Releases: IBM/network-config-analyzer

Release v1.7.1

06 Oct 09:31
b9059fe

Changes in this Release:

  • Fixing a crash when running nca --version.

Release v1.7.0

06 Oct 08:37
370c477

Changes in this Release:

  • A new output-configuration flag, fullExplanation, allows printing ALL connections/endpoints that explain why a query fails. This flag is only available when using scheme files. See here

Release v1.6.0

22 Sep 08:13
238cc43

Changes in this Release:

  • Support for helm charts - whenever a Chart.yaml file is encountered while scanning a directory, NCA will run helm template to resolve template YAML files in subdirectories. This requires helm to be installed locally.
  • Initial support for Istio ingress control, using the Gateway and VirtualService resources. See details here.
  • Initial support for Istio egress control using Sidecar resources. See details here.
  • Added support for namespaceSelector in the spec of Calico's GlobalNetworkPolicy
  • Running nca --version prints the current NCA version.
  • Bug fix: Avoid recursive scanning of input directories in the Scheme file, unless they are suffixed with /**.
  • Enhancing Docker image security and reducing the number of its layers.
  • Restructured source tree to ease navigation and to create standalone packages.

Release v1.5.0

11 Aug 08:54
8b2fe5e

Changes in this Release:

  • Multi-layer analysis: When provided with the right files, NCA may now consider a combined connectivity graph as defined by Kubernetes resources, Calico resources and Istio resources. Note that some of the queries (e.g., redundancy) report results layer by layer, while others (e.g., connectivity) will consider the combined connectivity graph.
  • New settings were added to focus a connectivity query on just a subset of the cluster endpoints. The command-line arguments --deployment_subset, --namespace_subset and --label_subset allow focusing by deployment names, namespace names and deployment labels, respectively.
  • Setting the kubernetes.io/metadata.name label on all namespaces (as defined in Kubernetes 1.22 spec).
  • Fixing a bug when referring to paths like ./ or ../
  • Calico support is now limited to K8s environments only. Assuming existence of Calico default profiles for all namespaces.
  • Calico Profiles: removed support for the deprecated fields ingress and egress. Supporting only the labelsToApply field.
  • Return value update: a command-line query with return value greater than 3 indicates that the query could not be executed.
  • New field for Scheme files: expectedNotExecuted, to specify the number of input configs/config pairs that the query is not expected to be run on.

Release v1.4.2

29 Jun 06:10
dec03ef
Compare
Choose a tag to compare

Changes in this Release:

  • Supporting the analysis of a combination of K8s and Calico network policies. This allows, for example, producing a combined connectivity graph for both the Calico layer and the Kubernetes layer.
  • Caching of DFA operations and binary search in CanonicalIntervalSet significantly improve performance in many cases (up to x5).
  • Allowing (but ignoring) status field in K8s NetworkPolicies to align with Kubernetes 1.24.
  • The file VERSION.txt is now the single source-of-truth for NCA version number

Release v1.4.1

15 Jun 12:28
2dd0091
Compare
Choose a tag to compare

Changes in this Release:

  • Allowing Calico GlobalNetworkPolicies with applyOnForward and preDNAT set to true (but issuing a warning that these cases are not handled well)
  • Fixing an issue with closing files

Release v1.4.0

08 Jun 11:14
df3d9fd
Compare
Choose a tag to compare

Changes in this Release:

  • Support for K8s Ingress resource. Currently this only works with nginx-type Ingress Controllers. When deployed, the Ingress resource can further limit TCP traffic from the Ingress Controller Pod to other pods. The input resources list should include the K8s Service and Ingress resources, in addition to Pods/Deployments, Namespaces, NetworkPolicy resources.
  • New command-line flags, --resource_list and --base_resource_list allow specifying the location of namespaces, endpoints and network policies using just one (or two) switches. This can replace the need to specify separately the location of network policies (--<query>), the location of endpoints (--pod_list) and the location of namespaces (--ns_list) if they are all the same location.
    Similarly, a new scheme file key resourceList was added, which can replace the more specific keys namespaceList, podList, networkPolicyList.
  • In most connectivity reports, when allowed ports for TCP and for UDP intersect, the intersection will appear as 'TCP+UDP: <list of common allowed ports>'.
  • An updated README.md file

Release v1.3.1

25 May 13:08
9c59e33

Changes in this Release:

  • Istio support: Added support for Authorization Policies with principals/namespaces containing *
  • Istio support: Added a warning for ignoring specified principals that do not exist in the input topology.
  • Base docker image is now python-slim rather than python-alpine
  • NCA is now available from PyPI: pip install network-config-analyzer
  • Support for GitHub URLs that refer to RAW file content.
  • Defined two Tekton tasks to run NCA connectivity and diff queries (see the tekton subdirectory in this project)
  • A new CLI flag --connectivity_by_deployments and a matching scheme option allow referring to workloads rather than to pods on some queries.
  • Can now define expected output in scheme files
  • Simplified entries in connectivity and diff reports
  • Referring to all standard protocols by name rather than by number
  • Allow reading a YAML file with separate endpoints (not inside some list)
  • Fixed an issue with missing CIDRs in some reports
  • Fixed an issue with recursive scanning of a git repo

Release v1.3.0

22 Dec 07:24
366437b

Changes in this Release:

  • Improved support for Istio AuthorizationPolicies (see here)
  • Properly supporting IPv6
  • Looking for NetworkPolicy resources also in json files
  • Allow defining multiple resources for pod list and for namespace list (e.g., multiple --pod_list in the command-line).
  • No longer supporting Python 3.7. Requiring Python 3.8 or above.

Release v1.2.0

06 Oct 09:56
b04e06d

Changes in this Release:

  • Initial (incomplete) support for Istio AuthorizationPolicies
  • Firewall-rules-style reports will use complementary sets if shorter