analyze: start parsing anps and banp from kube server or path

[Peac36]

Issue: #201

@huntergregory - As the requester of the issue can you review the PR?

---

Notes:

• Change the GetNetworkPoliciesInNamespaces function to accept context as the first argument.
• Introduce GetAdminNetworkPoliciesInNamespace and GetBaseAdminNetworkPoliciesInNamespace methods
• Use concurrency to get NetworkPolicies, ANPs, and BANP.
• In case BANP is fetched from multiple sources(kube server or path). The latest successful fetch would be used.

Questions:

I wasn't sure if I could add a flag for context timeout so I hardcode it for now. No problem to add if you don't see a problem with that.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Peac36
Once this PR has been reviewed and has the lgtm label, please assign huntergregory for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• cmd/policy-assistant/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @Peac36. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[netlify]

✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name	Link
🔨 Latest commit	2adcf15
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/66c57a726388d10008fc69e0
😎 Deploy Preview	https://deploy-preview-239--kubernetes-sigs-network-policy-api.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[huntergregory]

Thank you @Peac36 ! This is a huge help, solving a large missing piece for policy-assistant.

For getting policies from API Server, could we check if ANP/BANP resources are defined before trying to get them? If they do exist, I think it would be more natural to have a panic/fatal if a GET call fails.

Also I'm not sure we need to optimize with concurrent GET calls but wdyt? If we use concurrency, could we simplify that code with sync.WaitGroup or errgroup.Group?

Otherwise, had some thoughts about the k8s interface and miscellaneous nitpicks.

[Peac36]

For getting policies from API Server, could we check if ANP/BANP resources are defined before trying to get them?

Can you help me with this ? I can not find a way to achieve this. I guess I need to check if ANP and BANP are registered in api-server as CRD but couldn't find a clientset method that can achieve that.
The only way I found was by using a hardcoded URI to the API server.

Also I'm not sure we need to optimize with concurrent GET calls but wdyt?

As the user of the command, I should expect to see the information as fast as possible. Till now we executed only one request to the server which was fine, but now we add 2 more or even more. Imagine the kube api-server is slow to respond - it takes about 5 seconds to return a response. So if we run these three requests sequentially - it would take about 15 seconds in which the client will not see anything on the screen. On the other side with concurrency, we might get the result much faster which I'm sure would make the user much happier.

If we use concurrency, could we simplify that code with sync.WaitGroup or errgroup.Group?

Yeah, sure, I'll need more time to test it.

[huntergregory]

/ok-to-test

[huntergregory]

For getting policies from API Server, could we check if ANP/BANP resources are defined before trying to get them?

Can you help me with this ? I can not find a way to achieve this. I guess I need to check if ANP and BANP are registered in api-server as CRD but couldn't find a clientset method that can achieve that. The only way I found was by using a hardcoded URI to the API server.

I’m not sure off the top of my head, but perhaps there’s an equivalent to kubectl get resources, or get crds? Otherwise, maybe there’s a certain error type returned from kubectl get adminnetworkpolicies when anp doesn’t exist.

[Peac36]

I’m not sure off the top of my head, but perhaps there’s an equivalent to kubectl get resources, or get crds? Otherwise, maybe there’s a certain error type returned from kubectl get adminnetworkpolicies when anp doesn’t exist.

Ok, I found it. DiscoveryClient can get us all registered resources.

I'm ready with the PR, but want to test it more. Do you know where I can find the latest CRD?. The ones in the project seem to be outdated and using one of the example policies yields following error:

panic: invalid admin peer: must have exactly one of NamespaceSelector, SameLabels, or NotSameLabels

[huntergregory]

Ok, I found it. DiscoveryClient can get us all registered resources.

I'm ready with the PR, but want to test it more. Do you know where I can find the latest CRD?. The ones in the project seem to be outdated and using one of the example policies yields following error:

panic: invalid admin peer: must have exactly one of NamespaceSelector, SameLabels, or NotSameLabels

Nice find! For creating (B)ANPs, can you try this if you haven't already:

• Go to this repo's Releases and apply the latest install.yaml. As of today, that is: kubectl apply -f https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.1.1/install.yaml

The latest CRD is encoded in that install.yaml. I'm also adding some new example (B)ANPs in #245 under examples/.

EDIT: assuming you were looking at https://network-policy-api.sigs.k8s.io/getting-started/ ?
Curious which example policy you were using which gave the above panic? That panic is the correct behavior (or at least the error message is correct).

[Peac36]

Ok, I found it. DiscoveryClient can get us all registered resources.
I'm ready with the PR, but want to test it more. Do you know where I can find the latest CRD?. The ones in the project seem to be outdated and using one of the example policies yields following error:

panic: invalid admin peer: must have exactly one of NamespaceSelector, SameLabels, or NotSameLabels

Nice find! For creating (B)ANPs, can you try this if you haven't already:

• Go to this repo's Releases and apply the latest install.yaml. As of today, that is: kubectl apply -f https://github.com/kubernetes-sigs/network-policy-api/releases/download/v0.1.1/install.yaml

The latest CRD is encoded in that install.yaml. I'm also adding some new example (B)ANPs in #245 under examples/.

EDIT: assuming you were looking at https://network-policy-api.sigs.k8s.io/getting-started/ ? Curious which example policy you were using which gave the above panic? That panic is the correct behavior (or at least the error message is correct).

For resource definitions : https://github.com/kubernetes-sigs/network-policy-api/tree/main/config/crd
Example from here: https://github.com/kubernetes-sigs/network-policy-api/tree/main/conformance/base

---

I'm ready with the PR, feel free to look through it.

[huntergregory]

Thanks @Peac36 for making those changes and thanks for adding all those nice example policies. I have some minor requests, then I think we can merge

[Peac36]

@huntergregory - Thanks for the feedback. The issues have been addressed.