Releases: IBM/network-config-analyzer
Release v1.7.1
Changes in this Release:
- Fixing a crash when running `nca --version`.
Release v1.7.0
Changes in this Release:
- A new output-configuration flag, `fullExplanation`, allows printing ALL connections/endpoints that explain why a query fails. This flag is only available when using scheme files. See here
Release v1.6.0
Changes in this Release:
- Support for helm charts - whenever a `Chart.yaml` file is encountered while scanning a directory, NCA will run `helm template` to resolve template YAML files in subdirectories. This requires `helm` to be installed locally.
- Initial support for Istio ingress control, using the Gateway and VirtualService resources. See details here.
- Initial support for Istio egress control using Sidecar resources. See details here.
- Added support for `namespaceSelector` in the spec of Calico's `GlobalNetworkPolicy`
- Running `nca --version` prints the current NCA version.
- Bug fix: Avoid recursive scanning of input directories in the Scheme file, unless they are suffixed with `/**`.
- Enhancing Docker image security and reducing the number of its layers.
- Restructured source tree to ease navigation and to create standalone packages.
Release v1.5.0
Changes in this Release:
- Multi-layer analysis: When provided with the right files, NCA may now consider a combined connectivity graph as defined by Kubernetes resources, Calico resources and Istio resources. Note that some of the queries (e.g., redundancy) report results layer by layer, while others (e.g., connectivity) will consider the combined connectivity graph.
- New settings were added to focus connectivity query on just a subset of the cluster endpoints. The command-line arguments `--deployment_subset`, `--namespace_subset` and `--label_subset` allow focusing by deployment names, namespace names and deployment labels, respectively.
- Setting the `kubernetes.io/metadata.name` label on all namespaces (as defined in Kubernetes 1.22 spec).
- Fixing a bug when referring to paths like `./` or `../`
- Calico support is now limited to K8s environments only. Assuming existence of Calico default profiles for all namespaces.
- Calico Profiles: removed support for deprecated fields `ingress` and `egress`. Supporting only `labelsToApply` field.
- Return value update: a command-line query with return value greater than 3 indicates that the query could not be executed.
- New field for Scheme files: `expectedNotExecuted`, to specify the number of input configs/config pairs that the query is not expected to be run on.
Release v1.4.2
Changes in this Release:
- Supporting the analysis of a combination of K8s and Calico network policies. This allows, for example, producing a combined connectivity graph for both the Calico layer and the Kubernetes layer.
- Caching of DFA operations and binary search in CanonicalIntervalSet significantly improve performance in many cases (up to x5).
- Allowing (but ignoring) `status` field in K8s NetworkPolicies to align with Kubernetes 1.24.
- The file `VERSION.txt` is now the single source-of-truth for NCA version number
Release v1.4.1
Changes in this Release:
- Allowing Calico GlobalNetworkPolicies with `applyOnForward` and `preDNAT` set to `true` (but issuing a warning that these cases are not handled well)
- Fixing an issue with closing files
Release v1.4.0
Changes in this Release:
- Support for K8s `Ingress` resource. Currently this only works with nginx-type Ingress Controllers. When deployed, the `Ingress` resource can further limit TCP traffic from the Ingress Controller Pod to other pods. The input resources list should include the K8s Service and Ingress resources, in addition to Pods/Deployments, Namespaces, NetworkPolicy resources.
- New command-line flags, `--resource_list` and `--base_resource_list` allow specifying the location of namespaces, endpoints and network policies using just one (or two) switches. This can replace the need to specify separately the location of network policies (`--<query>`), the location of endpoints (`--pod_list`) and the location of namespaces (`--ns_list`) if they are all the same location. Similarly, a new scheme file key `resourceList` was added, which can replace the more specific keys `namespaceList`, `podList`, `networkPolicyList`.
- In most connectivity reports, when allowed ports for TCP and for UDP intersect, the intersection will appear as `TCP+UDP: <list of common allowed ports>`.
- An updated `README.md` file
Release v1.3.1
Changes in this Release:
- Istio support: Added support for Authorization Policies with principals/namespaces containing `*`
- Istio support: Added a warning for ignoring specified principals that do not exist in the input topology.
- Base docker image is now `python-slim` rather than `python-alpine`
- NCA is now available from PyPI: `pip install network-config-analyzer`
- Support for GitHub URLs that refer to RAW file content.
- Defined two Tekton tasks to run NCA connectivity and diff queries (see the `tekton` sub directory in this project)
- A new CLI flag `--connectivity_by_deployments` and a matching scheme option allow referring to workloads rather than to pods on some queries.
- Can now define expected output in scheme files
- Simplified entries in connectivity and diff reports
- Referring to all standard protocols by name rather than by number
- Allow reading a YAML file with separate endpoints (not inside some list)
- Fixed an issue with missing CIDRs in some reports
- Fixed an issue with recursive scanning of a git repo
Release v1.3.0
Changes in this Release:
- Improved support for Istio AuthorizationPolicies (see here)
- Properly supporting IPv6
- Looking for NetworkPolicy resources also in json files
- Allow defining multiple resources for pod list and for namespace list (e.g., multiple `--pod_list` in the command-line).
- No longer supporting Python 3.7. Requiring Python 3.8 or above.
Release v1.2.0
Changes in this Release:
- Initial (incomplete) support for Istio AuthorizationPolicies
- Firewall-rules-style reports will use complementary sets if shorter