new3.yaml │ │ ├── old1.yaml │ │ ├── old2.yaml │ │ ├── old3.yaml │ │ ├── podlist_example │ │ │ └── bank_pod_list_yaml_version.yml │ │ ├── policy_a.yaml │ │ ├── policy_a_ipBlock.yaml │ │ ├── policy_b.yaml │ │ ├── policy_b1.yaml │ │ ├── policy_b_ipBlock.yaml │ │ ├── semanticDiff-IpBlocks-different-topologies-scheme.yaml │ │ ├── semanticDiff-different-topologies-scheme.yaml │ │ ├── semanticDiff-multiple-resources-scheme.yaml │ │ └── semanticDiff-same-topologies-scheme.yaml │ ├── typoNotInTests │ │ ├── typoNotInTests-networkpolicy1.yaml │ │ └── typoNotInTests-scheme.yaml │ ├── withEndPort │ │ ├── withEndPort-networkpolicy1.yaml │ │ ├── withEndPort-networkpolicy2.yaml │ │ ├── withEndPort-networkpolicy3.yaml │ │ └── withEndPort-scheme.yaml │ ├── withIpBlock │ │ ├── withIpBlock-networkpolicy1.yaml │ │ ├── 
withIpBlock-networkpolicy2.yaml │ │ ├── withIpBlock-networkpolicy3.yaml │ │ ├── withIpBlock-networkpolicy4.yaml │ │ └── withIpBlock-scheme.yaml │ ├── withIpBlock2 │ │ ├── withIpBlock2-networkpolicy1.yaml │ │ ├── withIpBlock2-networkpolicy2-IPv6.yaml │ │ ├── withIpBlock2-networkpolicy2.yaml │ │ ├── withIpBlock2-networkpolicy3.yaml │ │ ├── withIpBlock2-networkpolicy4.yaml │ │ ├── withIpBlock2-networkpolicy5-IPv6.yaml │ │ ├── withIpBlock2-networkpolicy5.yaml │ │ └── withIpBlock2-scheme.yaml │ └── workload-resources-test │ │ ├── file-system-resource-test-scheme.yaml │ │ ├── git-resource-test-scheme.yaml │ │ └── workload-test-networkpolicy.yaml ├── expected_output │ ├── containment-np2-and-np1-all-pairs.json │ ├── containment-np2-and-np1-all-pairs.txt │ ├── containment-np2-and-np1-all-pairs.yaml │ ├── emptiness-in-np1.json │ ├── emptiness-in-np1.txt │ ├── emptiness-in-np1.yaml │ ├── forbids-empty-impl-default-spec-all-examples.json │ ├── forbids-empty-impl-default-spec-all-examples.txt │ ├── forbids-empty-impl-default-spec-all-examples.yaml │ ├── ipblocktest-conn-graph-no-fw-rules.txt │ ├── k8s_ingress_test_connectivity_map.txt │ ├── new_online_boutique_connectivity_map.txt │ ├── new_online_boutique_synthesis_res_connectivity_map.txt │ ├── no-strong-equivalence-all-peers-pairs.json │ ├── no-strong-equivalence-all-peers-pairs.txt │ ├── no-strong-equivalence-all-peers-pairs.yaml │ ├── onlineboutique-conn-graph-no-fw-rules.txt │ ├── orig_online_boutique_synthesis_res_connectivity_map.txt │ ├── permits-a-b-not-executed.json │ ├── permits-a-b-not-executed.yaml │ ├── permits-default-impl-kube-system-spec.json │ ├── permits-default-impl-kube-system-spec.txt │ ├── permits-default-impl-kube-system-spec.yaml │ ├── permits-partly-default-impl-default-spec-print-all-pairs.json │ ├── permits-partly-default-impl-default-spec-print-all-pairs.txt │ ├── permits-partly-default-impl-default-spec-print-all-pairs.yaml │ ├── redundancy-test-on-misconception-podSelector-namespaceSelector.json 
│ ├── redundancy-test-on-misconception-podSelector-namespaceSelector.txt │ ├── redundancy-test-on-misconception-podSelector-namespaceSelector.yaml │ ├── semantic_diff_a_to_b_different_topologies.txt │ ├── semantic_diff_online_boutique_new_synthesized_vs_orig_synthesized.txt │ ├── semantic_diff_online_boutique_new_vs_synthesized_new.txt │ ├── services1_connectivity_map.txt │ ├── two-way-containment-a-with-different-ipblock-policies-all-pairs.json │ ├── two-way-containment-a-with-different-ipblock-policies-all-pairs.txt │ └── two-way-containment-a-with-different-ipblock-policies-all-pairs.yaml ├── ingress-bad-path-test │ ├── sample-app │ │ └── sample.yaml │ └── test-ingress-bad-port-scheme.yaml └── network-policy-checks-bad-path │ ├── api_version_wrong_value.yaml │ ├── endport_cannot_be_defined.yaml │ ├── endport_cannot_be_defined2.yaml │ ├── endport_less_than_port.yaml │ ├── endport_wrong_range.yaml │ ├── endport_wrong_type.yaml │ ├── ipblock_bad_cidr.yaml │ ├── ipblock_bad_cidr_2.yaml │ ├── ipblock_bad_cidr_3.yaml │ ├── ipblock_cannot_be_defined.yaml │ ├── ipblock_cidr_is_none.yaml │ ├── ipblock_cidr_wrong_type.yaml │ ├── ipblock_empty.yaml │ ├── ipblock_except_wrong_type.yaml │ ├── ipblock_wrong_keys.yaml │ ├── ipblock_wrong_type.yaml │ ├── matchexpressions_key_does_not_exist.yaml │ ├── matchexpressions_key_has_no_value.yaml │ ├── matchexpressions_key_null.yaml │ ├── matchexpressions_key_wrong_type.yaml │ ├── matchexpressions_key_wrong_value_form.yaml │ ├── matchexpressions_key_wrong_value_form2.yaml │ ├── matchexpressions_operator_has_no_value.yaml │ ├── matchexpressions_operator_missing.yaml │ ├── matchexpressions_operator_null.yaml │ ├── matchexpressions_operator_wrong_type.yaml │ ├── matchexpressions_operator_wrong_value.yaml │ ├── matchexpressions_values_no_match_with_operator.yaml │ ├── matchexpressions_values_no_match_with_operator2.yaml │ ├── matchexpressions_values_wrong_form.yaml │ ├── matchexpressions_values_wrong_type.yaml │ ├── 
matchexpressions_wrong_keys.yaml │ ├── matchexpressions_wrong_type.yaml │ ├── matchlabels_empty_value_label.yaml │ ├── matchlabels_wrong_key_form.yaml │ ├── matchlabels_wrong_key_form2.yaml │ ├── matchlabels_wrong_type.yaml │ ├── matchlabels_wrong_value_label_form.yaml │ ├── matchlabels_wrong_value_label_form2.yaml │ ├── matchlabels_wrong_value_label_type.yaml │ ├── metadata_does_not_exist.yaml │ ├── metadata_empty_map.yaml │ ├── metadata_is_null.yaml │ ├── metadata_name_does_not_exist.yaml │ ├── metadata_name_has_no_value.yaml │ ├── metadata_name_long.yaml │ ├── metadata_name_null.yaml │ ├── metadata_name_wrong_type.yaml │ ├── metadata_namespace_wrong_type.yaml │ ├── metadata_with_no_value.yaml │ ├── metadata_wrong_form.yaml │ ├── metadata_wrong_keys.yaml │ ├── metadata_wrong_type.yaml │ ├── mixed_ipv4_cidr_ipv6_except.yaml │ ├── mixed_ipv4_ipv6_policy.yaml │ ├── mixed_ipv6_cidr_ipv4_except.yaml │ ├── network-policy-check-bad-path-scheme.yaml │ ├── networkPolicy_no_error.yaml │ ├── peer_namespaceselector_wrong_keys.yaml │ ├── peer_namespaceselector_wrong_type.yaml │ ├── peer_no_specified_fields.yaml │ ├── peer_podselector_wrong_keys.yaml │ ├── peer_podselector_wrong_type.yaml │ ├── peers_wrong_keys.yaml │ ├── peers_wrong_type.yaml │ ├── port_wrong_label_form1.yaml │ ├── port_wrong_label_form2.yaml │ ├── port_wrong_range.yaml │ ├── port_wrong_type.yaml │ ├── ports_wrong_keys.yaml │ ├── ports_wrong_type.yaml │ ├── protocol_wrong_type.yaml │ ├── protocol_wrong_value.yaml │ ├── spec_egress_wrong_keys.yaml │ ├── spec_egress_wrong_type.yaml │ ├── spec_empty_map.yaml │ ├── spec_ingress_wrong_keys.yaml │ ├── spec_ingress_wrong_type.yaml │ ├── spec_podselector_does_not_exist.yaml │ ├── spec_podselector_has_no_value.yaml │ ├── spec_podselector_null.yaml │ ├── spec_podselector_wrong_keys.yaml │ ├── spec_podselector_wrong_type.yaml │ ├── spec_policytypes_missing_egress.yaml │ ├── spec_policytypes_missing_ingress.yaml │ ├── spec_policytypes_wrong_type.yaml │ ├── 
spec_policytypes_wrong_values.yaml │ ├── spec_wrong_keys.yaml │ └── spec_wrong_type.yaml ├── livesim_tests └── livesim_topology.yaml ├── run_all_tests.py ├── run_unittests.py └── update_expected_runtime.py /.gitattributes: -------------------------------------------------------------------------------- 1 | *.dot diff= 2 | *.DOT diff= -------------------------------------------------------------------------------- /.github/actions/setup-nca-env/action.yml: -------------------------------------------------------------------------------- 1 | name: 'Setup NCA environment' 2 | description: 'Checks out NCA, then installs the required dependencies' 3 | runs: 4 | using: "composite" 5 | steps: 6 | - uses: actions/setup-python@82c7e631bb3cdc910f68e0081d67478d79c6982d # v5.1.0 7 | with: 8 | python-version: 3.9 9 | architecture: x64 10 | cache: pip 11 | - run: pip install -r requirements.txt 12 | shell: bash 13 | -------------------------------------------------------------------------------- /.github/dco.yml: -------------------------------------------------------------------------------- 1 | # This enables DCO bot for you, please take a look https://github.com/probot/dco 2 | # for more details. 
3 | require: 4 | members: false 5 | -------------------------------------------------------------------------------- /MAINTAINERS.md: -------------------------------------------------------------------------------- 1 | # MAINTAINERS 2 | 3 | * Adi Sosnovich - adisos@il.ibm.com 4 | * Ziv Nevo - nevo@il.ibm.com 5 | * Shireen Falah - shireenf@il.ibm.com 6 | * Shai Doron - dshai@il.ibm.com 7 | -------------------------------------------------------------------------------- /MANIFEST.in: -------------------------------------------------------------------------------- 1 | include nca/VERSION.txt 2 | graft nca/NetworkConfig/LiveSim 3 | -------------------------------------------------------------------------------- /nca/CoreDS/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/CoreDS/__init__.py -------------------------------------------------------------------------------- /nca/FWRules/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/FWRules/__init__.py -------------------------------------------------------------------------------- /nca/FileScanners/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/FileScanners/__init__.py -------------------------------------------------------------------------------- /nca/NetworkConfig/LiveSim/dns/dns_pods.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kube-system 5 | labels: 6 | name: kube-system 7 | kubernetes.io/metadata.name: kube-system 8 | --- 9 | apiVersion: apps/v1 10 | kind: Pod 
11 | metadata: 12 | name: kube-dns-livesim 13 | namespace: kube-system 14 | labels: 15 | k8s-app: kube-dns 16 | projectcalico.org/namespace: kube-system 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: kube-dns 21 | --- 22 | -------------------------------------------------------------------------------- /nca/NetworkConfig/LiveSim/istio_gateway/istio_custom_gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: custom-ingressgateway-livesim 5 | namespace: custom-gateways 6 | labels: 7 | istio: custom-ingressgateway 8 | spec: 9 | serviceAccountName: custom-ingressgateway-livesim 10 | containers: 11 | - name: istio-proxy 12 | image: auto 13 | --- 14 | -------------------------------------------------------------------------------- /nca/NetworkConfig/LiveSim/istio_gateway/istio_ingress_gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: istio-ingressgateway-livesim 5 | namespace: istio-system 6 | labels: 7 | app: istio-ingressgateway 8 | istio: ingressgateway 9 | spec: 10 | serviceAccountName: istio-ingressgateway 11 | containers: 12 | - name: istio-proxy 13 | image: auto 14 | --- -------------------------------------------------------------------------------- /nca/NetworkConfig/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/NetworkConfig/__init__.py -------------------------------------------------------------------------------- /nca/Parsers/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/Parsers/__init__.py 
-------------------------------------------------------------------------------- /nca/Resources/OtherResources/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/Resources/OtherResources/__init__.py -------------------------------------------------------------------------------- /nca/Resources/PolicyResources/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/Resources/PolicyResources/__init__.py -------------------------------------------------------------------------------- /nca/Resources/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/Resources/__init__.py -------------------------------------------------------------------------------- /nca/Utils/Utils.py: -------------------------------------------------------------------------------- 1 | # 2 | # Copyright 2022 - IBM Inc. 
All rights reserved 3 | # SPDX-License-Identifier: Apache2.0 4 | # 5 | 6 | 7 | class Singleton(type): 8 | """ 9 | A metaclass implementing singleton for NcaLogger 10 | """ 11 | _instances = {} 12 | 13 | def __call__(cls, *args, **kwargs): 14 | if cls not in cls._instances: 15 | cls._instances[cls] = super(Singleton, cls).__call__(*args, **kwargs) 16 | return cls._instances[cls] 17 | -------------------------------------------------------------------------------- /nca/Utils/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/Utils/__init__.py -------------------------------------------------------------------------------- /nca/VERSION.txt: -------------------------------------------------------------------------------- 1 | 1.9.6 2 | -------------------------------------------------------------------------------- /nca/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/nca/__init__.py -------------------------------------------------------------------------------- /nca/__main__.py: -------------------------------------------------------------------------------- 1 | import sys 2 | from .nca_cli import nca_main 3 | 4 | if __name__ == "__main__": 5 | sys.exit(nca_main()) 6 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [build-system] 2 | requires = ["setuptools>=42"] 3 | build-backend = "setuptools.build_meta" 4 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | ghapi==1.0.5 2 | PyYAML==6.0 3 | greenery==4.0.0 4 
| networkx==3.2.1 5 | beautifulsoup4==4.12.3 6 | lxml==5.2.2 7 | -------------------------------------------------------------------------------- /tests/bad_yamls/list_of_strings.json: -------------------------------------------------------------------------------- 1 | [ 2 | "esnext.global-this", 3 | "esnext.promise.all-settled", 4 | "esnext.string.match-all" 5 | ] 6 | -------------------------------------------------------------------------------- /tests/bad_yamls/single_bracket.json: -------------------------------------------------------------------------------- 1 | { 2 | -------------------------------------------------------------------------------- /tests/bad_yamls/tab_in_json.json: -------------------------------------------------------------------------------- 1 | { 2 | "key": "value" 3 | } 4 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/calico-demo/demo-permits-forbids-cnc-kt-open.yaml: -------------------------------------------------------------------------------- 1 | # enables communication between all the pods that are part of the "cnc-evaluation-service" app 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: testcase17-equiv-local-networkpolicy 6 | namespace: cnc-kt 7 | spec: 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | egress: 14 | - action: Allow 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/calico-demo/demo-permits-forbids-cnc-nlp-open.yaml: -------------------------------------------------------------------------------- 1 | # enables communication between all the pods that are part of the "cnc-evaluation-service" app 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: testcase17-equiv-local-networkpolicy 6 | namespace: cnc-nlp 7 | spec: 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 
| - action: Allow 13 | egress: 14 | - action: Allow 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/calico-demo/sanity1-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list_wdc.json 2 | podList: ../../example_podlist/wdc_wep.json 3 | 4 | networkConfigList: 5 | - name: np_empty_selector 6 | networkPolicyList: 7 | - demo-sanity1-emptySelector.yaml 8 | - demo-allow-all-wdc-wep-profiles.yaml 9 | expectedWarnings: 1 10 | 11 | queries: 12 | - name: sanity_empty_selector 13 | sanity: 14 | - np_empty_selector 15 | expected: 1 16 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/calico-demo/sanity3-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list_wdc.json 2 | podList: ../../example_podlist/wdc_wep.json 3 | 4 | networkConfigList: 5 | - name: np_redundacy 6 | networkPolicyList: 7 | - demo-sanity3-redundancy.yaml 8 | - ../common-policies/policy-deny-all.yaml 9 | #- demo-deny-all-wdc-wep-profiles.yaml 10 | expectedWarnings: 0 11 | 12 | queries: 13 | - name: sanity_redundancy 14 | sanity: 15 | - np_redundacy 16 | expected: 3 17 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/common-policies/policy-allow-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: default-allow-all 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | ingress: 10 | - action: Allow 11 | egress: 12 | - action: Allow -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/common-policies/policy-deny-all.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: default-deny 5 | spec: 6 | selector: all() 7 | types: 8 | - Ingress 9 | - Egress 10 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase1/networkpolicy-with-ns-selector-bad-path-test.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: bad-network-policy 5 | namespace: kube-system 6 | spec: 7 | selector: has(app) 8 | namespaceSelector: unique-label == 'defaultNameSpace' 9 | types: 10 | - Ingress 11 | - Egress 12 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase1/testcase1-empty-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase1-empty-globalNetworkpolicy 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | 10 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase1/testcase1-open-all-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase1-empty-globalNetworkpolicy 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | ingress: 10 | - action: Allow 11 | egress: 12 | - action: Allow -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase1/testcase1-open-default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase1-networkpolicy-open-default-namespace 5 | namespace: default 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | egress: 13 | - action: Allow 14 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase12-interference/testcase12-open-kube-system.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-all 5 | namespace: kube-system 6 | spec: 7 | order: 4 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | egress: 14 | - action: Allow 15 | destination: 16 | selector: all() 17 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase13-protocol/testcase13-open-default-TCP.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase1-networkpolicy-open-default-namespace 5 | namespace: default 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | protocol: TCP 13 | source: 14 | selector: all() 15 | egress: 16 | - action: Allow 17 | protocol: UDPLite 18 | destination: 19 | selector: all() -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase14-icmp/testcase14-open-default-also-within-icmp.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase1-networkpolicy-open-default 5 | namespace: default 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | protocol: ICMP 13 | icmp: 14 | type: 
105 15 | code: 54 16 | egress: 17 | - action: Allow 18 | protocol: ICMP 19 | icmp: 20 | type: 105 21 | code: 54 -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase17-sanity/testcase17-empty-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase17-empty-globalNetworkpolicy 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | 10 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase17-sanity/testcase17-open-default.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase17-open-default-namespace 5 | namespace: default 6 | spec: 7 | order: 10 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | egress: 14 | - action: Allow 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-0-1-empty-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-0-1-empty-policy 5 | namespace: cnc-fe 6 | spec: 7 | order: 105 8 | types: 9 | - Ingress 10 | - Egress 11 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-1-cnc-fe-allow-egress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-policy-cnc-fe-egress-allow 5 | namespace: cnc-fe 6 | spec: 7 | order: 100 8 | types: 9 | 
- Egress 10 | egress: 11 | - action: Allow 12 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-1-cnc-fe-allow-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-policy-cnc-fe-ingress-allow 5 | namespace: cnc-fe 6 | spec: 7 | order: 100 8 | types: 9 | - Ingress 10 | ingress: 11 | - action: Allow 12 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-10-open-within-cnc-kt-with-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-10-local-open-within-cnc-kt-with-policy 5 | namespace: cnc-kt 6 | spec: 7 | order: 10 8 | types: 9 | - Egress 10 | - Ingress 11 | egress: 12 | - action: Allow 13 | ingress: 14 | - action: Allow -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-11-open-within-cnc-kt-with-global-labels-apply.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase19-11-global-open-within-cnc-kt-with-labels 5 | spec: 6 | order: 10 7 | selector: for-cnc-kt-via-lables-to-apply == 'yes' 8 | types: 9 | - Egress 10 | - Ingress 11 | egress: 12 | - action: Allow 13 | ingress: 14 | - action: Allow -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-2-policy-cnc-fe-egress-allow.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-policy-cnc-fe-egress-allow 5 | namespace: cnc-fe 6 | spec: 7 | order: 100 8 | types: 9 | - Egress 10 | egress: 11 | - action: Allow 12 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-7-policy-cnc-ntsgin-egress-ingress-within-namespace-all-allow.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-policy-cnc-ntsgin-egress-ingress-within-namespace-all-allow.yaml 5 | namespace: cnc-ntsgin 6 | spec: 7 | order: 100 8 | types: 9 | - Egress 10 | - Ingress 11 | egress: 12 | - action: Allow 13 | ingress: 14 | - action: Allow 15 | protocol: TCP 16 | 17 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase19-profiles/testcase19-9-1-specific-ingress-with-policies-based-apply-lables.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase19-9-1-specific-ingress-with-policies-based-apply-labels 5 | namespace: cnc-fe 6 | spec: 7 | order: 1 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | source: 14 | namespaceSelector: all() 15 | selector: has(for-apply-labels-testing) 16 | 17 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase2/testcase2-global-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase2-global-networkpolicy 5 | spec: 6 | selector: has(tier) 7 | types: 8 | - Ingress 9 | ingress: 10 | - action: 
Allow 11 | protocol: TCP 12 | source: 13 | namespaceSelector: unique-label == 'vendor-systemNameSpace' 14 | 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase2/testcase2-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase2-networkpolicy 5 | namespace: kube-system 6 | spec: 7 | selector: has(tier) 8 | types: 9 | - Ingress 10 | ingress: 11 | - action: Allow 12 | protocol: TCP 13 | source: 14 | namespaceSelector: unique-label == 'vendor-systemNameSpace' 15 | 16 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase2/testcase2-open-vendor-system.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase1-networkpolicy-open-default-namespace 5 | namespace: vendor-system 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | egress: 13 | - action: Allow 14 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase20-hostendpoint/testcase20-1-empty-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase20-empty-globalNetworkpolicy 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | 10 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase21-with_k8s/testcase21-Calico-allowAll-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | 
kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase21-Calico-allowAll 5 | spec: 6 | order: 1000 7 | types: 8 | - Ingress 9 | - Egress 10 | egress: 11 | - action: Allow 12 | ingress: 13 | - action: Allow 14 | 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase21-with_k8s/testcase21-k8s-emptyPodSelector.yaml: -------------------------------------------------------------------------------- 1 | 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: testcase21-k8s-empty-podselector 6 | namespace: default 7 | spec: 8 | podSelector: 9 | matchLabels: 10 | app: no_exist_app_label 11 | policyTypes: 12 | - Ingress 13 | - Egress 14 | 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase22-forbids-permits/testcase22-0-cnc-kt-open.yaml: -------------------------------------------------------------------------------- 1 | # enables communication between all the pods that are part of the "cnc-evaluation-service" app (as written, this policy sets no selector and its Allow rules have no match criteria, so it applies to every endpoint in namespace cnc-kt, not only to that app) 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: testcase17-equiv-local-networkpolicy 6 | namespace: cnc-kt 7 | spec: 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | egress: 14 | - action: Allow 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase22-forbids-permits/testcase22-0-cnc-nlp-open.yaml: -------------------------------------------------------------------------------- 1 | # enables communication between all the pods that are part of the "cnc-evaluation-service" app (as written, this policy sets no selector and its Allow rules have no match criteria, so it applies to every endpoint in namespace cnc-nlp, not only to that app) 2 | apiVersion: projectcalico.org/v3 3 | kind: NetworkPolicy 4 | metadata: 5 | name: testcase17-equiv-local-networkpolicy 6 | namespace: cnc-nlp 7 | spec: 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | egress: 14 | - 
action: Allow 15 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase22-forbids-permits/testcase22-4-empty-policy.yaml: -------------------------------------------------------------------------------- 1 | # enables communication between all the pods that are part of the "cnc-evaluation-service" app (this comment looks carried over from another test case: the GlobalNetworkPolicy below defines no ingress or egress rules and selects only endpoints with noLabel == 'noExist', so it allows nothing) 2 | apiVersion: projectcalico.org/v3 3 | kind: GlobalNetworkPolicy 4 | metadata: 5 | name: testcase22-4-empty-policy 6 | spec: 7 | selector: noLabel == 'noExist' 8 | types: 9 | - Ingress 10 | - Egress 11 | 12 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-empty-networkpolicies.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-empty-networkpolicies.yaml -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-calico-allow-all-pods-without-hep.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: default-allow-all 5 | spec: 6 | selector: "!has(role)" 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | egress: 13 | - action: Allow -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-calico-productpage-ingress-from-ratings-tcp-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: 
NetworkPolicy 3 | metadata: 4 | name: testcase26-networkpolicy-calico-productpage-ingress-from-ratings-tcp-only 5 | namespace: default 6 | spec: 7 | order: 2000 8 | selector: app == 'productpage' 9 | types: 10 | - Ingress 11 | ingress: 12 | - action: Allow 13 | protocol: TCP 14 | source: 15 | selector: app == 'ratings' -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-istio-default-allow-productpage.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-all-productpage 5 | namespace: default 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: productpage 10 | action: ALLOW 11 | rules: 12 | - {} -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-istio-default-allow.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-all 5 | namespace: istio-config # root namespace 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - {} -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-istio-default-deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: istio-config # root namespace 6 | spec: 7 | action: ALLOW 8 | # the rules field is not specified, and the policy will never match. 
-------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-k8s-default-deny.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: default-deny-all 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-k8s-details-open-ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase26-networkpolicy-k8s-details-open-ingress 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: details 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase26-multi-layer-policies/testcase26-networkpolicy-k8s-ratings-egress-to-productpage.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase26-networkpolicy-k8s-ratings-egress-to-productpage 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: ratings 10 | policyTypes: 11 | - Egress 12 | egress: 13 | - to: 14 | - podSelector: 15 | matchLabels: 16 | app: productpage 17 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase2tag/testcase2tag-global-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | 
apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase1-global-networkpolicy 5 | spec: 6 | selector: tier == 'frontend' 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | protocol: TCP 13 | source: 14 | selector: has(tier) 15 | egress: 16 | - action: Allow 17 | destination: 18 | selector: has(tier) -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase2tag/testcase2tag-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase1-networkpolicy 5 | namespace: kube-system 6 | spec: 7 | selector: tier == 'frontend' 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | protocol: TCP 14 | source: 15 | selector: has(tier) 16 | egress: 17 | - action: Allow 18 | destination: 19 | selector: has(tier) 20 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase3/testcase3-networkpolicy-onlyAllow.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase3-networkpolicy-onlyAllow 5 | namespace: kube-system 6 | spec: 7 | selector: has(tier) 8 | types: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - action: Allow 13 | protocol: TCP 14 | source: 15 | selector: has(app) 16 | egress: 17 | - action: Allow 18 | destination: 19 | selector: all() 20 | 21 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase5/testcase5-allowFirst.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: 
testcase5-allowFirst 5 | namespace: kube-system 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | source: 13 | selector: has(tier) 14 | - action: Deny 15 | protocol: TCP 16 | source: 17 | selector: "!has(app)" 18 | egress: 19 | - action: Allow 20 | -------------------------------------------------------------------------------- /tests/calico_testcases/example_policies/testcase5/testcase5-denyFirst.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase5-denyFirst 5 | namespace: kube-system 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Deny 12 | protocol: TCP 13 | source: 14 | selector: "!has(app)" 15 | - action: Allow 16 | source: 17 | selector: has(tier) 18 | egress: 19 | - action: Allow 20 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/testcase10-has-redundancy.txt: -------------------------------------------------------------------------------- 1 | Redundancies found in np_global 2 | Policies that are redundant in np_global: 3 | testcase10-global-allowAll, testcase10-global-no-egress-rule, testcase10-global-no-ingress-rule, testcase10-global-onlyTypes 4 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/testcase19-deny-all-profiles-connectivity.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: deny-all-profiles-connectivity, config: deny-all-profiles: 2 | 3 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/testcase25_mix_k8s_calico_connectivity_map.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity, config: 
testcase25-config-1: 2 | src_ns: [kube-system] src_pods: [app=kube-fluentd] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} 3 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/testcase26-config-1-k8s-calico-istio-2_connectivity_map.txt: -------------------------------------------------------------------------------- 1 | For connections of type TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: 2 | src_ns: [default] src_pods: [ratings-v1-b6994bb9] dst_ns: [default] dst_pods: [productpage-v1-6b746f74dc] conn: {methods:GET} 3 | 4 | For connections of type non-TCP, final fw rules for query: connectivity-5, config: testcase26-config-1-k8s-calico-istio-2: 5 | 6 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/testcase26-config-no-policies-connectivity-map.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity-1, config: testcase26-config-no-policies: 2 | src: 0.0.0.0/0 dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections 3 | src_ns: [default,ingress-nginx,istio-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections 4 | src_ns: [default,ingress-nginx,istio-system] src_pods: [*] dst_ns: [default,ingress-nginx,istio-system] dst_pods: [*] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/vacuous-policy-new.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "query": "vacuous_policy_new_json", 4 | "configs": [ 5 | "np_globalAllowAll" 6 | ], 7 | "numerical_result": 1, 8 | "textual_result": "Network configuration np_globalAllowAll is vacuous - it allows all default connections" 9 | } 10 | ] 
-------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/vacuous-policy-new.txt: -------------------------------------------------------------------------------- 1 | Network configuration np_globalAllowAll is vacuous - it allows all default connections 2 | -------------------------------------------------------------------------------- /tests/calico_testcases/expected_output/vacuous-policy-new.yaml: -------------------------------------------------------------------------------- 1 | - query: vacuous_policy_new 2 | configs: 3 | - np_globalAllowAll 4 | numerical_result: 1 5 | textual_result: Network configuration np_globalAllowAll is vacuous - it allows all 6 | default connections 7 | -------------------------------------------------------------------------------- /tests/example_workload_resources/deployment.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | namespace: my-namespace 5 | name: nginx-deployment 6 | labels: 7 | app: nginx 8 | spec: 9 | replicas: 3 10 | selector: 11 | matchLabels: 12 | app: nginx 13 | template: 14 | metadata: 15 | labels: 16 | app: nginx 17 | spec: 18 | containers: 19 | - name: nginx 20 | image: nginx:1.14.2 21 | ports: 22 | - containerPort: 80 23 | --- 24 | -------------------------------------------------------------------------------- /tests/example_workload_resources/job.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: batch/v1 2 | kind: Job 3 | metadata: 4 | name: pi 5 | spec: 6 | parallelism: 100 7 | template: 8 | spec: 9 | containers: 10 | - name: pi 11 | image: perl 12 | command: ["perl", "-Mbignum=bpi", "-wle", "print bpi(2000)"] 13 | restartPolicy: Never 14 | backoffLimit: 4 15 | --- 16 | --- 17 | -------------------------------------------------------------------------------- 
/tests/example_workload_resources/replicaSet.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: ReplicaSet 3 | metadata: 4 | name: frontend 5 | labels: 6 | app: guestbook 7 | tier: frontend 8 | spec: 9 | selector: 10 | matchLabels: 11 | tier: frontend 12 | template: 13 | metadata: 14 | labels: 15 | tier: frontend 16 | spec: 17 | containers: 18 | - name: php-redis 19 | image: gcr.io/google_samples/gb-frontend:v3 20 | -------------------------------------------------------------------------------- /tests/example_workload_resources/replicationController.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ReplicationController 3 | metadata: 4 | name: nginx 5 | spec: 6 | replicas: 3 7 | selector: 8 | app: nginx 9 | template: 10 | metadata: 11 | name: nginx 12 | labels: 13 | app: nginx 14 | spec: 15 | containers: 16 | - name: nginx 17 | image: nginx 18 | ports: 19 | - containerPort: 80 20 | -------------------------------------------------------------------------------- /tests/expected_cmdline_output_files/basic_subset_deployment_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: , config: test_subset_topology.yaml: 2 | src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/expected_cmdline_output_files/basic_subset_label_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: , config: 
test_subset_topology.yaml: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/expected_cmdline_output_files/helm_test_one_chart.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: , config: **: 2 | src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379,9121} 3 | src_ns: [default] src_pods: [*] dst: 0.0.0.0/0 conn: {protocols:UDP,dst_ports:53} 4 | src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: {protocols:TCP,dst_ports:6379} 5 | -------------------------------------------------------------------------------- /tests/expected_cmdline_output_files/subset_label2_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: , config: test_subset_topology.yaml: 2 | -------------------------------------------------------------------------------- /tests/expected_cmdline_output_files/subset_label_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: , config: test_subset_topology.yaml: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/podlist/poc_ns_list.json: -------------------------------------------------------------------------------- 1 | [] 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/calico-policy-deny-all.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: default-deny 5 | spec: 6 | selector: all() 7 | types: 8 | - Ingress 9 | - Egress 10 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/calico-testcase20-1-empty-globalNetworkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: GlobalNetworkPolicy 3 | metadata: 4 | name: testcase20-empty-globalNetworkpolicy 5 | spec: 6 | types: 7 | - Ingress 8 | - Egress 9 | 10 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/calico-testcase5-allowFirst.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase5-allowFirst 5 | namespace: kube-system 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Allow 12 | source: 13 | selector: has(tier) 14 | - action: Deny 15 | protocol: TCP 16 | source: 17 | selector: "!has(app)" 18 | egress: 19 | - action: Allow 20 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/calico-testcase5-denyFirst.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: projectcalico.org/v3 2 | kind: NetworkPolicy 3 | metadata: 4 | name: testcase5-denyFirst 5 | namespace: 
kube-system 6 | spec: 7 | types: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - action: Deny 12 | protocol: TCP 13 | source: 14 | selector: "!has(app)" 15 | - action: Allow 16 | source: 17 | selector: has(tier) 18 | egress: 19 | - action: Allow 20 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-allow-all-egress-by-label.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: allow-all-egress-by-label 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Egress 9 | podSelector: 10 | matchExpressions: 11 | - key: pod 12 | operator: In 13 | values: [a, b] 14 | egress: 15 | - {} -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-allow-all-for-label.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: allow-all-for-label 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Ingress 9 | podSelector: 10 | matchLabels: 11 | pod: b 12 | ingress: 13 | - {} -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-allow-by-ip.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: allow-by-ip 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Ingress 9 | podSelector: 10 | matchLabels: 11 | pod: c 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: "0.0.0.0/24" -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-allow-label-to-label.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: 
networking.k8s.io/v1 3 | metadata: 4 | name: allow-label-to-label 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Ingress 9 | podSelector: 10 | matchLabels: 11 | pod: a 12 | # pod: b 13 | ingress: 14 | - from: 15 | - podSelector: 16 | matchLabels: 17 | pod: c -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-deny-all-egress.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: deny-all-egress 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Egress 9 | podSelector: {} 10 | egress: [] -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-deny-all-for-label.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: deny-all-for-label 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Ingress 9 | podSelector: 10 | matchLabels: 11 | pod: a 12 | ingress: [] -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/cyclonus-deny-all.yaml: -------------------------------------------------------------------------------- 1 | kind: NetworkPolicy 2 | apiVersion: networking.k8s.io/v1 3 | metadata: 4 | name: deny-all 5 | namespace: "y" 6 | spec: 7 | policyTypes: 8 | - Ingress 9 | podSelector: {} 10 | ingress: [] -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/empty_net_pols.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/empty_net_pols.yaml -------------------------------------------------------------------------------- 
/tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: open-default-TCP-test, config: open-default-TCP: 2 | src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All but {protocols:UDPLite} 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase13-scheme_output.yaml: -------------------------------------------------------------------------------- 1 | - query: open-default-TCP-test 2 | configs: 3 | - open-default-TCP 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - default 9 | src_pods: 10 | - '*' 11 | dst_ns: 12 | - default 13 | dst_pods: 14 | - '*' 15 | connection: 16 | - protocols: all but UDPLite 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase14-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: match-icmp-also-within-default-test, config: match-icmp-also-within-default: 2 | src_ns: [kube-system] src_pods: [app=keepalived-watcher] dst_ns: [kube-system] dst_pods: [app=keepalived-watcher] conn: {protocols:ICMP,icmp_type:100,icmp_code:230} 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_1_globalEmpty_with_profiles_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: np_1_globalEmpty_with_profiles, config: np_1_globalEmpty_with_profiles: 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase20-np_1_globalEmpty_with_profiles_query_output.yaml: 
-------------------------------------------------------------------------------- 1 | - query: np_1_globalEmpty_with_profiles_yaml 2 | configs: 3 | - np_1_globalEmpty_with_profiles 4 | numerical_result: 0 5 | explanation: 6 | - rules: [] 7 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np_FirstDenySubset: 2 | src_ns: [kube-system] src_pods: [app in (helm,keepalived-watcher,vpn)] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_FirstDenySubset_query_output.yaml: -------------------------------------------------------------------------------- 1 | - query: connectivity_map_yaml 2 | configs: 3 | - np_FirstDenySubset 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - kube-system 9 | src_pods: 10 | - app in (helm,keepalived-watcher,vpn) 11 | dst_ns: 12 | - kube-system 13 | dst_pods: 14 | - tier=frontend 15 | connection: 16 | - protocols: TCP 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_firstAllowSuperSet_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np_firstAllowSuperSet: 2 | src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} 3 | -------------------------------------------------------------------------------- 
/tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np_onlyAllow: 2 | src_ns: [kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [tier=frontend] conn: {protocols:TCP} 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase3_connectivity_map_onlyAllow_query_output.yaml: -------------------------------------------------------------------------------- 1 | - query: connectivity_map_yaml 2 | configs: 3 | - np_onlyAllow 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - kube-system 9 | src_pods: 10 | - (has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1)) 11 | dst_ns: 12 | - kube-system 13 | dst_pods: 14 | - tier=frontend 15 | connection: 16 | - protocols: TCP 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_allowFirst_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np_allowFirst: 2 | src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections 3 | src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/calico-testcase5_connectivity_map_denyFirst_query_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np_denyFirst: 2 | src_ns: 
[kube-system] src_pods: [(has(app) and app not in (kube-fluentd,public-cre08b89c167414305a1afb205d0bd346f-alb1))] dst_ns: [kube-system] dst_pods: [*] conn: All connections 3 | src_ns: [kube-system] src_pods: [*] dst: 0.0.0.0/0 conn: All connections 4 | src_ns: [kube-system] src_pods: [tier=frontend] dst_ns: [kube-system] dst_pods: [*] conn: All but {protocols:TCP} 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/cyclonus-simple-example-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: cyclonus-simple-example: 2 | src: 0.0.0.0/0 dst_ns: [y] dst_pods: [b] conn: All connections 3 | src: 0.0.0.0/24 dst_ns: [y] dst_pods: [c] conn: All connections 4 | src_ns: [y] src_pods: [pod!=c] dst: 0.0.0.0/0 conn: All connections 5 | src_ns: [y] src_pods: [pod!=c] dst_ns: [y] dst_pods: [b] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/poc4_scheme_semantic_diff_poc4_poc3_query_output.txt: -------------------------------------------------------------------------------- 1 | poc3 and poc4 are not semantically equivalent. 
2 | 3 | Added connections between persistent peers (based on topology from config: poc4) : 4 | src_ns: [default] src_pods: [loadgenerator] dst_ns: [default] dst_pods: [frontend] conn: {protocols:TCP,dst_ports:23} 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_query_output.dot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_a_to_b_query_output.dot -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.csv: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.csv -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.dot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.dot -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.md: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.md 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.txt: -------------------------------------------------------------------------------- 1 | no_policy and policy are semantically equivalent. 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_identical_query_output.yaml: -------------------------------------------------------------------------------- 1 | - query: semantic_diff_identical 2 | configs: 3 | - no_policy 4 | - policy 5 | numerical_result: 0 6 | textual_result: no_policy and policy are semantically equivalent. 7 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_ipblocks__np4_with_itself_query_output.txt: -------------------------------------------------------------------------------- 1 | np4 and np4 have the same network topology and the same set of policies. 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.dot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np1_and_np2_query_output.dot -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_named_ports_np3_and_np4_query_output.txt: -------------------------------------------------------------------------------- 1 | np3_named_ports and np4_named_ports are semantically equivalent. 
2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.dot: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1_query_output.dot -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_old1_new1a_txt_no_fw_rules_query_output.txt: -------------------------------------------------------------------------------- 1 | Added connections between persistent peers (based on topology from config: old1) : 2 | demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:TCP,dst_ports:8080} 3 | demo/bank-ui[DaemonSet] => demo/account-command[DaemonSet] : All connections 4 | Removed connections between persistent peers (based on topology from config: new1a) : 5 | demo/account-query[DaemonSet] => demo/bank-ui[DaemonSet] : {protocols:UDP,dst_ports:8080} 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/semantic_diff_old3_new3_query_output.txt: -------------------------------------------------------------------------------- 1 | new3 and old3 are semantically equivalent. 
2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_fullname_and_global_subset_endpoints_deployments_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_and_global_subset_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_fullname_and_global_subset_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_fullname_subset_endpoints_deployments_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 4 | src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_fullname_subset_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_fullname_subset_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: 
[default] dst_pods: [dep=E] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 4 | src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_in_subset_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_in_subset_endpoints_deployments_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 4 | src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_deployment_in_subset_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_deployment_in_subset_txt, config: np25: 2 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 4 | src_ns: [ns2] src_pods: [dep=C] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels2_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels2_endpoints_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections 3 | src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All 
connections 4 | src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels2_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels2_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod4] dst_ns: [ns1] dst_pods: [Pod2] conn: All connections 3 | src_ns: [default] src_pods: [Pod4] dst_ns: [ns2] dst_pods: [dep=D] conn: All connections 4 | src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections 5 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels3_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels3_endpoints_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels3_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels3_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: 
[Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels4_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels4_endpoints_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels4_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels4_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels6_dot.dot: -------------------------------------------------------------------------------- 1 | // The Connectivity Graph of subset_labels6_dot/np25 2 | digraph { 3 | label="Connectivity Graph of subset_labels6_dot/np25" labelloc = "t" 4 | fontsize=30 5 | fontcolor=maroon 6 | subgraph cluster_map_explanation { 7 | color=white 8 | labelloc = "b" 9 | fontsize=15 10 | fontcolor=maroon 11 | } 12 | } 13 | 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_dot.dot: -------------------------------------------------------------------------------- 1 | // The Connectivity Graph of subset_labels6_endpoints_deployments_dot/np25 2 | digraph { 3 | label="Connectivity Graph of subset_labels6_endpoints_deployments_dot/np25" labelloc = "t" 4 | fontsize=30 5 | fontcolor=maroon 6 | subgraph cluster_map_explanation { 7 | color=white 8 | labelloc = "b" 9 | fontsize=15 10 | fontcolor=maroon 11 | } 12 | } 13 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels6_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels6_endpoints_deployments_txt, config: np25: 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels6_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels6_txt, config: np25: 2 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels_endpoints_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_labels_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_labels_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [Pod8] conn: All connections 3 | src_ns: [ns1] src_pods: [dep=A] dst_ns: [default] dst_pods: [dep=E] conn: All connections 4 | src_ns: [ns1] src_pods: [dep=B] dst_ns: [ns1] dst_pods: [dep=A] conn: All connections 5 | src_ns: [ns3] src_pods: [Pod8] dst_ns: [default] dst_pods: [Pod4] conn: All connections 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_namespace_in_subset_endpoints_deployments_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_namespace_in_subset_endpoints_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections 3 | src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/subset_namespace_in_subset_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: subset_namespace_in_subset_txt, config: np25: 2 | src_ns: [default] src_pods: [Pod1] dst_ns: [ns3] dst_pods: [*] conn: All connections 3 | src_ns: [ns3] src_pods: [*] dst_ns: [default] dst_pods: [Pod4] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test19-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, 
config: np19: 2 | src_ns: [dlaas,ibm-system-new] src_pods: [*] dst_ns: [kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections 3 | src_ns: [ibm-system-new,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test20-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np20: 2 | src_ns: [default] src_pods: [*] dst_ns: [ibm-system-new,kube-system-new] dst_pods: [*] conn: All connections 3 | src_ns: [kube-system-new-dummy-to-ignore] src_pods: [*] dst_ns: [dlaas,ibm-system-new] dst_pods: [*] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test21-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np21: 2 | src_ns: [dlaas,ibm-system-new] src_pods: [*] dst_ns: [kube-system-new-dummy-to-ignore] dst_pods: [*] conn: All connections 3 | src_ns: [ibm-system-new,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test22-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np22: 2 | src_ns: [default] src_pods: [test!=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test22-scheme_output.yaml: -------------------------------------------------------------------------------- 1 | - query: 
connectivity_map 2 | configs: 3 | - np22 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - default 9 | src_pods: 10 | - test!=C 11 | dst_ns: 12 | - default 13 | dst_pods: 14 | - app=skydive 15 | connection: 16 | - All connections 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test23-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np23: 2 | src_ns: [default] src_pods: [*] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53} 3 | src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test24-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np24: 2 | src_ns: [default] src_pods: [test in (A,B)] dst_ns: [default] dst_pods: [app=skydive] conn: {protocols:UDP,dst_ports:53} 3 | src_ns: [default] src_pods: [test=C] dst_ns: [default] dst_pods: [app=skydive] conn: All connections 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_csv.csv: -------------------------------------------------------------------------------- 1 | "query","src_ns","src_pods","dst_ns","dst_pods","connection", 2 | "connectivity_map_by_deployments_csv, config: np25","","","","","", 3 | "","[default]","[my-test-deployment-C]","[default]","[app=B]","All connections", 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_txt.txt: 
-------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map_by_deployments_txt, config: np25: 2 | src_ns: [default] src_pods: [my-test-deployment-C] dst_ns: [default] dst_pods: [app=B] conn: All connections 3 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_deployments_yaml.yaml: -------------------------------------------------------------------------------- 1 | - query: connectivity_map_by_deployments_yaml 2 | configs: 3 | - np25 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - default 9 | src_pods: 10 | - my-test-deployment-C 11 | dst_ns: 12 | - default 13 | dst_pods: 14 | - app=B 15 | connection: 16 | - All connections 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_csv.csv: -------------------------------------------------------------------------------- 1 | "query","src_ns","src_pods","dst_ns","dst_pods","connection", 2 | "connectivity_map_by_pods_csv, config: np25","","","","","", 3 | "","[default]","[my-test-deployment-C-1, my-test-deployment-C-2]","[default]","[app=B]","All connections", 4 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_txt.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map_by_pods_txt, config: np25: 2 | src_ns: [default] src_pods: [my-test-deployment-C-1, my-test-deployment-C-2] dst_ns: [default] dst_pods: [app=B] conn: All connections -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test25-scheme_connectivity_map_by_pods_yaml.yaml: 
-------------------------------------------------------------------------------- 1 | - query: connectivity_map_by_pods_yaml 2 | configs: 3 | - np25 4 | numerical_result: 0 5 | explanation: 6 | - rules: 7 | - src_ns: 8 | - default 9 | src_pods: 10 | - my-test-deployment-C-1, my-test-deployment-C-2 11 | dst_ns: 12 | - default 13 | dst_pods: 14 | - app=B 15 | connection: 16 | - All connections 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/expected_output/test3-scheme_output.txt: -------------------------------------------------------------------------------- 1 | final fw rules for query: connectivity_map, config: np3: 2 | src: 0.0.0.0/0 dst_ns: [default] dst_pods: [*] conn: All connections 3 | src_ns: [default,kube-system-new] src_pods: [*] dst: 0.0.0.0/0 conn: All connections 4 | src_ns: [default,kube-system-new] src_pods: [*] dst_ns: [default] dst_pods: [*] conn: All connections 5 | src_ns: [default] src_pods: [*] dst_ns: [kube-system-new] dst_pods: [*] conn: {protocols:TCP,dst_ports:85-90} 6 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-allow-all-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-all 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | # This matches everything. 9 | rules: 10 | - {} -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-allow-nothing-policy-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: istio-config 6 | spec: 7 | action: ALLOW 8 | # the rules field is not specified, and the policy will never match. 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-allow-nothing-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | # the rules field is not specified, and the policy will never match. -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-allow-nothing-policy2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: default 6 | spec: 7 | {} -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-bookinfo-policy-test-operation-deny-example.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-method-get 5 | namespace: default 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: details 10 | action: DENY 11 | rules: 12 | - to: 13 | - operation: 14 | methods: ["GET"] -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/istio-deny-all-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-all 5 | spec: 6 | action: DENY 7 | # the rules field has an empty rule, and the policy will always match. 
8 | rules: 9 | - {} -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/namedPorts-policy1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: TCP 16 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/namedPorts-policy2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: TCP 16 | - port: metrics 17 | protocol: TCP 18 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/namedPorts-policy3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: tiller 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/namedPorts-policy4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-port-number 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: 44134 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/policy_a.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from2-to1 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-1 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: app-2 17 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/policy_a_ipBlock.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from-ip-block-to1 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-1 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0/8 16 | except: 17 | - 10.10.0.0/16 18 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/policy_b.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from1-to2 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-2 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: app-1 17 | 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/policy_b_ipBlock.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from-ip-block-to2 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-2 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0/8 16 | except: 17 | - 10.11.0.0/16 18 | ports: 19 | - port: 53 20 | protocol: UDP 21 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/test1-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | 2 | 3 | ### First policy. Enables ingress traffic to all pods in namespace kube-system-new from pods in any namespace labeled unique-label: defaultNameSpace (intended: the default namespace) 4 | 5 | apiVersion: networking.k8s.io/v1 6 | kind: NetworkPolicy 7 | metadata: 8 | name: allow-traffic-from-default-to-kube-system 9 | namespace: kube-system-new 10 | spec: 11 | podSelector: {} 12 | policyTypes: 13 | - Ingress 14 | ingress: 15 | - from: 16 | - namespaceSelector: 17 | matchLabels: 18 | unique-label: defaultNameSpace 19 | 20 | -------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/test14-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | ### Second network policy 2 | ### Allows ingress traffic into default from all pods in the ibm-system-new namespace, which is selected by its label unique-label: ibm-system-newNameSpace 3 | 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | name: allow-traffic-from-external-namespace 8 | namespace: default 9 | spec: 10 | podSelector: {} 11 | policyTypes: 12 | - Ingress 13 | ingress: 14 | - from: 15 | - namespaceSelector: 16 | matchLabels: 17 | unique-label: ibm-system-newNameSpace 18 | 
-------------------------------------------------------------------------------- /tests/fw_rules_tests/policies/test15-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: allow-traffic-from-specific-pods-in-external-namespace 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - namespaceSelector: 13 | matchLabels: 14 | unique-label: ibm-system-newNameSpace 15 | podSelector: 16 | matchLabels: 17 | ibm-cloud-provider-lb-app: keepalived 18 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test1/test_description.txt: -------------------------------------------------------------------------------- 1 | basic single chart -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .vscode 20 | .project 21 | .idea/ 22 | *.tmproj 23 | OWNERS 24 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 
2 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/ci/with-image-renderer-values.yaml: -------------------------------------------------------------------------------- 1 | podLabels: 2 | customLableA: Aaaaa 3 | imageRenderer: 4 | enabled: true 5 | env: 6 | RENDERING_ARGS: --disable-gpu,--window-size=1280x758 7 | RENDERING_MODE: clustered 8 | podLabels: 9 | customLableB: Bbbbb 10 | networkPolicy: 11 | limitIngress: true 12 | limitEgress: true 13 | resources: 14 | limits: 15 | cpu: 1000m 16 | memory: 1000Mi 17 | requests: 18 | cpu: 500m 19 | memory: 50Mi 20 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/ci/with-persistence.yaml: -------------------------------------------------------------------------------- 1 | persistence: 2 | type: pvc 3 | enabled: true 4 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/dashboards/custom-dashboard.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/templates/secret-env.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.envRenderSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-env 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | {{- include "grafana.labels" . 
| nindent 4 }} 9 | type: Opaque 10 | data: 11 | {{- range $key, $val := .Values.envRenderSecret }} 12 | {{ $key }}: {{ $val | b64enc | quote }} 13 | {{- end -}} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "grafana.labels" . | nindent 4 }} 7 | {{- $root := . }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{ tpl (toYaml . | indent 4) $root }} 11 | {{- end }} 12 | name: {{ template "grafana.serviceAccountName" . }} 13 | namespace: {{ template "grafana.namespace" . }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/grafana/templates/tests/test-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.testFramework.enabled .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "grafana.labels" . | nindent 4 }} 7 | name: {{ template "grafana.serviceAccountNameTest" . }} 8 | namespace: {{ template "grafana.namespace" . }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/prometheus/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | OWNERS 24 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/prometheus/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: kube-state-metrics 3 | repository: https://prometheus-community.github.io/helm-charts 4 | version: 4.7.0 5 | digest: sha256:1ae96f01358013a1ef2df0a83c215f1c8390f10fcb64f6d014d1cd00eb7d7eeb 6 | generated: "2022-06-12T07:52:25.183915591Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/prometheus/charts/kube-state-metrics/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test2/test_description.txt: -------------------------------------------------------------------------------- 1 | multi charts -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test3/test_description.txt: -------------------------------------------------------------------------------- 1 | resolved yaml next to chart dir -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test4/test_description.txt: -------------------------------------------------------------------------------- 1 | resolved yaml inside chart dir -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test5/test_description.txt: -------------------------------------------------------------------------------- 1 | resolved yaml inside template dir -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .vscode 20 | .project 21 | .idea/ 22 | *.tmproj 23 | OWNERS 24 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/ci/default-values.yaml: -------------------------------------------------------------------------------- 1 | # Leave this file empty to ensure that CI runs builds against the default configuration in values.yaml. 
2 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/ci/with-image-renderer-values.yaml: -------------------------------------------------------------------------------- 1 | podLabels: 2 | customLableA: Aaaaa 3 | imageRenderer: 4 | enabled: true 5 | env: 6 | RENDERING_ARGS: --disable-gpu,--window-size=1280x758 7 | RENDERING_MODE: clustered 8 | podLabels: 9 | customLableB: Bbbbb 10 | networkPolicy: 11 | limitIngress: true 12 | limitEgress: true 13 | resources: 14 | limits: 15 | cpu: 1000m 16 | memory: 1000Mi 17 | requests: 18 | cpu: 500m 19 | memory: 50Mi 20 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/ci/with-persistence.yaml: -------------------------------------------------------------------------------- 1 | persistence: 2 | type: pvc 3 | enabled: true 4 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/dashboards/custom-dashboard.json: -------------------------------------------------------------------------------- 1 | {} -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/templates/secret-env.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.envRenderSecret }} 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: {{ template "grafana.fullname" . }}-env 6 | namespace: {{ template "grafana.namespace" . }} 7 | labels: 8 | {{- include "grafana.labels" . 
| nindent 4 }} 9 | type: Opaque 10 | data: 11 | {{- range $key, $val := .Values.envRenderSecret }} 12 | {{ $key }}: {{ $val | b64enc | quote }} 13 | {{- end -}} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "grafana.labels" . | nindent 4 }} 7 | {{- $root := . }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{ tpl (toYaml . | indent 4) $root }} 11 | {{- end }} 12 | name: {{ template "grafana.serviceAccountName" . }} 13 | namespace: {{ template "grafana.namespace" . }} 14 | {{- end }} 15 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/grafana/templates/tests/test-serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if and .Values.testFramework.enabled .Values.serviceAccount.create }} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | labels: 6 | {{- include "grafana.labels" . | nindent 4 }} 7 | name: {{ template "grafana.serviceAccountNameTest" . }} 8 | namespace: {{ template "grafana.namespace" . }} 9 | {{- end }} 10 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/prometheus/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | 23 | OWNERS 24 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/prometheus/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: kube-state-metrics 3 | repository: https://prometheus-community.github.io/helm-charts 4 | version: 4.7.0 5 | digest: sha256:1ae96f01358013a1ef2df0a83c215f1c8390f10fcb64f6d014d1cd00eb7d7eeb 6 | generated: "2022-06-12T07:52:25.183915591Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/prometheus/charts/kube-state-metrics/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/redis/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 
4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/redis/Chart.lock: -------------------------------------------------------------------------------- 1 | dependencies: 2 | - name: common 3 | repository: https://charts.bitnami.com/bitnami 4 | version: 1.14.1 5 | digest: sha256:c69621f97b90b8c2e909293fbc475f0a3b0aaa4aa04de5df3e5d7a1974e5d735 6 | generated: "2022-05-21T06:15:57.189279353Z" 7 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/redis/charts/common/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *~ 18 | # Various IDEs 19 | .project 20 | .idea/ 21 | *.tmproj 22 | .vscode/ 23 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/redis/charts/common/templates/_tplvalues.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Renders a value that contains template. 
4 | Usage: 5 | {{ include "common.tplvalues.render" ( dict "value" .Values.path.to.the.Value "context" $) }} 6 | */}} 7 | {{- define "common.tplvalues.render" -}} 8 | {{- if typeIs "string" .value }} 9 | {{- tpl .value .context }} 10 | {{- else }} 11 | {{- tpl (.value | toYaml) .context }} 12 | {{- end }} 13 | {{- end -}} 14 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/redis/charts/common/values.yaml: -------------------------------------------------------------------------------- 1 | ## bitnami/common 2 | ## It is required by CI/CD tools and processes. 3 | ## @skip exampleValue 4 | ## 5 | exampleValue: common-chart 6 | -------------------------------------------------------------------------------- /tests/helm_tests/helm_test6/test_description.txt: -------------------------------------------------------------------------------- 1 | resolved yaml next to multi charts -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/bookinfo-policy-test-ns-no-match.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: "details-viewer-with-principal-regex" 5 | namespace: default 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: details 10 | action: ALLOW 11 | rules: 12 | - from: 13 | - source: 14 | namespaces: ["a*", "default"] 15 | --- -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/bookinfo-policy-test-operation-deny-example.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-method-get 5 | namespace: default 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: details 10 | action: DENY 11 
|   rules:
12 |   - to:
13 |     - operation:
14 |         methods: ["GET"]  # this policy's action is DENY, so GET requests to the app=details workload are rejected
--------------------------------------------------------------------------------
/tests/istio_testcases/example_policies/bookinfo-demo/bookinfo-policy-test-pircipals-no-match.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: security.istio.io/v1beta1
 2 | kind: AuthorizationPolicy
 3 | metadata:
 4 |   name: "details-viewer-with-principal-regex"  # NOTE(review): the principal below uses a trailing-* prefix match, not a regex
 5 |   namespace: default
 6 | spec:
 7 |   selector:  # applies to workloads labelled app=details in namespace default
 8 |     matchLabels:
 9 |       app: details
10 |   action: ALLOW  # once an ALLOW policy selects a workload, requests that match no ALLOW rule are denied
11 |   rules:
12 |   - from:
13 |     - source:
14 |         principals: ["cluster.local/ns/default/sa/bookinfo-new*"]  # peer identity, available only with mTLS; per the file name, presumably no service account in the test topology matches
15 | ---
--------------------------------------------------------------------------------
/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-default-sidecar-1.yaml:
--------------------------------------------------------------------------------
 1 | apiVersion: networking.istio.io/v1beta1
 2 | kind: Sidecar  # no workloadSelector: applies to every workload in namespace default
 3 | metadata:
 4 |   name: bookinfo-default-sidecar-1
 5 |   namespace: default
 6 | spec:
 7 |   egress:
 8 |   - hosts:  # format is namespace/dnsName; "./" means the Sidecar's own namespace
 9 |     - "./details.default.svc.cluster.local"
10 |     - "./ratings.default.svc.cluster.local"
11 |     - "./reviews.default.svc.cluster.local"
--------------------------------------------------------------------------------
/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-default-sidecar-2.yaml:
--------------------------------------------------------------------------------
1 | apiVersion: networking.istio.io/v1beta1
2 | kind: Sidecar  # NOTE(review): also selector-less in namespace default, like bookinfo-default-sidecar-1; Istio documents several selector-less Sidecars in one namespace as undefined behaviour, so the two are presumably used in separate test cases (confirm)
3 | metadata:
4 |   name: bookinfo-default-sidecar-2
5 |   namespace: default
6 | spec:
7 |   egress:
8 |   - hosts:  # narrower than sidecar-1: only the details service is listed
9 |     - "./details.default.svc.cluster.local"
--------------------------------------------------------------------------------
/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-productpage-sidecar-1.yaml:
--------------------------------------------------------------------------------
 1 |
apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-productpage-sidecar-1 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: productpage 9 | egress: 10 | - hosts: 11 | - "./details.default.svc.cluster.local" 12 | - "./reviews.default.svc.cluster.local" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-productpage-sidecar-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-productpage-sidecar-2 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: productpage 9 | egress: 10 | - hosts: 11 | - "./ratings.default.svc.cluster.local" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-reviews-sidecar.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-reviews-sidecar 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: reviews 9 | egress: 10 | - hosts: 11 | - "./ratings.default.svc.cluster.local" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/bookinfo-select-nothing-sidecar.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-selects-nothing-sidecar 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: payments 9 | egress: 10 | - hosts: 11 | - "./ratings.default.svc.cluster.local" -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/default-sidecar-allow-any.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: sidecar-allow-any-conns 5 | spec: 6 | egress: 7 | - hosts: 8 | - "*/*" # namespace/dnsName form: every service in every namespace; no workloadSelector or metadata.namespace is set, so the scope depends on the namespace this is applied in -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/global-sidecar-from-istio-ref.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: default 5 | namespace: istio-config # NOTE(review): acts as a mesh-wide default only if istio-config is the configured root namespace - confirm 6 | spec: 7 | egress: 8 | - hosts: 9 | - "./*" # services in the namespace the Sidecar applies to 10 | - "istio-system/*" # plus services in istio-system -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/global-sidecar.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: global-sidecar 5 | namespace: istio-config 6 | spec: 7 | egress: 8 | - hosts: 9 | - "*/*" # no workloadSelector: egress to every service in every namespace stays visible, so this Sidecar narrows nothing -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/service_entry_resources/bookinfo-service-entry-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: ServiceEntry 3 | metadata: 4 | name: external-svc-first-test 5 | spec: 6 | hosts: 7 | - www.slack.com 8 | - www.google.com 9 | location: MESH_EXTERNAL 10 | ports: 11 | - name: https-443 12 | number: 443 13 | protocol: HTTPS 14 | resolution: NONE # the proxy does no endpoint resolution and forwards to the IP the caller connected to, so the host names above are not tied to specific destination addresses -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-allows-all-in-registery-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-registry-only 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "*/*" 12 | outboundTrafficPolicy: 13 | mode: REGISTRY_ONLY # egress is limited to destinations known to the service registry (including ServiceEntry hosts); unknown destinations are not passed through 14 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-allows-any.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: sidecar-allows-any 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "*/*" 12 | outboundTrafficPolicy: 13 | mode: ALLOW_ANY # traffic to destinations unknown to the registry is passed through, so this Sidecar does not restrict egress for the 'ratings' workloads 14 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-w-general-host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-specific-host 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "*/*.facebook.com" # wildcard DNS name: any host under facebook.com, exported from any namespace -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-w-internal-external-services.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-mixed 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - 
"./details.default.svc.cluster.local" 12 | - "./reviews.default.svc.cluster.local" 13 | - "*/www.slack.com" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-w-pods-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-mixed 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "./details.default.svc.cluster.local" 12 | - "./reviews.default.svc.cluster.local" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-w-specific-host.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-specific-host 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "*/en.wikipedia.org" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-demo/sidecar_examples/sidecar-with-local-hosts-only.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: bookinfo-ratings-sidecar-only-local 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: ratings 9 | egress: 10 | - hosts: 11 | - "./details.default.svc.cluster.local" 12 | - "./reviews.default.svc.cluster.local" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-from-live-cluster/policies_0.yaml: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/istio_testcases/example_policies/bookinfo-from-live-cluster/policies_0.yaml -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/bookinfo-from-live-cluster/policies_1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-all 5 | namespace: default 6 | spec: 7 | {} -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/added_resources/ingress-nginx-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-ingress-nginx 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: ingress-nginx 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: ingress-nginx 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/added_resources/ingress-nginx-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-ingress-nginx 6 | namespace: example 7 | labels: 8 | app: ingress-nginx 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3000 16 | selector: 17 | app: ingress-nginx 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/added_resources/istio-ingress-gateway-deployment.yaml: -------------------------------------------------------------------------------- 1 | # based on 
https://istio.io/latest/docs/setup/additional-setup/gateway/#canary-upgrade-advanced 2 | 3 | apiVersion: apps/v1 4 | kind: Deployment 5 | metadata: 6 | name: istio-ingressgateway 7 | namespace: example 8 | spec: 9 | selector: 10 | matchLabels: 11 | istio: ingressgateway 12 | template: 13 | metadata: 14 | labels: 15 | istio: ingressgateway 16 | 17 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/aaaa-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-aaaa 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: aaaa 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: aaaa 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/aaaa-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-aaaa 6 | namespace: example 7 | labels: 8 | app: aaaa 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3000 16 | selector: 17 | app: aaaa 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/bbbb-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-bbbb 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: bbbb 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: bbbb 16 | -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/complex-ingress-test/resources/bbbb-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-bbbb 6 | namespace: example 7 | labels: 8 | app: bbbb 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3456 16 | selector: 17 | app: bbbb 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/cccc-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-cccc 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: cccc 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: cccc 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/cccc-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-cccc 6 | namespace: example 7 | labels: 8 | app: cccc 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 9950 16 | selector: 17 | app: cccc 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/dddd-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-dddd 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: dddd 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: dddd 16 | 
-------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/dddd-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-dddd 6 | namespace: example 7 | labels: 8 | app: dddd 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3200 16 | selector: 17 | app: dddd 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/eeee-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-eeee 6 | namespace: example 7 | spec: 8 | replicas: 2 9 | selector: 10 | matchLabels: 11 | app: eeee 12 | template: 13 | metadata: 14 | labels: 15 | app: eeee 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/eeee-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-eeee 6 | namespace: example 7 | labels: 8 | app: eeee 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 6432 14 | protocol: TCP 15 | targetPort: 6432 16 | selector: 17 | app: eeee 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/ffff-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-ffff 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | 
app: ffff 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: ffff 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/ffff-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-ffff 6 | namespace: example 7 | labels: 8 | app: ffff 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3500 16 | selector: 17 | app: ffff 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/gggg-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-gggg 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: gggg 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: gggg 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/gggg-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-gggg 6 | namespace: example 7 | labels: 8 | app: gggg 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 4000 16 | selector: 17 | app: gggg 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/hhhh-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: 
deploy-hhhh 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: hhhh 11 | replicas: 3 12 | template: 13 | metadata: 14 | labels: 15 | app: hhhh 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/hhhh-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-hhhh 6 | namespace: example 7 | labels: 8 | app: hhhh 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 9950 16 | selector: 17 | app: hhhh 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/iiii-deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-iiii 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: iiii 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: iiii 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/iiii-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-iiii 6 | namespace: example 7 | labels: 8 | app: iiii 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 3000 16 | selector: 17 | app: iiii 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/jjjj-deployment.yaml: 
-------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: deploy-jjjj 6 | namespace: example 7 | spec: 8 | selector: 9 | matchLabels: 10 | app: jjjj 11 | replicas: 2 12 | template: 13 | metadata: 14 | labels: 15 | app: jjjj 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/complex-ingress-test/resources/jjjj-service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | name: svc-jjjj 6 | namespace: example 7 | labels: 8 | app: jjjj 9 | spec: 10 | type: ClusterIP 11 | ports: 12 | - name: serviceport 13 | port: 80 14 | protocol: TCP 15 | targetPort: 9950 16 | selector: 17 | app: jjjj 18 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/istio-egress-test-partial-flow1/resources/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: my-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: egressgateway 9 | servers: 10 | - port: 11 | number: 443 12 | name: https 13 | protocol: HTTPS 14 | hosts: 15 | - httpbin.example.com 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/istio-egress-test-partial-flow2/resources/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: my-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: egressgateway 9 | servers: 10 | - port: 11 | number: 443 12 | name: https 13 | protocol: HTTPS 14 | hosts: 15 | - httpbin.example.com 16 | 
-------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/istio-egress-test/istio-egress-test-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ./ 2 | podList: ./ 3 | 4 | networkConfigList: 5 | - name: istio-egress 6 | resourceList: 7 | - ./resources 8 | expectedWarnings: 2 9 | 10 | 11 | queries: 12 | - name: connectivity 13 | connectivityMap: 14 | - istio-egress 15 | outputConfiguration: 16 | outputFormat: txt 17 | fwRulesRunInTestMode: false 18 | expectedOutput: ../../expected_output/istio_egress_test_connectivity_map.txt -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/istio-egress-test/resources/gateway.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1alpha3 2 | kind: Gateway 3 | metadata: 4 | name: my-gateway 5 | namespace: istio-system 6 | spec: 7 | selector: 8 | istio: egressgateway 9 | servers: 10 | - port: 11 | number: 443 12 | name: https 13 | protocol: HTTPS 14 | hosts: 15 | - httpbin.example.com 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/istio-ingress-test/istio-ingress-test-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ./ 2 | podList: ./ 3 | 4 | networkConfigList: 5 | - name: istio-ingress 6 | resourceList: 7 | - ./resources 8 | expectedWarnings: 7 9 | 10 | 11 | queries: 12 | - name: connectivity 13 | connectivityMap: 14 | - istio-ingress 15 | outputConfiguration: 16 | outputFormat: txt 17 | fwRulesRunInTestMode: false 18 | expectedOutput: ../../expected_output/istio_ingress_test_connectivity_map.txt -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity-map-of-onlineboutique.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/istio_testcases/example_policies/online_boutique_multi_layer_from_live_cluster_test/connectivity-map-of-onlineboutique.jpg -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-egress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: empty-egress 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "./*/*" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "*" -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "./." -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "*/abc" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-5.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "abc./abc.ab" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-6.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "*/abc.*.*" -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-7.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "*/abc." # passes on live cluster also 12 | - "*/abc.abc09-" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-8.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-invalid-host-9.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | a/a.b.c 12 | b/b.c.d -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/invalid_sidecars/sidecar-missing-spec.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: missing-spec -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecar-disable-egress1.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "~/*" -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/sidecar_examples_w_onlineboutique/sidecar_disables_egress/sidecar-disable-egress2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.istio.io/v1beta1 2 | kind: Sidecar 3 | metadata: 4 | name: frontend 5 | spec: 6 | workloadSelector: 7 | labels: 8 | app: frontend 9 | egress: 10 | - hosts: 11 | - "~/cartservice." # also disables all egress for the 'frontend' workloads - same behaviour on live-cluster -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/test-istio-scheme-files-options/empty_ns.yaml: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/IBM/network-config-analyzer/c4bd39f99d76532baced2fd920edbc67ffc2f654/tests/istio_testcases/example_policies/test-istio-scheme-files-options/empty_ns.yaml -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/test-istio-scheme-files-options/policy-allow-nothing.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: default 6 | spec: 7 | {} -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/test-istio-scheme-files-options/policy-productpage-viewer.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: "productpage-viewer" 5 | namespace: default 6 | spec: 7 | selector: 8 | matchLabels: 9 | app: productpage 10 | action: ALLOW 11 | rules: 12 | - to: 13 | - operation: 14 | methods: ["GET"] 15 | 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/test-istio-scheme-files-options/scheme-test-from-live-cluster.yaml: -------------------------------------------------------------------------------- 1 | 2 | networkConfigList: 3 | - name: istio-test-live-cluster 4 | networkPolicyList: 5 | - istio 6 | 7 | 8 | queries: 9 | - name: connectivity-istio-test 10 | connectivityMap: 11 | - istio-test-live-cluster 12 | outputConfiguration: 13 | fwRulesGroupByLabelSinglePod: true 14 | expected: 0 15 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase1/testcase1-allow-all-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-all 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | # This matches everything. 9 | rules: 10 | - {} # An empty rule is always matched. 
-------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase1/testcase1-allow-all-test-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-all 5 | namespace: default 6 | spec: 7 | rules: 8 | - {} -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase1/testcase1-allow-nothing-policy-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: default 6 | spec: 7 | {} -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase1/testcase1-allow-nothing-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: allow-nothing 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | # the rules field is not specified, and the policy will never match. -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase1/testcase1-deny-all-policy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: deny-all 5 | spec: 6 | action: DENY 7 | # the rules field has an empty rule, and the policy will always match. 
8 | rules: 9 | - {} -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase2/testcase2-policy-1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-from 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - to: 13 | - operation: 14 | ports: ["26257", "30"] 15 | when: 16 | - key: destination.port 17 | values: ["26257"] 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase2/testcase2-policy-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-source 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - to: 13 | - operation: 14 | ports: ["26257", "30"] 15 | when: 16 | - key: destination.port 17 | values: ["26257"] 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase2/testcase2-policy-4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-source-namespaces-only-1 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - to: 13 | - operation: 14 | ports: ["26257", "30"] 15 | when: 16 | - key: destination.port 17 | values: ["26257"] 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase2/testcase2-policy-8.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-source-namespaces-only-1 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - to: 13 | - operation: 14 | ports: ["26257", "30"] 15 | when: 16 | - key: destination.port 17 | values: ["26257"] 18 | 19 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-condition-empty-values-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-when-condition-empy-values 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: 13 | - key: source.namespace 14 | values: [] # values or notValues must be set 15 | 16 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-condition-empty-values.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-when-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: 13 | - key: source.namespace # values or notValues must be set 14 | 15 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-condition-values-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: 
test-condition-values-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: 13 | - key: source.namespace 14 | values: ["default"] 15 | notValues: # notValues cannot be null (only type array) 16 | 17 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-deny-without-rules.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-error-deny-without-rules 5 | namespace: default 6 | spec: 7 | action: DENY 8 | 9 | 10 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-from-is-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-from 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: [] # from cannot be an empty array -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-from-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-from-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: # from cannot be null 13 | 14 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-key-is-empty.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-when-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: 13 | - {} # must have key 14 | 15 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-namespaces-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-namespaces-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: 13 | - source: 14 | namespaces: # namespaces cannot be null -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-operation-is-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-oeration-is-empty 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - to: 10 | - operation: 11 | ports: [] -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-operation-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-operation-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - to: 10 | - operation: 11 | 12 | -------------------------------------------------------------------------------- 
/tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-ports-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-ports-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | rules: 9 | - to: 10 | - operation: 11 | ports: # cannot be null -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-rule-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-rule-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - # rule cannot be null -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-source-is-empty-2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-source 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: 13 | - source: {} # source cannot be empty 14 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-source-is-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-source 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: 13 | - source: 14 | namespaces: [] # source 
cannot be empty -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-to-is-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-to 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - to: [] # to cannot be an empty array -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-parse-error-when-is-null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-when-is-null 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: # when cannot be null 13 | 14 | -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-valid-syntax-source-not-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-source-not-empty 5 | namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - from: 13 | - source: 14 | namespaces: [] 15 | notNamespaces: ["default"] -------------------------------------------------------------------------------- /tests/istio_testcases/example_policies/testcase3/testcase3-valid-syntax-when-is-empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: security.istio.io/v1beta1 2 | kind: AuthorizationPolicy 3 | metadata: 4 | name: test-empty-when 5 |
namespace: default 6 | spec: 7 | action: ALLOW 8 | selector: 9 | matchLabels: 10 | app: skydive 11 | rules: 12 | - when: [] 13 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/containment_configs_w_sidecars_different_outbound_mode.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-selector-registery-only is contained in sidecar-with-selector-allows-any 2 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_hosts.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. 2 | Connections allowed in sidecar-with-local-hosts-only which are different in sidecar-with-local-and-dns-hosts: 3 | src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not 4 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/equiv_configs_w_sidecars_different_outbound_mode.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-selector-allows-any and sidecar-with-selector-registery-only are not semantically equivalent. 2 | Connections allowed in sidecar-with-selector-allows-any which are different in sidecar-with-selector-registery-only: 3 | src: default/ratings-v1-1, dst: 0.0.0.0-255.255.255.255, description: sidecar-with-selector-allows-any allows all connections while sidecar-with-selector-registery-only does not. 
4 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/forbids_configs_w_sidecars_different_hosts_types.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-local-and-dns-hosts does not forbid connections specified in sidecar-with-local-hosts-only 2 | Both sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts allow the following connection(s): 3 | src: ['default/ratings-v1-1'], dst: ['0.0.0.0-255.255.255.255', 'default/details-v1-1', 'default/reviews-v1-1', 'default/reviews-v2-1', 'default/reviews-v3-1'], conn: All connections 4 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/interferes_configs_w_sidecars_different_hosts_types.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-local-and-dns-hosts interferes with sidecar-with-local-hosts-only 2 | Allowed connections from sidecar-with-local-hosts-only which are extended in sidecar-with-local-and-dns-hosts: 3 | src: ['default/ratings-v1-1'], dst: ['www.slack.com'], description: sidecar-with-local-and-dns-hosts allows communication on [protocols=TCP] while sidecar-with-local-hosts-only does not 4 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/permits_configs_w_sidecars_different_outbound_mode.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-selector-allows-any permits all connections specified in sidecar-with-selector-registery-only 2 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/semantic_diff_online_boutique_new_synth_res_vs_synth_with_baseline_res.txt: -------------------------------------------------------------------------------- 1 | 
new_online_boutique_synthesis_res and new_online_boutique_synthesis_res_with_baseline_restrict_access_to_payment_service are not semantically equivalent. 2 | 3 | Removed connections between persistent peers (based on topology from config: new_online_boutique_synthesis_res) : 4 | src_ns: [default] src_pods: [checkoutservice] dst_ns: [default] dst_pods: [paymentservice] conn: {protocols:TCP,dst_ports:50051} 5 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/semantic_diff_sidecars_added_conns_test.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-local-hosts-only and sidecar-with-local-and-dns-hosts are not semantically equivalent. 2 | 3 | New connections between persistent peers and added peers (based on topology from config: sidecar-with-local-and-dns-hosts) : 4 | src_ns: [default] src_pods: [*] dst: www.slack.com conn: {protocols:TCP} 5 | src_ns: [default] src_pods: [app!=ratings] dst: www.google.com conn: {protocols:TCP} 6 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/semantic_diff_sidecars_lost_conns_test.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-selector-allows-any and sidecar-with-selector-registery-only are not semantically equivalent. 
2 | 3 | Removed connections between persistent peers and ipBlocks (based on topology from config: sidecar-with-selector-allows-any) : 4 | src_ns: [default] src_pods: [ratings-v1] dst: 0.0.0.0/0 conn: {protocols:TCP} 5 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/strong_equiv_configs_w_sidecars_different_outbound_mode.txt: -------------------------------------------------------------------------------- 1 | sidecar-with-selector-allows-any contains a network policy named default/sidecar-allows-any[PolicyType.IstioSidecar], but sidecar-with-selector-registery-only does not -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/two_way_containment_configs_allow_any.txt: -------------------------------------------------------------------------------- 1 | The two network configurations default-sidecar-allows-any and sidecar-with-selector-allows-any are semantically equivalent. 
2 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_hosts_types.txt: -------------------------------------------------------------------------------- 1 | Network configuration sidecar-with-local-hosts-only is a proper subset of sidecar-with-local-and-dns-hosts but sidecar-with-local-and-dns-hosts is not contained in sidecar-with-local-hosts-only 2 | Connections allowed in sidecar-with-local-and-dns-hosts which are not a subset of those in sidecar-with-local-hosts-only: 3 | src: ['default/ratings-v1-1'], dst: ['www.slack.com'], conn: {'protocols': 'TCP'} 4 | -------------------------------------------------------------------------------- /tests/istio_testcases/expected_output/two_way_containment_configs_w_sidecars_different_outbound_mode.txt: -------------------------------------------------------------------------------- 1 | Network configuration sidecar-with-selector-registery-only is a proper subset of sidecar-with-selector-allows-any but sidecar-with-selector-allows-any is not contained in sidecar-with-selector-registery-only 2 | Connections allowed in sidecar-with-selector-allows-any which are not a subset of those in sidecar-with-selector-registery-only: 3 | src: default/ratings-v1-1, dst: 0.0.0.0-255.255.255.255, conn: All connections 4 | -------------------------------------------------------------------------------- /tests/istio_testcases/scan-dir-test-scheme.yaml: -------------------------------------------------------------------------------- 1 | # non-recursive scan of dirs with no files, no resources are expected to be found 2 | podList: ./ 3 | namespaceList: ./ 4 | 5 | networkConfigList: 6 | - name: test 7 | networkPolicyList: 8 | - ./example_policies 9 | 10 | queries: 11 | - name: test-query 12 | connectivityMap: 13 | - test 14 | expectedNotExecuted: 1 -------------------------------------------------------------------------------- 
/tests/k8s_testcases/all_resources_in_same_dir/all-resources-in-one-dir-scheme.yaml: -------------------------------------------------------------------------------- 1 | resourceList: ./ 2 | 3 | networkConfigList: 4 | - name: some_captured 5 | resourceList: 6 | - ./ 7 | expectedWarnings: 1 8 | 9 | queries: 10 | - name: all-captured 11 | allCaptured: 12 | - some_captured 13 | expected: 11 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/andOrCombinations/andOrCombinations-readme.yaml: -------------------------------------------------------------------------------- 1 | ### The policies in this folder demonstrate the delicate semantics of Ingress (as well as Egress) rules 2 | 3 | ### first policy - ingress rule with multiple items of "podSelector" and with ports specified 4 | ### The semantics are (pod_selector1 or pod_selector2) and (ports) 5 | ### second policy - ingress rule with multiple items of "from" 6 | ### The semantics are (pod_selector1 and port1) or (pod_selector2 and port2) -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/demo_short/demo1-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | resourceList: '' 4 | 5 | networkConfigList: 6 | - name: sanity_np1 7 | networkPolicyList: 8 | - sanity1-networkpolicy.yaml 9 | expectedWarnings: 3 10 | 11 | queries: 12 | - name: sanity_np1 13 | sanity: 14 | - sanity_np1 15 | expected: 1 16 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/demo_short/demo1-topology-resourcelist-scheme.yaml: -------------------------------------------------------------------------------- 1 | resourceList: 2 | - ../../example_podlist/ns_list.json 3 | - ../../example_podlist/pods_list.json
4 | 5 | networkConfigList: 6 | - name: sanity_np1 7 | networkPolicyList: 8 | - sanity1-networkpolicy.yaml 9 | expectedWarnings: 3 10 | 11 | queries: 12 | - name: sanity_np1 13 | sanity: 14 | - sanity_np1 15 | expected: 1 16 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/demo_short/demo2-pods-resourcelist-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json # not recommended pattern (combines resourceList with namespaceList) 2 | resourceList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: sanity_np2 6 | networkPolicyList: 7 | - sanity2-networkpolicy.yaml 8 | expectedWarnings: 0 9 | 10 | queries: 11 | - name: sanity_np2 12 | sanity: 13 | - sanity_np2 14 | expected: 1 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/demo_short/demo2-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: sanity_np2 6 | networkPolicyList: 7 | - sanity2-networkpolicy.yaml 8 | expectedWarnings: 0 9 | 10 | queries: 11 | - name: sanity_np2 12 | sanity: 13 | - sanity_np2 14 | expected: 1 15 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/namedPorts/namedPorts-policy1.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: 
TCP 16 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/namedPorts/namedPorts-policy2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: TCP 16 | - port: metrics 17 | protocol: TCP 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/namedPorts/namedPorts-policy3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: tiller 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/namedPorts/namedPorts-policy4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-port-number 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: 44134 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- 
/tests/k8s_testcases/example_policies/network-policy-checks/network-policy-check-scheme.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: checks_policy 6 | networkPolicyList: 7 | - checks-network-policy.yaml 8 | expectedWarnings: 0 9 | 10 | queries: 11 | - name: all-captured 12 | allCaptured: 13 | - checks_policy 14 | expected: 4 15 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/resourcelist-one-path-example/resource-path-scheme.yaml: -------------------------------------------------------------------------------- 1 | resourceList: ./resources-path.yaml 2 | 3 | networkConfigList: 4 | - name: workload_resources_captured 5 | resourceList: 6 | - resources-path.yaml 7 | expectedWarnings: 0 8 | 9 | queries: 10 | - name: all-captured 11 | allCaptured: 12 | - workload_resources_captured 13 | expected: 4 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml: -------------------------------------------------------------------------------- 1 | resourceList: [] 2 | networkConfigList: 3 | - name: sample 4 | resourceList: 5 | - ./** 6 | queries: 7 | - name: sample-all-captured 8 | allCaptured: 9 | - sample 10 | expected: 2 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase11-forbids-permits/testcase11-empty-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | 2 | ### this policy is empty - it isolates no pods 3 | 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | name: empty 8 | namespace: default 9 | spec: 10 | podSelector: 11 | matchLabels: 12 | no_exists_label:
no_exists_content 13 | policyTypes: 14 | - Ingress 15 | - Egress 16 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase11-forbids-permits/testcase11-within-default.yaml: -------------------------------------------------------------------------------- 1 | 2 | ### This policy enables all internal traffic within namespace default 3 | 4 | apiVersion: networking.k8s.io/v1 5 | kind: NetworkPolicy 6 | metadata: 7 | name: within-default 8 | namespace: default 9 | spec: 10 | podSelector: {} 11 | policyTypes: 12 | - Ingress 13 | - Egress 14 | ingress: 15 | - from: 16 | - podSelector: {} 17 | egress: 18 | - to: 19 | - podSelector: {} 20 | 21 | 22 | 23 | 24 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase1_tag/testcase1tag-readme.yaml: -------------------------------------------------------------------------------- 1 | ### This folder contains 2 files, each containing two network policies 2 | ### the policies in the first file are equivalent to the policies in the second one 3 | 4 | ### namespace default, for which the policies are defined, contains pods with app=skydive (only), some with tier=agent and some with tier=analyzer 5 | ### Communication is allowed within the namespace for app=skydive only from tier=analyzer to tier=agent 6 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase3/testcase3-readme.yaml: -------------------------------------------------------------------------------- 1 | ### This folder contains 2 network policies 2 | ### Both are meant to allow traffic from namespace default to namespace kube-system through port 53 with UDP and TCP 3 | 4 | ## The first one has a (common) typo, as a result of which traffic to kube-system is allowed for all through port 53 with UDP and TCP 5 | ## The second fixes this typo
-------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase4/testcase4-scheme-demo.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: np1 6 | networkPolicyList: 7 | - testcase4-networkpolicy1.yaml 8 | - name: np2 9 | networkPolicyList: 10 | - testcase4-networkpolicy2.yaml 11 | 12 | queries: 13 | - name: compare_np1_and_np2 14 | equivalence: 15 | - np1 16 | - np2 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase6/testcase6-scheme-demo.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: np1 6 | networkPolicyList: 7 | - testcase6-networkpolicy1.yaml 8 | - name: np2 9 | networkPolicyList: 10 | - testcase6-networkpolicy2.yaml 11 | 12 | queries: 13 | - name: pairwiseInterferes_np1_and_np2 14 | pairwiseInterferes: 15 | - np1 16 | - np2 -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/testcase8/testcase8-scheme-demo.yaml: -------------------------------------------------------------------------------- 1 | namespaceList: ../../example_podlist/ns_list.json 2 | podList: ../../example_podlist/pods_list.json 3 | 4 | networkConfigList: 5 | - name: np1 6 | networkPolicyList: 7 | - testcase8-networkpolicy1.yaml 8 | 9 | queries: 10 | - name: redundnacy_np1 11 | redundancy: 12 | - np1 13 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-policy1.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: TCP 16 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-policy2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - ports: 12 | - port: dns-local 13 | protocol: UDP 14 | - port: dns-tcp-local 15 | protocol: TCP 16 | - port: metrics 17 | protocol: TCP 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-policy3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ingress-based-on-named-ports 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: tiller 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/namedPorts-policy4.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | 
metadata: 4 | name: ingress-based-on-port-number 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: 44134 19 | protocol: TCP 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/policy_a.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from2-to1 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-1 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: app-2 17 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/policy_a_ipBlock.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from-ip-block-to1 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-1 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0/8 16 | except: 17 | - 10.10.0.0/16 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/policy_b.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from1-to2 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-2 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | app: app-1 17 | 
-------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/tests-different-topologies/policy_b_ipBlock.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: policy-from-ip-block-to2 5 | namespace: default 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: app-2 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0/8 16 | except: 17 | - 10.11.0.0/16 18 | ports: 19 | - port: 53 20 | protocol: UDP 21 | -------------------------------------------------------------------------------- /tests/k8s_testcases/example_policies/workload-resources-test/workload-test-networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: capture-all-ingress-default 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - namespaceSelector: {} 13 | podSelector: {} 14 | -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/forbids-empty-impl-default-spec-all-examples.txt: -------------------------------------------------------------------------------- 1 | np-empty does not forbid connections specified in np-within-default 2 | Both np-within-default and np-empty allow the following connection(s): 3 | src: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], dst: ['default/cog-agents-d54st', 'default/cog-agents-js4qc', 'default/cog-agents-qr8gp', 'default/cog-local-analyzer-7d77fb55cc-bs8rc'], conn: All connections 4 | -------------------------------------------------------------------------------- 
/tests/k8s_testcases/expected_output/permits-a-b-not-executed.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "query": "permits_a_b", 4 | "configs": [ 5 | "config_b", 6 | "config_a" 7 | ], 8 | "executed": 0, 9 | "description": "The two configurations have different network topologies and thus are not comparable." 10 | } 11 | ] -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/permits-a-b-not-executed.yaml: -------------------------------------------------------------------------------- 1 | - query: permits_a_b 2 | configs: 3 | - config_b 4 | - config_a 5 | executed: 0 6 | description: The two configurations have different network topologies and thus are 7 | not comparable. 8 | -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/permits-default-impl-kube-system-spec.json: -------------------------------------------------------------------------------- 1 | [ 2 | { 3 | "query": "permits_default_impl_kube-system_spec_json", 4 | "configs": [ 5 | "np-within-kube-system", 6 | "np-within-default" 7 | ], 8 | "numerical_result": 0, 9 | "textual_result": "np-within-default permits all connections specified in np-within-kube-system" 10 | } 11 | ] -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/permits-default-impl-kube-system-spec.txt: -------------------------------------------------------------------------------- 1 | np-within-default permits all connections specified in np-within-kube-system 2 | -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/permits-default-impl-kube-system-spec.yaml: -------------------------------------------------------------------------------- 1 | - query: permits_default_impl_kube-system_spec_yaml 2 | configs: 3 | - 
np-within-kube-system 4 | - np-within-default 5 | numerical_result: 0 6 | textual_result: np-within-default permits all connections specified in np-within-kube-system 7 | -------------------------------------------------------------------------------- /tests/k8s_testcases/expected_output/redundancy-test-on-misconception-podSelector-namespaceSelector.txt: -------------------------------------------------------------------------------- 1 | Redundancies found in sanity-misconception-podSelector-namespaceSelector 2 | 3 | Ingress rules that are redundant in sanity-misconception-podSelector-namespaceSelector: 4 | NetworkPolicy default/wrong-allow-traffic-from-specific-pods-in-external-namespace, ingress rules indexes: 1, 2 5 | -------------------------------------------------------------------------------- /tests/k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml: -------------------------------------------------------------------------------- 1 | resourceList: [] 2 | networkConfigList: 3 | - name: sample 4 | resourceList: 5 | - ./sample-app/** 6 | expectedWarnings: 1 # Warning: Ingress rule redirects traffic to my-service:8080, but port 8080 is not exposed by Service my-service 7 | queries: 8 | - name: connectivity_map 9 | connectivityMap: 10 | - sample 11 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/api_version_wrong_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: k8sV1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: api-version-wrong-value 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | egress: 16 | - to: 17 | - namespaceSelector: {} 18 | podSelector: {} 19 | -------------------------------------------------------------------------------- 
/tests/k8s_testcases/network-policy-checks-bad-path/endport_wrong_range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: endport-test-wrong-range 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | tier: frontend 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0 16 | ports: 17 | - port: 53 18 | protocol: UDP 19 | endPort: 0 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/endport_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: endport-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | tier: frontend 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | cidr: 10.0.0.0 16 | ports: 17 | - port: 53 18 | protocol: UDP 19 | # wrong type 20 | endPort: UDP 21 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_bad_cidr.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipblock-bad-cidr 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - ipBlock: 13 | # bad cidr 14 | cidr: 8000:k00::/120 15 | ports: 16 | - port: 54 -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_bad_cidr_2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: 
ipblock-bad-cidr 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - ipBlock: 13 | # bad cidr 14 | cidr: 8000:f00::/129 15 | ports: 16 | - port: 53 -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_bad_cidr_3.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipblock-bad-cidr 5 | namespace: default 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - ipBlock: 13 | # bad cidr 14 | cidr: 20.0.0.0/33 15 | ports: 16 | - port: 53 -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_cidr_is_none.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipblock-fields-test-none 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | tier: frontend 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | #none 16 | cidr: 17 | ports: 18 | - port: 53 19 | protocol: UDP -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_cidr_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipblock-fields-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | tier: frontend 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - ipBlock: 15 | # wrong type 16 | cidr: 17 | - 10.0.0.0/24 18 | ports: 19 | - port: 53 20 | protocol: UDP 
-------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/ipblock_empty.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipblock-test-empty 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | tier: frontend 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | # {} 15 | - ipBlock: {} 16 | - ports: 17 | - port: 53 18 | protocol: UDP -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_does_not_exist.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexp-key-test-exist 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | # existence test: the key field is missing, but every requirement must have one 10 | - operator: NotIn 11 | values: 12 | - helm 13 | policyTypes: 14 | - Ingress 15 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_has_no_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexp-key-test-none 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | # spare 10 | - key: 11 | operator: Exists 12 | - key: tier 13 | operator: Exists 14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: 
networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexp-key-test-null 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | #null 10 | - key: null 11 | operator: Exists 12 | - key: tier 13 | operator: Exists 14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-key-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | # wrong type 10 | - key: 11 | - app 12 | operator: Exists 13 | policyTypes: 14 | - Ingress 15 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_wrong_value_form.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexp-key-test-val 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: a/b/c 10 | operator: Exists 11 | - key: tier 12 | operator: Exists 13 | policyTypes: 14 | - Ingress 15 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_key_wrong_value_form2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexp-key-test-val2 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: -_abc.ABB; 10 | operator: Exists 11 | - key: tier 12 | operator: Exists 13 | policyTypes: 14 | - Ingress 15 | - Egress 
-------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_operator_has_no_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-operator-test-val 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: app 10 | #no value 11 | operator: 12 | - key: app 13 | operator: Exists 14 | - key: tier 15 | operator: Exists 16 | policyTypes: 17 | - Ingress 18 | - Egress 19 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_operator_missing.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-operator-test-missing 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: app 10 | # does not exist 11 | - key: app 12 | operator: Exists 13 | - key: tier 14 | operator: Exists 15 | policyTypes: 16 | - Ingress 17 | - Egress 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_operator_null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-operator-test-null 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: app 10 | # null 11 | operator: null 12 | - key: app 13 | operator: Exists 14 | - key: tier 15 | operator: Exists 16 | policyTypes: 17 | - Ingress 18 | - Egress 19 | -------------------------------------------------------------------------------- 
/tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_values_no_match_with_operator.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-values-test1 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | # non-empty values with operator DoesNotExist/Exists 10 | - key: tier 11 | operator: Exists 12 | values: 13 | - helm 14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_values_no_match_with_operator2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-values-test2 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | # empty values with In/NotIn 10 | - key: app 11 | operator: In 12 | policyTypes: 13 | - Ingress 14 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_values_wrong_form.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-values-test-form 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: app 10 | operator: NotIn 11 | # wrong form 12 | values: 13 | Abc-_. 
14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_values_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: matchexpressions-values-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchExpressions: 9 | - key: app 10 | operator: NotIn 11 | # wrong type: 12 | values: 13 | helm 14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: podselector-matchexpressions-test-keys 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | # wrong keys 9 | matchExpressions: 10 | - key: app 11 | operator: NotIn 12 | value: # values is the right key 13 | - helm 14 | policyTypes: 15 | - Ingress 16 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchexpressions_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: podselector-matchexpressions-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | # wrong type dict instead of array 9 | matchExpressions: 10 | key: app 11 | operator: Exists 12 | policyTypes: 13 | - Ingress 14 | - Egress -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchlabels_empty_value_label.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: podselector-matchlabels-test-empty 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | ingress: 14 | - from: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | egress: 18 | - to: 19 | - namespaceSelector: {} 20 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/matchlabels_wrong_value_label_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: podselector-matchlabels-test-val 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: 6 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | ingress: 14 | - from: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | egress: 18 | - to: 19 | - namespaceSelector: {} 20 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_does_not_exist.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | #no metadata section 4 | spec: 5 | podSelector: {} 6 | policyTypes: 7 | - Ingress 8 | - Egress 9 | ingress: 10 | - from: 11 | - namespaceSelector: {} 12 | podSelector: {} 13 | egress: 14 | - to: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_empty_map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | # {} 
4 | metadata: {} 5 | spec: 6 | podSelector: {} 7 | policyTypes: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - from: 12 | - namespaceSelector: {} 13 | podSelector: {} 14 | egress: 15 | - to: 16 | - namespaceSelector: {} 17 | podSelector: {} 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_is_null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | # null 4 | metadata: null 5 | spec: 6 | podSelector: {} 7 | policyTypes: 8 | - Ingress 9 | - Egress 10 | ingress: 11 | - from: 12 | - namespaceSelector: {} 13 | podSelector: {} 14 | egress: 15 | - to: 16 | - namespaceSelector: {} 17 | podSelector: {} 18 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_name_does_not_exist.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | # name does not exist 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | egress: 16 | - to: 17 | - namespaceSelector: {} 18 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_name_has_no_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | # name is empty 5 | name: 6 | namespace: kube-system 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | 
podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_name_null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | # name is null 5 | name: null 6 | namespace: kube-system 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_name_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | # name is an array 5 | name: 6 | - metadata-fields-test 7 | namespace: kube-system 8 | spec: 9 | podSelector: {} 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | ingress: 14 | - from: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | egress: 18 | - to: 19 | - namespaceSelector: {} 20 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_namespace_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: metadata-namespace-test-type 5 | # wrong type: 6 | namespace: 7 | - kube-system 8 | spec: 9 | podSelector: {} 10 | policyTypes: 11 | - Ingress 12 | - Egress 13 | ingress: 14 | - from: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | egress: 18 | - to: 19 | - namespaceSelector: {} 20 | podSelector: {} -------------------------------------------------------------------------------- 
/tests/k8s_testcases/network-policy-checks-bad-path/metadata_with_no_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | spec: 5 | podSelector: {} 6 | policyTypes: 7 | - Ingress 8 | - Egress 9 | ingress: 10 | - from: 11 | - namespaceSelector: {} 12 | podSelector: {} 13 | egress: 14 | - to: 15 | - namespaceSelector: {} 16 | podSelector: {} 17 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_wrong_form.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | # name includes _ 5 | name: metadata_name_test7 6 | namespace: kube-system 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | # wrong keys 4 | metadata: 5 | name: general-metadata-test 6 | namespaceSelector: {} 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/metadata_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: 
NetworkPolicy 3 | # wrong type (with - before each field): 4 | metadata: 5 | - name: metadata-test-type 6 | - namespace: kube-system 7 | spec: 8 | podSelector: {} 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/mixed_ipv4_cidr_ipv6_except.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipv4-cidr-ipv6-except 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - ipBlock: 13 | cidr: 0.0.0.0/0 # All destinations IPv4 14 | except: 15 | - a000:800::/32 16 | ports: 17 | - port: 53 18 | protocol: UDP 19 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/mixed_ipv6_cidr_ipv4_except.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ipv6-cidr-ipv4-except 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | ingress: 11 | - from: 12 | - ipBlock: 13 | cidr: ::/0 # All destinations IPv6 14 | except: 15 | - 172.21.0.0/16 16 | ports: 17 | - port: 53 18 | protocol: UDP 19 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/peer_podselector_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: peer-podselector-test-keys 5 | namespace: kube-system 6 | spec: 7 | 
podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | #wrong keys 15 | - podSelector: 16 | name: peer -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/peers_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: to-from-peer-test-keys 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | # wrong keys 18 | - from: 19 | - port: 44134 -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/port_wrong_label_form2.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: port-test-form2 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: abc-def12_ 19 | protocol: UDP 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/port_wrong_range.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: port-test-range 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: 0 19 | protocol: UDP 20 | 
-------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/port_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: port-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | # wrong type: port is given as a list instead of a number or a port name 19 | - port: 20 | - tbd 21 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/protocol_wrong_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: ports-protocol-test-value 5 | namespace: kube-system 6 | spec: 7 | podSelector: 8 | matchLabels: 9 | app: helm 10 | policyTypes: 11 | - Ingress 12 | ingress: 13 | - from: 14 | - podSelector: 15 | matchLabels: 16 | tier: frontend 17 | ports: 18 | - port: 44134 19 | # wrong value: HTTP is not a NetworkPolicy protocol (TCP, UDP or SCTP) 20 | protocol: HTTP -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_egress_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-egress-test-keys 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | # wrong keys: an egress rule takes 'to', not 'from' 16 | egress: 17 | - from: 18 | - namespaceSelector: { } 19 | podSelector: { } 20 |
/tests/k8s_testcases/network-policy-checks-bad-path/spec_egress_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-egress-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | # wrong type: egress is a map here, not a list of rules 16 | egress: 17 | to: 18 | - namespaceSelector: { } 19 | podSelector: { } -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_empty_map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: general-spec-test-empty 5 | namespace: kube-system 6 | # spec is {} 7 | spec: {} 8 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_ingress_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-ingress-test-keys 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | egress: 12 | - to: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | # wrong keys: an ingress rule takes 'from', not 'to' 16 | ingress: 17 | - to: 18 | - namespaceSelector: { } 19 | podSelector: { } -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_ingress_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-ingress-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | policyTypes: 9 | -
Ingress 10 | - Egress 11 | egress: 12 | - to: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | # wrong type: ingress is a map here, not a list of rules 16 | ingress: 17 | from: 18 | - namespaceSelector: { } 19 | podSelector: { } -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_podselector_does_not_exist.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-podselector-test-missing 5 | namespace: kube-system-dummy-to-ignore 6 | spec: 7 | # podSelector does not exist 8 | policyTypes: 9 | - Ingress 10 | - Egress 11 | ingress: 12 | - from: 13 | - namespaceSelector: {} 14 | podSelector: {} 15 | egress: 16 | - to: 17 | - namespaceSelector: {} 18 | podSelector: {} 19 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_podselector_has_no_value.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-podselector-test-no-val 5 | namespace: kube-system 6 | spec: 7 | # none: the podSelector key is present but has no value 8 | podSelector: 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_podselector_null.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-podselector-test-null 5 | namespace: kube-system 6 | spec: 7 | # null 8 | podSelector: null 9 | policyTypes: 10 | - Ingress 11 | - Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector:
{} 15 | podSelector: {} 16 | egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_policytypes_missing_ingress.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-policytypes-test-ingress 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | # policyTypes lists only Egress, but the spec has an ingress section: 9 | policyTypes: 10 | - Egress 11 | ingress: 12 | - from: 13 | - ipBlock: 14 | cidr: 172.17.0.0/16 15 | except: 16 | - 172.17.1.0/24 -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_policytypes_wrong_type.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: spec-policytypes-test-type 5 | namespace: kube-system 6 | spec: 7 | podSelector: {} 8 | # wrong type: policyTypes is written without list dashes, so it is a plain string rather than a list 9 | policyTypes: 10 | Ingress 11 | Egress 12 | ingress: 13 | - from: 14 | - namespaceSelector: { } 15 | podSelector: { } 16 | egress: 17 | - to: 18 | - namespaceSelector: { } 19 | podSelector: { } 20 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_wrong_keys.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: general-spec-test-keys 5 | namespace: kube-system 6 | # wrong keys: name and namespace are not valid under spec 7 | spec: 8 | podSelector: {} 9 | name: general_spec_test 10 | namespace: kube-system 11 | -------------------------------------------------------------------------------- /tests/k8s_testcases/network-policy-checks-bad-path/spec_wrong_type.yaml:
-------------------------------------------------------------------------------- 1 | apiVersion: networking.k8s.io/v1 2 | kind: NetworkPolicy 3 | metadata: 4 | name: general-spec-test-type 5 | namespace: kube-system 6 | # wrong type 7 | spec: 8 | - podSelector: {} 9 | - policyTypes: 10 | - Ingress 11 | - Egress 12 | - ingress: 13 | - from: 14 | - namespaceSelector: {} 15 | podSelector: {} 16 | - egress: 17 | - to: 18 | - namespaceSelector: {} 19 | podSelector: {} 20 | --------------------------------------------------------------------------------