Releases: np-guard/network-config-analyzer
Release v2.1.0
What's Changed
- Added a script for collecting resources from a live cluster into yamls by @adisos in #142
- Update supported istio resources api version + small parser bug fix by @adisos in #136
- Allow duplicate policies (ignore newer) by @zivnevo in #143
- Add to Manifest a JavaScript file, needed for interactivity by @zivnevo in #135
- Fix faulty file-path in warning by @zivnevo in #144
- Restore testing on a live cluster by @zivnevo in #111
- Tiny fix to README.md by @zivnevo in #134
- Bump lxml from 5.2.2 to 5.3.0 by @dependabot in #101
- Bump ghapi from 1.0.5 to 1.0.6 by @dependabot in #115
- Bump pyyaml from 6.0.1 to 6.0.2 by @dependabot in #102
Full Changelog: v2.0.1...v2.1.0
Release v2.0.1
What's Changed
- Permits and Forbids queries will now only consider the endpoints discovered by the base network config and will filter-out automatically-added resources (e.g., ingress controller and DNS server) by @tanyaveksler in #64
- Set user email when creating release tag to prevent git error by @zivnevo in #44
Full Changelog: v2.0.0...v2.0.1
v2.0.0
Changes in this release:
- The internal data structure for representing the network graph was much optimized, yielding significant runtime speedups (in some cases >10x)
- New HTML output format allows presenting interactive graphs. Double clicking an endpoint on the graph hides all endpoints not connected to the selected endpoint. Clicking a source endpoint, then a destination endpoint, provides more details on why the two are connected/disconnected. In particular, which network policies are involved in this decision.
- Support for Istio's Egress Gateway
- Upgrade to Python 3.9
v1.9.6
v1.9.5
Changes in this Release:
- Two more queries, `interferes` and `pairwiseInterferes`, can now benefit from optimized mode (run with `-opt=true`).
- Bug fix: rarely, some diffs were not reported by the `semanticDiff` query
- Bug fix: Issue #569 - some warnings printed to `stdout` instead of `stderr`
- Bug fix: Issue #573 - crash when hitting an illegal JSON file
v1.9.4
v1.9.3
Changes in this Release:
- Many improvements to the generated graphviz-based graph:
  - Endpoints sharing the same connectivity and the same namespace are grouped together to reduce the total number of edges.
  - If the graph contains a large-enough set of endpoints, in which each pair of endpoints is connected in exactly the same way, a Clique node will be created, and all endpoints in the set will connect to this (meta-)node. This also reduces the total number of edges.
  - If the graph contains two large-enough sets of endpoints A and B, where the allowed connectivity from any endpoint in A to any endpoint in B is the same, a Bi-Clique node will be created, and every endpoint in A will connect to this (meta-)node, and the Bi-Clique will connect to every node in B.
  - Labels on edges are shortened, and a legend explains what each shortening means.
- Explainability: A new flag, `--explain`, appends to connectivity reports the exact set of resources that take part in setting the allowed connectivity between endpoints. Such an explanation can be provided for the connectivity between a given set of endpoints, e.g., `--explain default/Pod1[Pod],ns2/deployment-D[Deployment]`, or between every pair of endpoints by specifying `--explain ALL`.
- Istio traffic management: Supporting ServiceEntries as hosts in the spec of Sidecar egress.
- Improved performance via a new data-structure. This is currently under a feature flag: `-opt=true`.
- Graphviz added to docker images
- Various bug fixes
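An added illustration of the Clique and Bi-Clique edge reduction described in the v1.9.3 notes (example code, not nca's own implementation): endpoints whose pairwise connectivity is identical collapse behind one Clique meta-node, and two sets with uniform A-to-B connectivity collapse behind one BiClique meta-node. The sample edges, pod names and the "large enough" threshold of 3 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample: (src, dst) -> allowed-connection label. Names are invented.
NS1, NS2 = ("ns1/a", "ns1/b", "ns1/c"), ("ns2/x", "ns2/y", "ns2/z")
EDGES = {(u, v): "TCP 80" for u in NS1 for v in NS1 if u != v}   # pairwise alike: a clique
EDGES.update({(u, w): "TCP 443" for u in NS1 for w in NS2})      # all ns1 -> all ns2: a bi-clique
EDGES[("ns2/x", "ns1/a")] = "TCP 8080"                           # stray edge that must survive

def find_cliques(edges, min_size=3):
    """Greedily collect sets of >= min_size endpoints whose every ordered pair shares one label."""
    nodes = sorted({n for e in edges for n in e})
    cliques, used = [], set()
    for (u, v), label in sorted(edges.items()):
        if u in used or v in used or edges.get((v, u)) != label:
            continue                      # not symmetric with the same label: cannot seed a clique
        members = {u, v}
        for w in nodes:
            if w not in members and w not in used and all(
                    edges.get((w, m)) == label == edges.get((m, w)) for m in members):
                members.add(w)
        if len(members) >= min_size:      # assumed threshold; nca's real cutoff may differ
            cliques.append((label, frozenset(members)))
            used |= members
    return cliques

def find_bicliques(edges, min_size=3):
    """Sources with an identical (label, target set) form side A; those targets form side B.
    Simplification: a source with extra targets under the same label is not merged."""
    targets = defaultdict(set)            # (src, label) -> dsts
    for (u, v), label in edges.items():
        targets[(u, label)].add(v)
    groups = defaultdict(set)             # (label, frozenset(dsts)) -> srcs
    for (u, label), dsts in targets.items():
        groups[(label, frozenset(dsts))].add(u)
    return [(label, frozenset(srcs), dsts) for (label, dsts), srcs in groups.items()
            if len(srcs) >= min_size and len(dsts) >= min_size]

def collapse(edges, min_size=3):
    """Return a copy of edges where clique/bi-clique edges go through one meta-node instead."""
    reduced = dict(edges)
    found = [(label, m, m, "Clique[%s]" % label) for label, m in find_cliques(edges, min_size)]
    found += [(label, a, b, "BiClique[%s]" % label) for label, a, b in find_bicliques(edges, min_size)]
    for label, srcs, dsts, meta in found:
        for u in srcs:
            for v in dsts:
                reduced.pop((u, v), None)
            reduced[(u, meta)] = label    # every source now points at the meta-node
        for v in dsts - srcs:
            reduced[(meta, v)] = label    # bi-clique only: the meta-node reaches side B
    return reduced
```

On the constructed input the 16 original edges shrink to 10: three into the Clique, three into and three out of the BiClique, plus the untouched stray edge.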
v1.9.2
Changes in this Release:
- Reporting much simpler regular expressions in connectivity reports and in connectivity-diff reports
- Adding the `jpeg` format to the list of allowed formats for connectivity reports (when using the `--output_format` command-line flag or the `outputConfiguration.outputFormat` scheme object). This will automatically convert a `dot` graph to a jpeg image file. Requires GraphViz to be preinstalled and `PATH` to include its `bin` directory.
- Fixed: Exit code should be 7 if a handled exception made it to `nca_main`
- Added OpenSSF Scorecard badge to repo
- Removed dependency on `ruamel.yaml`
- Minor bug fixes
v1.9.1
v1.9.0
Changes in this Release:
- Most queries can now output their results in JSON/YAML formats. In a scheme file set `outputConfiguration.outputFormat` to either `json` or `yaml`. From the command-line, use the `-o` flag with either the `json` or `yaml` value.
- Query results will no longer refer to IPv6 address space, unless there are network-connectivity resources (e.g., NetworkPolicy) that explicitly refer to such addresses. To force including IPv6 addresses in query results, use the `--print_ipv6` command line flag. Alternatively, set `outputConfiguration.excludeIPv6Range` to `false` in your scheme file.
- Improved connectivity-map output whenever Istio resources are present. Two connectivity maps will be produced now: one for TCP connections and another one for all other protocols.
- Improved usability for shift-left analysis: when policies refer to certain resources missing from the input config, check if they can be added to enable the analysis. This takes into account resources that are usually visible in a live cluster mode: Ingress-controller pod, Istio ingress gateway pod, and kube-dns pod. Documentation is available here.
- Queries will not execute if there are no endpoints in a given network configuration. An error message is printed in such a case.
- Removed support for running as a REST-API server (the `--daemon` flag). Instead, use nca-rest-server.
- Not printing back-trace on errors such as syntax errors.
- Avoiding crash on a malformed yaml
- Avoiding crash in the presence of helm charts if the `helm` executable cannot be found.
- Handle YAML files with UTF-8 characters
- Ingress resource parsing: issue warning instead of error when the service referenced by a backend is missing
- Query all-captured output: consider Istio layer as well