I'm interested in using Kubernetes NetworkPolicy to control network policy. I want to know if the NetworkPolicy is blocking traffic so I can either fix the policies or fix/stop whatever is in violation.
We use Calico and they view this as a paid feature. https://github.com/projectcalico/calico/issues/1035
Cilium has cilium monitor
which sounds like it would work if we started using Cilium.
http://docs.cilium.io/en/latest/troubleshooting/
Is there a general, vendor-neutral way to monitor network traffic that violates Kuberenetes NetworkPolicy?
podSelector: Each NetworkPolicy includes a podSelector which selects the grouping of pods to which the policy applies. The example policy selects pods with the label "role=db". An empty podSelector selects all pods in the namespace.
Network policy logs are automatically uploaded to Cloud Logging. You can access logs through the Logs Explorer or with the Google Cloud CLI.
The easiest way to test network policies is to start a single or multi node CNCF certified K8s cluster in Vagran, using the Banzai Cloud's PKE - default installation uses the Weave network plugin, so supports NetworkPolicy out-of-the-box.
View logs from the CNI plugin By default, these logs can be found at /var/log/calico/cni/ on the host machine. The container runtime may also display the CNI plugin logs within its own log output.
AFAIU, there is no way to create such vendor-neutral tool because NetworkPolicy is just an abstraction. Each networking plugin enforces them differently, (Cilium does that mostly in BPF for L3 and L4 and Envoy for L7), so each plugin needs to provide its own means of accessing this information.
AFAIK, there is no initiative in Kubernetes community to store this information and provide an interface for CNI plugins to provide this information, but it seems like it would be a fun project.
Disclaimer: I am on Cilium dev team.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With