feat(operator): east-west context provider — identity MMDB + deltas (per-pod, labels), declared-edge deltas#47
Merged
…vice-graph-api A leader-elected producer (--graph-producer) that uploads workload identities + NetworkPolicy declared edges to service-graph-api over REST, which writes them into the Apache AGE service_graph. The operator stays REST-only (no DB), mirroring the Identity/Edge producers. Extracts the NetworkPolicy walk into a shared walkPolicyEdges helper so buildEdgeDoc (agent allow-list) and the graph producer derive edges from one interpretation (buildEdgeDoc output unchanged). Content-hash gated full snapshot; stdlib-only (no new deps).
…ontrol-plane) The GraphProducer now derives node classification from pure Kubernetes state and sends it on each workload vertex:
- internet_exposed: pod selected by a LoadBalancer/NodePort Service, or by a Service referenced from an Ingress backend
- control_plane: kube-system, or a named core component (apiserver/etcd/...)
- role: derived (control-plane > internet-exposed > internal)
Lists Services + Ingresses (RBAC added, read-only); failures degrade gracefully (identities + declared edges still upload). Unit-tested.
…nents Was painting all of kube-system control-plane. Now matches only the actual control plane by name (kube-apiserver / etcd / kube-controller-manager / kube-scheduler / cloud-controller-manager / ccm); add-ons like cert-manager, CNI, autoscalers, DNS, kube-proxy are internal.
… drop GraphProducer The operator no longer builds/writes the service graph (that moves to the Synapse agent so it works on-prem). It stays a k8s-context provider:
- IdentityProducer now folds internet-exposed (LoadBalancer/NodePort/Ingress) and control-plane classification into each identity MMDB record (internet_exposed/control_plane), so the agent can fold the declared layer in. Lists Services/Ingresses; classification moved to classify.go.
- Remove GraphProducerReconciler + --graph-producer/--service-graph-url wiring.
- EdgeProducer (policy-edges) unchanged.
The agent assembles + uploads the graph from these artifacts + its own observed flows/fingerprints.
StatefulSet replicas (postgres core-0/1/2, kafka brokers) have stable per-ordinal identities and talk to each OTHER — DB streaming replication, inter-broker traffic. Keying them by the set name collapsed all replicas to one ref, so that traffic became a self-loop and was invisible in the graph. Key StatefulSet pods per-pod (core-0/core-1/core-2) so replicas are distinct vertices and their mutual edges are real. Deployments stay aggregated.
…PodSet) Kafka brokers are owned by Strimzi's StrimziPodSet, not a StatefulSet, so the StatefulSet-only check missed them. Key per-pod for ANY controller whose pods are <controller>-<ordinal> (StatefulSet, StrimziPodSet, ...), so kafka brokers (core-kafka-0/1/2) also become distinct vertices. Deployment pods (random RS suffix) still aggregate.
Attach each pod's labels (dropping k8s-internal churn keys like pod-template-hash / controller-revision-hash) to the identity record — written as a nested map in the MMDB baseline and carried in the delta upserts — so the agent can evaluate identity.k8s.{src,dst}_label["<key>"] rules.
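As an added illustration (not the operator's own code) of the keying rule in the two StatefulSet/StrimziPodSet commits above and the label filtering in this one: ordinal-named pods get per-pod keys, ReplicaSet-owned pods collapse under their Deployment, and the churn keys are dropped before labels reach the identity record. The Pod struct, its field names and recovering the Deployment name by stripping the pod-template-hash from the ReplicaSet name are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// Pod is an assumed minimal model (not the operator's type).
type Pod struct {
	Namespace, Name      string
	OwnerKind, OwnerName string // e.g. "ReplicaSet", "api-7d9f6c5b4"
	Labels               map[string]string
}

// ordinalPod matches <controller>-<ordinal> names (StatefulSet, StrimziPodSet, ...).
var ordinalPod = regexp.MustCompile(`^.+-\d+$`)

// churnKeys are k8s-internal labels that change on every rollout; dropping
// them keeps identities stable across ReplicaSet/revision changes.
var churnKeys = map[string]bool{"pod-template-hash": true, "controller-revision-hash": true}

// workloadKey returns the vertex key for a pod: per-pod for ordinal-named
// replicas so their mutual edges are real, aggregated for Deployment pods.
func workloadKey(p Pod) string {
	switch {
	case p.OwnerKind == "ReplicaSet":
		// Kubernetes names the RS <deployment>-<pod-template-hash>; strip the
		// hash so all replicas of the Deployment collapse to one vertex.
		if h, ok := p.Labels["pod-template-hash"]; ok {
			return p.Namespace + "/" + strings.TrimSuffix(p.OwnerName, "-"+h)
		}
		return p.Namespace + "/" + p.OwnerName
	case ordinalPod.MatchString(p.Name):
		return p.Namespace + "/" + p.Name // core-0, core-kafka-2: distinct vertices
	case p.OwnerName != "":
		return p.Namespace + "/" + p.OwnerName // DaemonSet/Job pods: aggregate by owner
	}
	return p.Namespace + "/" + p.Name // bare pod
}

// identityLabels copies the pod's labels minus the churn keys.
func identityLabels(p Pod) map[string]string {
	out := make(map[string]string, len(p.Labels))
	for k, v := range p.Labels {
		if !churnKeys[k] {
			out[k] = v
		}
	}
	return out
}
```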
Mirror the identity delta producer for declared edges. The EdgeProducer becomes informer-driven: on NetworkPolicy/Pod/Namespace change it emits an incremental EdgeDelta (allow-list lines added/removed, tagged with epoch/seq for gap detection) to download-api, alongside a periodic full allow-list baseline for cold-start/resync. Factor the cluster-state reads into edgeInputs(), shared by the baseline build (buildAndUpload) and the delta flush (flushDelta). main.go wires the informer event handlers; tests cover the delta emission.
The operator as the Kubernetes context provider for east-west / identity-aware microsegmentation. The operator holds the live pod→workload state and produces the identity + declared-edge artifacts the agent consumes; the service graph itself is built by the agent (works on-prem, no operator dependency), so the operator's own GraphProducer is dropped and workload classification is folded into the identity output.
Workload identity (MMDB baseline + event-driven deltas)
identity.k8s.{src,dst}_label rules.
Declared-edge allow-list (baseline + deltas)
edge.* fields.
EdgeProducer: on NetworkPolicy / Pod / Namespace change, emits an incremental EdgeDelta (allow-list lines added/removed, tagged epoch/seq for gap detection) to download-api, plus a periodic full baseline.
Rebased onto current main.
go build ./..., go vet ./..., and go test ./... all pass.
Consolidation note: supersedes #50 — this adopts the context-only / agent-built-graph architecture and grafts in #50's per-pod identity, pod-label, and edge-delta work. (#50's GraphProducer-in-operator path is intentionally dropped; its NetworkPolicy-port-on-graph-vertices change lived only in the dropped GraphProducer and is not carried over.)
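A consumer-side sketch of the epoch/seq gap detection that the EdgeDelta commit and the description above rely on, added here as an example rather than taken from the operator or agent: a delta is only folded in when it is the next one in the current epoch; a redelivery is ignored; anything else leaves the list untouched and signals that the full baseline must be re-fetched. The EdgeDelta/AllowList shapes and the allow-list line format in the test are assumptions.

```go
package main

// EdgeDelta is an assumed shape (not the operator's type) for one incremental
// allow-list update: lines added/removed, tagged with the producer's epoch
// (a new epoch means a new baseline) and a per-epoch sequence number.
type EdgeDelta struct {
	Epoch, Seq     uint64
	Added, Removed []string
}

// AllowList is the consumer-side materialised allow-list plus the last
// (epoch, seq) it applied, which is what makes a gap detectable.
type AllowList struct {
	Lines      map[string]bool
	Epoch, Seq uint64
	primed     bool
}

// LoadBaseline replaces the list with a full snapshot tagged (epoch, seq).
func (a *AllowList) LoadBaseline(epoch, seq uint64, lines []string) {
	a.Lines = make(map[string]bool, len(lines))
	for _, l := range lines {
		a.Lines[l] = true
	}
	a.Epoch, a.Seq, a.primed = epoch, seq, true
}

// Apply folds a delta in and reports whether the list is still trustworthy.
// A redelivered delta (seq <= last, same epoch) is ignored idempotently. A
// delta from another epoch, or with seq beyond last+1, means something was
// missed: the list is left untouched and false tells the caller to re-fetch
// the baseline instead of enforcing a list with unknown holes.
func (a *AllowList) Apply(d EdgeDelta) bool {
	switch {
	case !a.primed || d.Epoch != a.Epoch || d.Seq > a.Seq+1:
		return false
	case d.Seq <= a.Seq:
		return true
	}
	for _, l := range d.Removed {
		delete(a.Lines, l)
	}
	for _, l := range d.Added {
		a.Lines[l] = true
	}
	a.Seq = d.Seq
	return true
}
```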