[RHACS] Added docs for explanations feature #95065
Open
+112
−1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gaurav-nelson
added
RHACS
openshift-ci
bot
added
the
size/L
|
🤖 Thu Jun 26 11:51:34 - Prow CI generated the docs preview: https://95065--ocpdocs-pr.netlify.app/ |
gaurav-nelson
added
the
peer-review-needed
gaurav-nelson
commented
Jun 23, 2025
modules/retrieving-connectivity-mapping-information-from-a-kubernetes-manifest-directory.adoc
Outdated
Show resolved
Hide resolved
gaurav-nelson
commented
Jun 23, 2025
modules/retrieving-connectivity-mapping-information-from-a-kubernetes-manifest-directory.adoc
Outdated
Show resolved
Hide resolved
gaurav-nelson
commented
Jun 23, 2025
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="retrieving-explanations_{context}"] | ||
| = Retrieving explanations |
There was a problem hiding this comment.
question: Can we simplify this word. Get or Fetch maybe?
There was a problem hiding this comment.
I think we can leave it as it is.
gaurav-nelson
removed
the
peer-review-needed
adisos
suggested changes
Jun 23, 2025
modules/retrieving-connectivity-mapping-information-from-a-kubernetes-manifest-directory.adoc
Outdated
Show resolved
Hide resolved
modules/retrieving-connectivity-mapping-information-from-a-kubernetes-manifest-directory.adoc
Show resolved
Hide resolved
adisos
reviewed
Jun 23, 2025
gaurav-nelson
force-pushed
the
ROX-25000-np-guard-explainability
branch
from
bc60026 to
8d264c0
Compare
gaurav-nelson
added
the
peer-review-needed
gaurav-nelson
commented
Jun 25, 2025
Comment on lines
+16
to
+18
| |`--explain` | ||
| |Enhance the analysis of permitted connectivity with explanations per denied/allowed connection; supported only for txt output format. | ||
|
|
There was a problem hiding this comment.
Note: For peer review, please ignore this change. It is the actual output from the CLI tool.
There was a problem hiding this comment.
Question about this change:
why can't I see this update in the link for the table options here?
Also, why in this link the --exposure option exists, but not in the table of this changed file?
There was a problem hiding this comment.
Thank you @adisos this was an older file which we don't use anywhere. I've updated the correct file n my recent commit to fix it.
adisos
reviewed
Jun 26, 2025
Comment on lines
+16
to
+18
| |`--explain` | ||
| |Enhance the analysis of permitted connectivity with explanations per denied/allowed connection; supported only for txt output format. | ||
|
|
There was a problem hiding this comment.
Question about this change:
why can't I see this update in the link for the table options here?
Also, why in this link the --exposure option exists, but not in the table of this changed file?
agantony
added
peer-review-in-progress
gaurav-nelson
force-pushed
the
ROX-25000-np-guard-explainability
branch
from
8d264c0 to
0698656
Compare
agantony
reviewed
Jun 26, 2025
| @@ -49,3 +49,7 @@ Each line is composed of the following elements: | |||
| * `conn`:: Represents the permissible connectivity attributes. | |||
| An endpoint follows the format `namespace/name[Kind]`. For example, `default/backend[Deployment]`. | |||
|
|
|||
| Additionally, you can also use the `--explain` option with the `roxctl netpol connectivity map` command to see which policies and rules are responsible for allowing or denying specific connections. | |||
There was a problem hiding this comment.
Suggested change
| Additionally, you can also use the `--explain` option with the `roxctl netpol connectivity map` command to see which policies and rules are responsible for allowing or denying specific connections. | |
| Opional: To see which policies and rules are responsible for allowing or denying specific connections, you can use the `--explain` option with the `roxctl netpol connectivity map` command. |
There was a problem hiding this comment.
| @@ -49,3 +49,7 @@ Each line is composed of the following elements: | |||
| * `conn`:: Represents the permissible connectivity attributes. | |||
| An endpoint follows the format `namespace/name[Kind]`. For example, `default/backend[Deployment]`. | |||
|
|
|||
| Additionally, you can also use the `--explain` option with the `roxctl netpol connectivity map` command to see which policies and rules are responsible for allowing or denying specific connections. | |||
| The output is useful for debugging network policy configurations. | |||
There was a problem hiding this comment.
Suggested change
| The output is useful for debugging network policy configurations. | |
| You can use the output to debug network policy configurations. |
|
|
||
| Additionally, you can also use the `--explain` option with the `roxctl netpol connectivity map` command to see which policies and rules are responsible for allowing or denying specific connections. | ||
| The output is useful for debugging network policy configurations. | ||
| For more information on understanding the explanation output, see "Retriving explanations" section. |
There was a problem hiding this comment.
Suggested change
| For more information on understanding the explanation output, see "Retriving explanations" section. | |
| For more information about understanding the explanation output, see "Retriving explanations". |
There was a problem hiding this comment.
|
|
||
| :_mod-docs-content-type: PROCEDURE | ||
| [id="retrieving-explanations_{context}"] | ||
| = Retrieving explanations |
There was a problem hiding this comment.
I think we can leave it as it is.
| = Retrieving explanations | ||
|
|
||
| [role="_abstract"] | ||
| Understand why connections are allowed or denied based on your Kubernetes network policy rules. |
There was a problem hiding this comment.
Suggested change
| Understand why connections are allowed or denied based on your Kubernetes network policy rules. | |
| You can understand why connections are allowed or denied based on your Kubernetes network policy rules by retrieving the explanations. |
Comment on lines
+46
to
+48
| In this example: | ||
|
|
||
| The connection from `monitoring/monitoring-service` to `internal-apps/internal-app-a` is allowed by the combination of ANP `pass-monitoring` that applies broadly on all namespaces with the label `security: internal` and a more specific NP `internal-apps/allow-monitoring` tailored for `internal-app-a`. The output shows that multiple policies can contribute to allowing a connection. |
There was a problem hiding this comment.
Suggested change
| In this example: | |
| The connection from `monitoring/monitoring-service` to `internal-apps/internal-app-a` is allowed by the combination of ANP `pass-monitoring` that applies broadly on all namespaces with the label `security: internal` and a more specific NP `internal-apps/allow-monitoring` tailored for `internal-app-a`. The output shows that multiple policies can contribute to allowing a connection. | |
| In this example, the combination of ANP `pass-monitoring` allows the connection from `monitoring/monitoring-service` to `internal-apps/internal-app-a` that applies broadly on all namespaces with the label `security: internal` and a more specific NP `internal-apps/allow-monitoring` tailored for `internal-app-a`. The output shows that multiple policies can contribute to allowing a connection. |
| [discrete] | ||
| == Example blocked connections | ||
|
|
||
| Consider an isolated data service `isolated-data-service` which is designed to deny all external access by default for security reasons. |
There was a problem hiding this comment.
Suggested change
| Consider an isolated data service `isolated-data-service` which is designed to deny all external access by default for security reasons. | |
| Consider an isolated data service `isolated-data-service` which denies all external access by default for security reasons. |
|
|
||
| Consider an isolated data service `isolated-data-service` which is designed to deny all external access by default for security reasons. | ||
|
|
||
| You can see the YAML manifest for this example at link:https://github.com/np-guard/netpol-analyzer/tree/7ab6bbd421d3d80cbfff7cd1529ff8caf0137fbc/tests/anp_banp_explain_demo_2[`netpol-analyzer/tests/anp_banp_explain_demo_2/`]. |
|
|
||
| You can see the YAML manifest for this example at link:https://github.com/np-guard/netpol-analyzer/tree/7ab6bbd421d3d80cbfff7cd1529ff8caf0137fbc/tests/anp_banp_explain_demo_2[`netpol-analyzer/tests/anp_banp_explain_demo_2/`]. | ||
|
|
||
| The explainability output for blocked connections from the `monitoring-service` deployment to this workload shows: |
There was a problem hiding this comment.
Suggested change
| The explainability output for blocked connections from the `monitoring-service` deployment to this workload shows: | |
| When you run the `roxctl netpol connectivity map --explain` command, you can see the following example explainability output for allowed connections from the `monitoring-service` deployment for such a configuration: |
| BaselineAdminNetworkPolicy 'default' denies connections by Ingress rule deny-ingress-from-monitoring | ||
| ---- | ||
|
|
||
| In this example, the connection to `data/isolated-data-service` is blocked by a combination of ANP with Pass action, and of BANP that denies all connections from `monitoring` by default. |
There was a problem hiding this comment.
Suggested change
| In this example, the connection to `data/isolated-data-service` is blocked by a combination of ANP with Pass action, and of BANP that denies all connections from `monitoring` by default. | |
| In this example, a combination of ANP with Pass action blocks the connection to `data/isolated-data-service`, and of BANP that denies all connections from `monitoring` by default. |
There was a problem hiding this comment.
The ANP with Pass action does not block the connection, it only delegates the decision to the next policies layer, which in this case is the BANP. I would keep the original wording, that the combination of ANP with BANP results in a blocked connection for this case.
agantony
added
peer-review-done
|
@gaurav-nelson: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
For https://issues.redhat.com/browse/ROX-29787
Added documentation for the new explainability feature.
Cherrypick in
rhacs-docs-4.8.Preview: