netpol-analyzer

module
v1.2.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 9, 2024 License: Apache-2.0

README

netpol-analyzer

About netpol-analyzer

This repo contains a Golang library and CLI for analyzing k8s connectivity-configuration resources (a.k.a. network policies).

CLI usage

Evaluate command
Evaluate if a specific connection allowed

Usage:
  k8snetpolicy evaluate [flags]

Aliases:
  evaluate, eval, check, allow

Examples:
  # Evaluate if a specific connection is allowed on given resources from dir path
  k8snetpolicy eval --dirpath ./resources_dir/ -s pod-1 -d pod-2 -p 80

  # Evaluate if a specific connection is allowed on a live k8s cluster
  k8snetpolicy eval -k ./kube/config -s pod-1 -d pod-2 -p 80

Flags:
      --destination-ip string          Destination (external) IP address
      --destination-namespace string   Destination pod namespace (default "default")
  -d, --destination-pod string         Destination pod name
  -p, --destination-port string        Destination port (name or number)
  -h, --help                           help for evaluate
      --protocol string                Protocol in use (tcp, udp, sctp) (default "tcp")
      --source-ip string               Source (external) IP address
  -n, --source-namespace string        Source pod namespace (default "default")
  -s, --source-pod string              Source pod name, required

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log
List command
Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources defined.

Connections between workload to itself are excluded from the output.

Usage:
  k8snetpolicy list [flags]

Examples:
  # Get list of allowed connections from resources dir path
  k8snetpolicy list --dirpath ./resources_dir/

  # Get list of allowed connections from live k8s cluster
  k8snetpolicy list -k ./kube/config

Flags:
      --exposure               Enhance the analysis of permitted connectivity with exposure analysis
  -f, --file string            Write output to specified file
      --focusworkload string   Focus connections of specified workload in the output (<workload-name> or <workload-namespace/workload-name>)
  -h, --help                   help for list
  -o, --output string          Required output format (txt,json,dot,csv,md) (default "txt")

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
  -q, --quiet               runs quietly, reports only severe errors and results
  -v, --verbose             runs with more informative messages printed to log
Diff command
Reports all differences in allowed connections between two different directories of YAML manifests.

Usage:
  k8snetpolicy diff [flags]

Examples:
  # Get list of different allowed connections between two resources dir paths
  k8snetpolicy diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/

Flags:
      --dir1  string  First resources dir path
      --dir2  string  Second resources dir path to be compared with the first dir path
  -f, --file string            Write output to specified file
  -o, --output string Required output format (txt, csv, md, dot) (default "txt")  
  -h, --help   help for diff

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log  
Example outputs:
$ k8snetpolicy eval --dirpath tests/onlineboutique -s adservice-77d5cd745d-t8mx4 -d emailservice-54c7c5d9d-vp27n -p 80

default/adservice-77d5cd745d-t8mx4 => default/emailservice-54c7c5d9d-vp27n over tcp/80: false



$ k8snetpolicy list --dirpath tests/onlineboutique_workloads

0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections



$ ./bin/k8snetpolicy diff --dir1 tests/onlineboutique_workloads --dir2 tests/onlineboutique_workloads_changed_netpols
Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1:  TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1:  TCP 8080, dir2: TCP 8080,9555, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1:  No Connections, dir2: TCP 9555, diff-type: added
source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1:  No Connections, dir2: TCP 9555, diff-type: added
source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1:  All Connections, dir2: No Connections, diff-type: removed
source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1:  TCP 7000, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1:  TCP 9555, dir2: No Connections, diff-type: removed
source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1:  All Connections, dir2: No Connections, diff-type: removed


Additional details about the connectivity analysis and its output is specified here.

Additional details about exposure analysis (--exposure flag for the list command) is specified here.

Additional details about the connectivity diff command and its output is specified here.

Build the project

Make sure you have golang 1.21+ on your platform

git clone git@github.com:np-guard/netpol-analyzer.git
cd netpol-analyzer
make mod 
make build

Test your build by running ./bin/k8snetpolicy -h.

Directories

Path Synopsis
cmd
pkg
cli
netpol/connlist
The connlist package of netpol-analyzer allows producing a k8s connectivity report based on several resources: k8s NetworkPolicy, k8s Ingress, openshift Route It lists the set of allowed connections between each pair of different peers (k8s workloads or ip-blocks).
The connlist package of netpol-analyzer allows producing a k8s connectivity report based on several resources: k8s NetworkPolicy, k8s Ingress, openshift Route It lists the set of allowed connections between each pair of different peers (k8s workloads or ip-blocks).
netpol/diff
The diff package of netpol-analyzer allows producing a k8s connectivity semantic-diff report based on several resources: k8s NetworkPolicy, k8s Ingress, openshift Route It lists the set of changed/removed/added connections between pair of peers (k8s workloads or ip-blocks).
The diff package of netpol-analyzer allows producing a k8s connectivity semantic-diff report based on several resources: k8s NetworkPolicy, k8s Ingress, openshift Route It lists the set of changed/removed/added connections between pair of peers (k8s workloads or ip-blocks).

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL