Using advise network-policy

    The network-policy advisor monitors the network activity in the specified namespaces and records a summary of TCP and UDP traffic in a file. This file can then be used to generate Kubernetes network policies.

    On Kubernetes

    We will run this demo in the demo namespace:

    $ kubectl create ns demo
    namespace/demo created
    $ kubectl apply -f docs/examples/disable-psp-demo.yaml

    In one terminal, start the network-policy gadget:

    $ kubectl gadget advise network-policy monitor -n demo --output ./networktrace.log

    In another terminal, deploy GoogleCloudPlatform/microservices-demo in the demo namespace:

    $ wget -O network-policy-demo.yaml
    $ kubectl apply -f network-policy-demo.yaml -n demo

    Once the demo is deployed and running correctly, we can see all the pods in the demo namespace:

    $ kubectl get pod -n demo
    NAME                                     READY   STATUS    RESTARTS   AGE
    adservice-6f498fc6c6-rjtrj               0/1     Running   0          28s
    cartservice-bc9b949b-l8jts               0/1     Running   0          32s
    checkoutservice-598d5b586d-fplr8         1/1     Running   0          36s
    currencyservice-6ddbdd4956-hxkt4         1/1     Running   0          30s
    emailservice-68fc78478-9g9vj             1/1     Running   0          37s
    frontend-5bd77dd84b-6c5s9                1/1     Running   0          34s
    loadgenerator-8f7d5d8d8-5nxw2            1/1     Running   0          31s
    paymentservice-584567958d-4rp7q          1/1     Running   0          33s
    productcatalogservice-75f4877bf4-xsn7m   1/1     Running   0          32s
    recommendationservice-646c88579b-q9h4m   1/1     Running   0          35s
    redis-cart-5b569cd47-ffqqr               1/1     Running   0          29s
    shippingservice-79849ddf8-dc6st          1/1     Running   0          30s

    At this point, let’s stop the recording with Ctrl-C, and generate the Kubernetes network policies:

    $ kubectl gadget advise network-policy report --input ./networktrace.log > network-policy.yaml

    Example for the cartservice:

    • it can receive connections from the frontend and the checkoutservice
    • it can initiate connections to redis-cart and make DNS queries.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      creationTimestamp: null
      name: cartservice-network
      namespace: demo
    spec:
      egress:
      - ports:
        - port: 6379
          protocol: TCP
        to:
        - podSelector:
            matchLabels:
              app: redis-cart
      - ports:
        - port: 53
          protocol: UDP
        to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: checkoutservice
        ports:
        - port: 7070
          protocol: TCP
      - from:
        - podSelector:
            matchLabels:
              app: frontend
        ports:
        - port: 7070
          protocol: TCP
      podSelector:
        matchLabels:
          app: cartservice
      policyTypes:
      - Ingress
      - Egress
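    The generated policies allow exactly the flows that occurred while the monitor was running; any connection the workload needs but did not make during the recording window is denied once the policies are applied. Before applying, it is worth replaying the expected flows against the policies to see what would be blocked. The following is an added example, not part of Inspektor Gadget or of this demo: a small evaluator for NetworkPolicy matchLabels/port rules. The policy is the cartservice one above in its parsed (dict) form; the pods, namespace labels, flows and the coredns pod name are constructed for illustration, and matchExpressions and ipBlock peers are out of scope.

```python
# Added example (not Inspektor Gadget code): replay flows against NetworkPolicy
# objects to find traffic the policies would deny. Policies are the dicts you
# would get from parsing the generated YAML. Pods and flows are constructed.
from dataclasses import dataclass


@dataclass
class Pod:
    name: str
    namespace: str
    labels: dict


@dataclass
class Flow:
    src: Pod
    dst: Pod
    port: int
    protocol: str = "TCP"


# Constructed: the immutable name label Kubernetes sets on every namespace.
NAMESPACE_LABELS = {
    "demo": {"kubernetes.io/metadata.name": "demo"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}

# The cartservice policy from the report above, as parsed YAML.
CARTSERVICE_POLICY = {
    "metadata": {"name": "cartservice-network", "namespace": "demo"},
    "spec": {
        "podSelector": {"matchLabels": {"app": "cartservice"}},
        "policyTypes": ["Ingress", "Egress"],
        "ingress": [
            {"from": [{"podSelector": {"matchLabels": {"app": "checkoutservice"}}}],
             "ports": [{"port": 7070, "protocol": "TCP"}]},
            {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
             "ports": [{"port": 7070, "protocol": "TCP"}]},
        ],
        "egress": [
            {"to": [{"podSelector": {"matchLabels": {"app": "redis-cart"}}}],
             "ports": [{"port": 6379, "protocol": "TCP"}]},
            {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                     "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
             "ports": [{"port": 53, "protocol": "UDP"}]},
        ],
    },
}


def selector_matches(selector, labels):
    """matchLabels only; matchExpressions is not modelled in this example."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, pod, policy_ns):
    """Does one 'from'/'to' entry select the remote pod?"""
    if "ipBlock" in peer:
        return False  # IP-based peers are not modelled here
    ns_sel = peer.get("namespaceSelector")
    if ns_sel is None:
        if pod.namespace != policy_ns:
            return False  # a bare podSelector covers only the policy's own namespace
    elif not selector_matches(ns_sel, NAMESPACE_LABELS.get(pod.namespace, {})):
        return False
    pod_sel = peer.get("podSelector")
    return pod_sel is None or selector_matches(pod_sel, pod.labels)


def ports_match(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed means every port
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def policy_types(spec):
    # Kubernetes default: Ingress always, Egress only if an egress section exists.
    return spec.get("policyTypes") or (["Ingress", "Egress"] if "egress" in spec else ["Ingress"])


def direction_allowed(flow, policies, direction):
    """Evaluate one side of a flow: 'Egress' from src or 'Ingress' to dst."""
    if direction == "Egress":
        local, remote, key, peer_key = flow.src, flow.dst, "egress", "to"
    else:
        local, remote, key, peer_key = flow.dst, flow.src, "ingress", "from"
    applicable = [p for p in policies
                  if p["metadata"]["namespace"] == local.namespace
                  and direction in policy_types(p["spec"])
                  and selector_matches(p["spec"]["podSelector"], local.labels)]
    if not applicable:
        return True  # no policy selects the pod: default allow
    for pol in applicable:
        for rule in pol["spec"].get(key) or []:
            peers = rule.get(peer_key)
            peer_ok = not peers or any(peer_matches(pe, remote, local.namespace) for pe in peers)
            if peer_ok and ports_match(rule, flow.port, flow.protocol):
                return True
    return False


def find_blocked(flows, policies):
    """Return (flow, direction) pairs that the policies would deny."""
    return [(f, d) for f in flows for d in ("Egress", "Ingress")
            if not direction_allowed(f, policies, d)]


# Constructed pods (names taken from the pod listing; coredns name is made up).
FRONTEND = Pod("frontend-5bd77dd84b-gtcg8", "demo", {"app": "frontend"})
CHECKOUT = Pod("checkoutservice-598d5b586d-59sws", "demo", {"app": "checkoutservice"})
CART = Pod("cartservice-bc9b949b-7xxvr", "demo", {"app": "cartservice"})
REDIS = Pod("redis-cart-5b569cd47-8gwrc", "demo", {"app": "redis-cart"})
LOADGEN = Pod("loadgenerator-8f7d5d8d8-664jv", "demo", {"app": "loadgenerator"})
COREDNS = Pod("coredns-constructed", "kube-system", {"k8s-app": "kube-dns"})

# Constructed flows: four the recording captured, two it did not.
FLOWS = [
    Flow(FRONTEND, CART, 7070),
    Flow(CHECKOUT, CART, 7070),
    Flow(CART, REDIS, 6379),
    Flow(CART, COREDNS, 53, "UDP"),
    Flow(LOADGEN, CART, 7070),  # never seen during the monitor run
    Flow(CART, REDIS, 6380),    # port not in the recording
]

if __name__ == "__main__":
    for flow, direction in find_blocked(FLOWS, [CARTSERVICE_POLICY]):
        print(f"BLOCKED ({direction}): {flow.src.name} -> {flow.dst.name}:{flow.port}/{flow.protocol}")
```

    Running it reports the loadgenerator-to-cartservice connection as blocked on ingress and the unrecorded Redis port as blocked on egress, while the four recorded flows pass. The same evaluator can be fed the flow list from a longer recording to check that the policy set is complete before it is applied.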

    Time to apply the network policies (kubectl prints one "created" line per generated policy):

    $ kubectl apply -f network-policy.yaml

    And redeploy the demo:

    $ kubectl delete -f network-policy-demo.yaml -n demo
    $ kubectl apply -f network-policy-demo.yaml -n demo

    After a while, all the pods in the demo namespace are ready and running:

    $ kubectl get pod -n demo
    NAME                                     READY   STATUS    RESTARTS   AGE
    adservice-6f498fc6c6-f8sfm               1/1     Running   0          11m
    cartservice-bc9b949b-7xxvr               1/1     Running   0          11m
    checkoutservice-598d5b586d-59sws         1/1     Running   0          11m
    currencyservice-6ddbdd4956-vdxml         1/1     Running   0          11m
    emailservice-68fc78478-zxkn5             1/1     Running   0          11m
    frontend-5bd77dd84b-gtcg8                1/1     Running   0          11m
    loadgenerator-8f7d5d8d8-664jv            1/1     Running   0          11m
    paymentservice-584567958d-ds8w6          1/1     Running   0          11m
    productcatalogservice-75f4877bf4-h7654   1/1     Running   0          11m
    recommendationservice-646c88579b-gvkp9   1/1     Running   0          11m
    redis-cart-5b569cd47-8gwrc               1/1     Running   0          11m
    shippingservice-79849ddf8-72bd4          1/1     Running   0          11m

    Finally, we should delete the demo namespace:

    $ kubectl delete namespace demo
    namespace "demo" deleted


    With ig

    This gadget is specific to Kubernetes and can’t be used with ig.