Version: latest

Using advise network-policy

The network-policy advisor monitors the network activity in the specified namespaces and records a summary of TCP and UDP traffic in a file. This file can then be used to generate Kubernetes network policies.

On Kubernetes

We will run this demo in the demo namespace:

$ kubectl create ns demo
namespace/demo created
$ kubectl apply -f https://raw.githubusercontent.com/inspektor-gadget/inspektor-gadget/main/docs/examples/disable-psp-demo.yaml
clusterrole.rbac.authorization.k8s.io/disable-psp-demo created
clusterrolebinding.rbac.authorization.k8s.io/disable-psp-demo created

In one terminal, start the network-policy gadget:

$ kubectl gadget advise network-policy monitor -n demo --output ./networktrace.log

In another terminal, deploy GoogleCloudPlatform/microservices-demo in the demo namespace:

$ wget -O network-policy-demo.yaml https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/c1536ff6e6782bb37e36d2e6eee0fa64a6461216/release/kubernetes-manifests.yaml
$ kubectl apply -f network-policy-demo.yaml -n demo

Once the demo is deployed and running correctly, we can see all the pods in the demo namespace:

$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-6f498fc6c6-rjtrj               0/1     Running   0          28s
cartservice-bc9b949b-l8jts               0/1     Running   0          32s
checkoutservice-598d5b586d-fplr8         1/1     Running   0          36s
currencyservice-6ddbdd4956-hxkt4         1/1     Running   0          30s
emailservice-68fc78478-9g9vj             1/1     Running   0          37s
frontend-5bd77dd84b-6c5s9                1/1     Running   0          34s
loadgenerator-8f7d5d8d8-5nxw2            1/1     Running   0          31s
paymentservice-584567958d-4rp7q          1/1     Running   0          33s
productcatalogservice-75f4877bf4-xsn7m   1/1     Running   0          32s
recommendationservice-646c88579b-q9h4m   1/1     Running   0          35s
redis-cart-5b569cd47-ffqqr               1/1     Running   0          29s
shippingservice-79849ddf8-dc6st          1/1     Running   0          30s

At this point, let's stop the recording with Ctrl-C, and generate the Kubernetes network policies:

$ kubectl gadget advise network-policy report --input ./networktrace.log > network-policy.yaml

Example for the cartservice:

it can receive connections from the frontend and the checkoutservice
it can initiate connections to redis-cart and make DNS queries.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: cartservice-network
  namespace: demo
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app: redis-cart
  - ports:
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: checkoutservice
    ports:
    - port: 7070
      protocol: TCP
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 7070
      protocol: TCP
  podSelector:
    matchLabels:
      app: cartservice
  policyTypes:
  - Ingress
  - Egress

Time to apply network policies:

$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/adservice-network created
networkpolicy.networking.k8s.io/cartservice-network created
networkpolicy.networking.k8s.io/checkoutservice-network created
networkpolicy.networking.k8s.io/currencyservice-network created
networkpolicy.networking.k8s.io/emailservice-network created
networkpolicy.networking.k8s.io/frontend-network created
networkpolicy.networking.k8s.io/loadgenerator-network created
networkpolicy.networking.k8s.io/paymentservice-network created
networkpolicy.networking.k8s.io/productcatalogservice-network created
networkpolicy.networking.k8s.io/recommendationservice-network created
networkpolicy.networking.k8s.io/redis-cart-network created
networkpolicy.networking.k8s.io/shippingservice-network created

And redeploy the demo:

$ kubectl delete -f network-policy-demo.yaml -n demo
$ kubectl apply -f network-policy-demo.yaml -n demo

After a while we can see all the pods in the demo namespace:

$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-6f498fc6c6-f8sfm               1/1     Running   0          11m
cartservice-bc9b949b-7xxvr               1/1     Running   0          11m
checkoutservice-598d5b586d-59sws         1/1     Running   0          11m
currencyservice-6ddbdd4956-vdxml         1/1     Running   0          11m
emailservice-68fc78478-zxkn5             1/1     Running   0          11m
frontend-5bd77dd84b-gtcg8                1/1     Running   0          11m
loadgenerator-8f7d5d8d8-664jv            1/1     Running   0          11m
paymentservice-584567958d-ds8w6          1/1     Running   0          11m
productcatalogservice-75f4877bf4-h7654   1/1     Running   0          11m
recommendationservice-646c88579b-gvkp9   1/1     Running   0          11m
redis-cart-5b569cd47-8gwrc               1/1     Running   0          11m
shippingservice-79849ddf8-72bd4          1/1     Running   0          11m

Finally, we should delete the demo namespace:

$ kubectl delete namespace demo
namespace "demo" deleted

Limitations

When using the Docker bridge as CNI, pod-to-pod source IP is lost with services. This generates wrong ingress policies. https://github.com/kubernetes/minikube/issues/11211

With `ig`

This gadget is specific to Kubernetes and can't be used with ig.

On Kubernetes​

Limitations​

With ig​

On Kubernetes

Limitations

With `ig`