Resource manifests considered for a connectivity analysis:
- workload resources (such as Kubernetes Pod / Deployment)
- Kubernetes NetworkPolicy
- Kubernetes AdminNetworkPolicy
- Kubernetes BaselineAdminNetworkPolicy
- Kubernetes Ingress
- Openshift Route
The connectivity output consists of lines of the form: src
=> dst
: connections
For connections inferred from network policy resources only, the src
and dst
are workloads or external IP-blocks.
For Ingress/Route analysis, the src
is specified as {ingress-controller}
, representing the cluster's ingress controller Pod.
Its connectivity lines are of the form: {ingress-controller}
=> dst
: connections
, where dst
is a workload in the cluster.
This analysis is currently activated only with --dir-path
flag, and not on a live cluster.
It assumes that the ingress controller Pod is unknown, and thus using this notation of {ingress-controller}
.
list
output in txt
format:
$ ./bin/k8snetpolicy list --dirpath tests/netpol-analysis-example-minimal/
0.0.0.0-255.255.255.255 => default/frontend[Deployment] : TCP 8080
default/frontend[Deployment] => 0.0.0.0-255.255.255.255 : UDP 53
default/frontend[Deployment] => default/backend[Deployment] : TCP 9090
list
output in md
format:
$ ./bin/k8snetpolicy list --dirpath tests/netpol-analysis-example-minimal/ -o md
src | dst | conn |
---|---|---|
0.0.0.0-255.255.255.255 | default/frontend[Deployment] | TCP 8080 |
default/frontend[Deployment] | 0.0.0.0-255.255.255.255 | UDP 53 |
default/frontend[Deployment] | default/backend[Deployment] | TCP 9090 |
list
output in csv
format:
$ ./bin/k8snetpolicy list --dirpath tests/netpol-analysis-example-minimal/ -o csv
src,dst,conn
0.0.0.0-255.255.255.255,default/frontend[Deployment],TCP 8080
default/frontend[Deployment],0.0.0.0-255.255.255.255,UDP 53
default/frontend[Deployment],default/backend[Deployment],TCP 9090
list
output in json
format:
$ ./bin/k8snetpolicy list --dirpath tests/netpol-analysis-example-minimal/ -o json
[
{
"src": "0.0.0.0-255.255.255.255",
"dst": "default/frontend[Deployment]",
"conn": "TCP 8080"
},
{
"src": "default/frontend[Deployment]",
"dst": "0.0.0.0-255.255.255.255",
"conn": "UDP 53"
},
{
"src": "default/frontend[Deployment]",
"dst": "default/backend[Deployment]",
"conn": "TCP 9090"
}
]
list
output in dot
format:
In dot
output graphs, all the peers of the analyzed cluster are grouped by their namespaces.
$ ./bin/k8snetpolicy list --dirpath tests/netpol-analysis-example-minimal/ -o dot
digraph {
subgraph cluster_default {
"default/backend[Deployment]" [label="backend[Deployment]" color="blue" fontcolor="blue"]
"default/frontend[Deployment]" [label="frontend[Deployment]" color="blue" fontcolor="blue"]
label="default"
}
"0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
"0.0.0.0-255.255.255.255" -> "default/frontend[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
"default/frontend[Deployment]" -> "0.0.0.0-255.255.255.255" [label="UDP 53" color="gold2" fontcolor="darkgreen"]
"default/frontend[Deployment]" -> "default/backend[Deployment]" [label="TCP 9090" color="gold2" fontcolor="darkgreen"]
}
svg
graph from dot
format output can be produced using graphviz
as following:
$ dot -Tsvg test_outputs/connlist/netpol-analysis-example-minimal_connlist_output.dot -O
The frames in the graph represent namespaces of the analyzed cluster.
Route/Ingress specified workload as a backend, but network policies are blocking ingress connections from an arbitrary in-cluster source to this workload. Connectivity map will not include a possibly allowed connection between the ingress controller and this workload.
Since the analysis assumes the manifest of the ingress controller is unknown, it checks whether an arbitrary workload can access the destination workloads specified in Ingress/Route rules. If such access is not permitted by network policies, this connection is removed from the report. It may be an allowed connection if a network policy specifically allows ingress access to that workload from a specific workload/namespace of the actual ingress controller installed.
IPv6 addresses are not supported
While egress rules with networks
field in an (baseline-)admin-network-policy may select an external destination by IPv6 address format, such addresses will be ignored and omitted from the connectivity report, since the analysis supports only IPv4 addresses for external IP-blocks.