The "network-policy" gadget

network-policy monitors the network activity in the specified namespaces and records the list of new TCP connections in a file. This file can then be used to generate Kubernetes network policies.

We will run this demo in the demo namespace:

$ kubectl create ns demo
namespace/demo created
$ kubectl apply -f docs/examples/disable-psp-demo.yaml created created

In one terminal, start the network-policy gadget:

$ kubectl gadget network-policy monitor --namespaces demo --output ./networktrace.log

In another terminal, deploy GoogleCloudPlatform/microservices-demo in the demo namespace:

$ wget -O network-policy-demo.yaml
$ kubectl apply -f network-policy-demo.yaml -n demo

Once the demo is deployed and running correctly, we can see all the pods in the demo namespace:

$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-58c85c77d8-k5667               1/1     Running   0          44s
cartservice-579bdd6865-2wcbk             0/1     Running   1          45s
checkoutservice-66d68cbdd-smp6w          1/1     Running   0          46s
currencyservice-65dd85f486-62vld         1/1     Running   0          45s
emailservice-84c98657cb-lqwfz            0/1     Running   2          46s
frontend-788f7bdc86-q56rw                0/1     Running   1          46s
loadgenerator-7699dc7d4b-j6vq6           1/1     Running   1          45s
paymentservice-5c54c9887b-prz7n          1/1     Running   0          45s
productcatalogservice-7df777f796-29lmz   1/1     Running   0          45s
recommendationservice-89547cff8-xf4mv    0/1     Running   1          46s
redis-cart-5f59546cdd-6rq8f              0/1     Running   2          44s
shippingservice-778db496dd-mhdk5         1/1     Running   0          45s

At this point, let’s stop the recording with Ctrl-C, and generate the Kubernetes network policies:

$ kubectl gadget network-policy report --input ./networktrace.log > network-policy.yaml

Example for the cartservice: it can receive connections from the frontend and can initiate connections to redis-cart.

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: cartservice-network
  namespace: demo
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app: redis-cart
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 7070
      protocol: TCP
  podSelector:
    matchLabels:
      app: cartservice
  policyTypes:
  - Ingress
  - Egress
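To show what the report step does with the recorded connections, here is an added example (not Inspektor Gadget's own code): a small Python script that aggregates a trace of observed TCP connections into one NetworkPolicy per pod, de-duplicating repeated connections. The trace format (JSON lines with `type`, `pod`, `pod_labels`, `remote_labels` and `port` fields) is an assumption made for this example, not the gadget's actual log format; the sample events are constructed to reproduce the cartservice policy above.

```python
import json
from collections import defaultdict

# Constructed sample trace (assumed format, not the gadget's real log):
# one JSON object per observed TCP connection, as seen from "pod".
TRACE = """\
{"type":"connect","pod":"cartservice","pod_labels":{"app":"cartservice"},"remote_labels":{"app":"redis-cart"},"port":6379}
{"type":"accept","pod":"cartservice","pod_labels":{"app":"cartservice"},"remote_labels":{"app":"frontend"},"port":7070}
{"type":"accept","pod":"cartservice","pod_labels":{"app":"cartservice"},"remote_labels":{"app":"frontend"},"port":7070}
{"type":"accept","pod":"redis-cart","pod_labels":{"app":"redis-cart"},"remote_labels":{"app":"cartservice"},"port":6379}
"""

def parse_events(text):
    """Parse JSON-lines trace text into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def build_policies(events, namespace):
    """Aggregate observed connections into one NetworkPolicy per pod.

    'accept' events become ingress rules and 'connect' events egress rules;
    repeated connections collapse into one rule. Every policy lists both
    policyTypes, so a direction with no observed traffic is denied (a pod that
    never initiated a connection gets no egress, not unrestricted egress).
    """
    observed = defaultdict(lambda: {"ingress": set(), "egress": set()})
    labels = {}
    for ev in events:
        labels[ev["pod"]] = ev["pod_labels"]
        direction = "ingress" if ev["type"] == "accept" else "egress"
        # frozenset makes the (peer labels, port) pair hashable for de-duplication
        observed[ev["pod"]][direction].add(
            (frozenset(ev["remote_labels"].items()), ev["port"]))

    policies = []
    for pod, dirs in sorted(observed.items()):
        spec = {"podSelector": {"matchLabels": labels[pod]},
                "policyTypes": ["Ingress", "Egress"]}
        for direction, peer_key in (("ingress", "from"), ("egress", "to")):
            for peer, port in sorted(dirs[direction], key=lambda p: (sorted(p[0]), p[1])):
                spec.setdefault(direction, []).append({
                    peer_key: [{"podSelector": {"matchLabels": dict(peer)}}],
                    "ports": [{"port": port, "protocol": "TCP"}]})
        policies.append({"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
                         "metadata": {"name": f"{pod}-network", "namespace": namespace},
                         "spec": spec})
    return policies

if __name__ == "__main__":
    print(json.dumps(build_policies(parse_events(TRACE), "demo"), indent=2))
```

Because the recording only captures traffic that actually happened, a policy generated this way denies any path that was idle during the capture; review the output against the application's expected flows before applying it.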

Time to apply network policies:

$ kubectl apply -f network-policy.yaml created created created created created created created

After a while we can see all the pods in the demo namespace:

$ kubectl get pod -n demo
NAME                                     READY   STATUS             RESTARTS   AGE
adservice-58c85c77d8-k5667               1/1     Running            0          5m11s
cartservice-579bdd6865-2wcbk             1/1     Running            0          5m12s
checkoutservice-66d68cbdd-smp6w          1/1     Running            0          5m14s
currencyservice-65dd85f486-62vld         1/1     Running            0          5m12s
emailservice-84c98657cb-lqwfz            0/1     Running            5          5m14s
frontend-788f7bdc86-q56rw                1/1     Running            0          5m13s
loadgenerator-7699dc7d4b-j6vq6           1/1     Running            2          5m12s
paymentservice-5c54c9887b-prz7n          1/1     Running            0          5m13s
productcatalogservice-7df777f796-29lmz   1/1     Running            0          5m13s
recommendationservice-89547cff8-xf4mv    0/1     Running            4          5m14s
redis-cart-5f59546cdd-6rq8f              1/1     Running            0          5m11s
shippingservice-778db496dd-mhdk5         1/1     Running            0          5m12s

(The emailservice-84c98657cb-lqwfz and recommendationservice-89547cff8-xf4mv pods are failing because GOOGLE_APPLICATION_CREDENTIALS is not set.)

Finally, we should delete the demo namespace:

$ kubectl delete namespace demo
namespace "demo" deleted