ROX-20713: Add log with connection details (External Entities in NWG)

[vikin91]

Description

Currently, if customers see an edge connecting a container with External Entities on the network graph, then they have no information about this connection.

With this PR, we are adding a log line to Sensor with information about all external connections that are unknown. It means that we show source and destination of the connection (namespace + container name on one side, and IP address and port on the other side) for all cases when "External Entities" would appear on the graph.

Note that we will not show this log line, if the source/destination is external but belongs to the known CIDR ranges. In that case, we will show the name associated with the CIDR range on the graph and no log entry will be produced.

Checklist

• Investigated and inspected CI test results

N/A

• Unit test and regression tests added
• Evaluated and added CHANGELOG entry if required
• Determined and documented upgrade steps
• Documented user facing changes (create PR based on openshift/openshift-docs and merge into rhacs-docs)

Testing Performed

Here I tell how I validated my change

• I have deployed a cluster and triggered an edge to "External Entities" (stackrox has such edges by default)
• Opened Sensor logs and visually confirmed that the log line appears.

(...) Warn: Outgoing connection from container stackrox/central to "169.254.169.254:80". Marking it as 'External Entities' in the network graph.
(...) Warn: Outgoing connection from container stackrox/central to "255.255.255.255:443". Marking it as 'External Entities' in the network graph.
(...) Warn: Incoming connection to container stackrox/central from "10.74.41.227:8443". Marking it as 'External Entities' in the network graph.

Reminder for reviewers

In addition to reviewing code here, reviewers must also review testing and request further testing in case the
performed one does not seem sufficient. As a reviewer, you must not approve the change until you understand the
performed testing and you are satisfied with it.

[ghost]

Images are ready for the commit at b66d6cf.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.3.x-147-gb66d6cf868.

[vikin91]

/test gke-qa-e2e-tests

[ovalenti]

As I understand it, the new log statements can display something else than 255.255.255.255 or ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff only when collector is configured with ROX_ENABLE_EXTERNAL_IPS. Is this correct ?

[Maddosaurus]

LGTM!

Regarding the log output:
I don't know about v6 compatibility at this point, but we should maybe think about it as we investigate the NetworkGraph further.
Looking at this KCS, it seems OpenShift can run a v4/v6 DualStack, but runs v4 only by default.

[vikin91]

@Maddosaurus IPv6 is a good point, but I have not tested it on a cluster that would use it. I guess that for such cases, we would use the same structure:

type connection struct {
	local       net.NetworkPeerID
	remote      net.NumericEndpoint
	containerID string
	incoming    bool
}

The net.NumericEndpoint holds inside an IPAddress which // IPAddress represents an IP (v4 or v6) address.
I hope that this should be enough to cover both types of addresses.

[vikin91]

Current dependencies on/for this PR:

• master
  • PR ROX-20713: Add log with connection details (External Entities in NWG) #8580 👈
    • PR ROX-20847: Add "Internal entities" to the network graph #8648

This stack of pull requests is managed by Graphite.

[ovalenti]

Looks fine to me.

I am just a bit concerned with the processing involved in formatting the strings. Lazy evaluation mechanism in Go seems to be planned for Go2 (golang/go#37739).
IP conversion to string and concatenation will seemingly always occur whatever the log level (https://github.com/stackrox/zap/blob/master/sugar.go#L218)