This repo contains a Golang library and CLI for analyzing k8s connectivity-configuration resources (a.k.a. network policies).
Evaluate if a specific connection allowed
Usage:
k8snetpolicy evaluate [flags]
Aliases:
evaluate, eval, check, allow
Examples:
# Evaluate if a specific connection is allowed on given resources from dir path
k8snetpolicy eval --dirpath ./resources_dir/ -s pod-1 -d pod-2 -p 80
# Evaluate if a specific connection is allowed on a live k8s cluster
k8snetpolicy eval -k ./kube/config -s pod-1 -d pod-2 -p 80
Flags:
--destination-ip string Destination (external) IP address
--destination-namespace string Destination pod namespace (default "default")
-d, --destination-pod string Destination pod name
-p, --destination-port string Destination port (name or number)
-h, --help help for evaluate
--protocol string Protocol in use (tcp, udp, sctp) (default "tcp")
--source-ip string Source (external) IP address
-n, --source-namespace string Source pod namespace (default "default")
-s, --source-pod string Source pod name, required
Global Flags:
-c, --context string Kubernetes context to use when evaluating connections in a live cluster
--dirpath string Resources dir path when evaluating connections from a dir
--fail fail on the first encountered error
--include-json consider JSON manifests (in addition to YAML) when analyzing from dir
-k, --kubeconfig string Path and file to use for kubeconfig when evaluating connections in a live cluster
-q, --quiet Runs quietly, reports only severe errors and results
-v, --verbose Runs with more informative messages printed to log
Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources defined.
Connections between workload to itself are excluded from the output.
Usage:
k8snetpolicy list [flags]
Examples:
# Get list of allowed connections from resources dir path
k8snetpolicy list --dirpath ./resources_dir/
# Get list of allowed connections from live k8s cluster
k8snetpolicy list -k ./kube/config
Flags:
--exposure Enhance the analysis of permitted connectivity with exposure analysis
-f, --file string Write output to specified file
--focusworkload string Focus connections of specified workload in the output (<workload-name> or <workload-namespace/workload-name>)
-h, --help help for list
-o, --output string Required output format (txt,json,dot,csv,md) (default "txt")
Global Flags:
-c, --context string Kubernetes context to use when evaluating connections in a live cluster
--dirpath string Resources dir path when evaluating connections from a dir
--fail fail on the first encountered error
-k, --kubeconfig string Path and file to use for kubeconfig when evaluating connections in a live cluster
-q, --quiet runs quietly, reports only severe errors and results
-v, --verbose runs with more informative messages printed to log
Reports all differences in allowed connections between two different directories of YAML manifests.
Usage:
k8snetpolicy diff [flags]
Examples:
# Get list of different allowed connections between two resources dir paths
k8snetpolicy diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/
Flags:
--dir1 string First resources dir path
--dir2 string Second resources dir path to be compared with the first dir path
-f, --file string Write output to specified file
-o, --output string Required output format (txt, csv, md, dot) (default "txt")
-h, --help help for diff
Global Flags:
-c, --context string Kubernetes context to use when evaluating connections in a live cluster
--dirpath string Resources dir path when evaluating connections from a dir
--fail fail on the first encountered error
--include-json consider JSON manifests (in addition to YAML) when analyzing from dir
-k, --kubeconfig string Path and file to use for kubeconfig when evaluating connections in a live cluster
-q, --quiet Runs quietly, reports only severe errors and results
-v, --verbose Runs with more informative messages printed to log
$ k8snetpolicy eval --dirpath tests/onlineboutique -s adservice-77d5cd745d-t8mx4 -d emailservice-54c7c5d9d-vp27n -p 80
default/adservice-77d5cd745d-t8mx4 => default/emailservice-54c7c5d9d-vp27n over tcp/80: false
$ k8snetpolicy list --dirpath tests/onlineboutique_workloads
0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
$ ./bin/k8snetpolicy diff --dir1 tests/onlineboutique_workloads --dir2 tests/onlineboutique_workloads_changed_netpols
Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed
Additional details about the connectivity analysis and its output is specified here.
Additional details about exposure analysis (--exposure
flag for the list
command) is specified here.
Additional details about the connectivity diff command and its output is specified here.
Make sure you have golang 1.21+ on your platform
git clone git@github.com:np-guard/netpol-analyzer.git
cd netpol-analyzer
make mod
make build
Test your build by running ./bin/k8snetpolicy -h
.