The "network-policy" gadget

network-policy monitors the network activity in the specified namespaces and records the list of new TCP connections in a file. This file can then be used to generate Kubernetes network policies.

We will run this demo in the demo namespace:

$ kubectl create ns demo
namespace/demo created
$ kubectl apply -f docs/examples/disable-psp-demo.yaml
clusterrole.rbac.authorization.k8s.io/disable-psp-demo created
clusterrolebinding.rbac.authorization.k8s.io/disable-psp-demo created

In one terminal, start the network-policy gadget:

$ kubectl gadget network-policy monitor --namespaces demo --output ./networktrace.log

In another terminal, deploy GoogleCloudPlatform/microservices-demo in the demo namespace:

$ wget -O network-policy-demo.yaml https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/ccff406cdcd3e043b432fe99b4038d1b4699c702/release/kubernetes-manifests.yaml
$ kubectl apply -f network-policy-demo.yaml -n demo

Once the demo is deployed and running correctly, we can see all the pods in the demo namespace:

$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-58c85c77d8-k5667               1/1     Running   0          44s
cartservice-579bdd6865-2wcbk             0/1     Running   1          45s
checkoutservice-66d68cbdd-smp6w          1/1     Running   0          46s
currencyservice-65dd85f486-62vld         1/1     Running   0          45s
emailservice-84c98657cb-lqwfz            0/1     Running   2          46s
frontend-788f7bdc86-q56rw                0/1     Running   1          46s
loadgenerator-7699dc7d4b-j6vq6           1/1     Running   1          45s
paymentservice-5c54c9887b-prz7n          1/1     Running   0          45s
productcatalogservice-7df777f796-29lmz   1/1     Running   0          45s
recommendationservice-89547cff8-xf4mv    0/1     Running   1          46s
redis-cart-5f59546cdd-6rq8f              0/1     Running   2          44s
shippingservice-778db496dd-mhdk5         1/1     Running   0          45s

At this point, let’s stop the recording with Ctrl-C, and generate the Kubernetes network policies:

$ kubectl gadget network-policy report --input ./networktrace.log > network-policy.yaml

For example, the generated policy for cartservice allows it to receive connections from frontend (port 7070) and to initiate connections to redis-cart (port 6379):

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: cartservice-network
  namespace: demo
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app: redis-cart
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 7070
      protocol: TCP
  podSelector:
    matchLabels:
      app: cartservice
  policyTypes:
  - Ingress
  - Egress
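The report step above turns the recorded connections into one NetworkPolicy per app. The following Python script is an added example, not the gadget's own code, that shows the aggregation logic on a constructed sample: the trace-file format of the real gadget is not shown on this page, so the record layout (namespace, source app label, destination app label, destination port, protocol) is an assumption, and the non-cartservice ports are made up. It also adds the check a reviewer wants before applying the output: which deployed apps never appeared on the wire and therefore get no policy at all.

```python
import json

# Constructed sample of connections observed during the monitoring window.
# The gadget's trace-file format is not shown on the page, so this record
# layout is an assumption; cartservice's ports match the policy above, the
# other ports are invented for the example.
OBSERVED_CONNECTIONS = [
    {"namespace": "demo", "src_app": "frontend", "dst_app": "cartservice", "port": 7070, "proto": "TCP"},
    {"namespace": "demo", "src_app": "frontend", "dst_app": "cartservice", "port": 7070, "proto": "TCP"},
    {"namespace": "demo", "src_app": "cartservice", "dst_app": "redis-cart", "port": 6379, "proto": "TCP"},
    {"namespace": "demo", "src_app": "frontend", "dst_app": "productcatalogservice", "port": 3550, "proto": "TCP"},
    {"namespace": "demo", "src_app": "loadgenerator", "dst_app": "frontend", "port": 8080, "proto": "TCP"},
]

# App labels of the pods listed by `kubectl get pod -n demo` above.
DEPLOYED_APPS = [
    "adservice", "cartservice", "checkoutservice", "currencyservice", "emailservice",
    "frontend", "loadgenerator", "paymentservice", "productcatalogservice",
    "recommendationservice", "redis-cart", "shippingservice",
]


def _rule(direction, peer_app, ports):
    """One ingress ("from") or egress ("to") rule: a single pod-selector peer plus its port set."""
    return {
        direction: [{"podSelector": {"matchLabels": {"app": peer_app}}}],
        "ports": [{"port": p, "protocol": proto} for p, proto in sorted(ports)],
    }


def build_policies(connections):
    """Aggregate observed connections into one NetworkPolicy per app.

    Returns a dict keyed by app name. Each value has the shape of the
    cartservice-network policy above. Both policy types are always declared,
    so an app whose observed traffic is one-directional gets an empty list for
    the other direction, which Kubernetes treats as "deny all" for that direction.
    """
    peers = {}  # (namespace, app) -> {"ingress": {peer: {(port, proto)}}, "egress": {...}}
    for c in connections:
        key = (c["port"], c["proto"])
        ns = c["namespace"]
        dst = peers.setdefault((ns, c["dst_app"]), {"ingress": {}, "egress": {}})
        dst["ingress"].setdefault(c["src_app"], set()).add(key)
        src = peers.setdefault((ns, c["src_app"]), {"ingress": {}, "egress": {}})
        src["egress"].setdefault(c["dst_app"], set()).add(key)

    policies = {}
    for (ns, app), sides in sorted(peers.items()):
        policies[app] = {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{app}-network", "namespace": ns},
            "spec": {
                "podSelector": {"matchLabels": {"app": app}},
                "policyTypes": ["Ingress", "Egress"],
                "ingress": [_rule("from", peer, ports) for peer, ports in sorted(sides["ingress"].items())],
                "egress": [_rule("to", peer, ports) for peer, ports in sorted(sides["egress"].items())],
            },
        }
    return policies


def uncovered_apps(policies, deployed_apps):
    """Apps that were deployed but never seen on the wire during monitoring.

    They get no policy and therefore stay unrestricted; review this list by
    hand before trusting the generated set.
    """
    return sorted(set(deployed_apps) - set(policies))


def to_manifest(policies):
    """Serialise the whole set as a v1 List (kubectl apply accepts JSON as well as YAML)."""
    return json.dumps(
        {"apiVersion": "v1", "kind": "List", "items": list(policies.values())},
        indent=2,
    )


if __name__ == "__main__":
    generated = build_policies(OBSERVED_CONNECTIONS)
    print(to_manifest(generated))
    print("apps without a policy:", uncovered_apps(generated, DEPLOYED_APPS))
```

Two caveats follow directly from how the trace is collected. Only connections that actually happened during the monitoring window are allowed, so a code path that was not exercised (a retry to another backend, a periodic job) is denied once the policy is applied, and pods that never connected get no policy and remain open. And because the gadget records TCP connections only, UDP traffic such as DNS lookups never appears in the trace; if pods resolve service names at runtime, a DNS egress rule has to be added by hand.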

Now apply the generated network policies:

$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/cartservice-network created
networkpolicy.networking.k8s.io/checkoutservice-network created
networkpolicy.networking.k8s.io/currencyservice-network created
networkpolicy.networking.k8s.io/frontend-network created
networkpolicy.networking.k8s.io/productcatalogservice-network created
networkpolicy.networking.k8s.io/redis-cart-network created
networkpolicy.networking.k8s.io/shippingservice-network created

After a while, we can check the pods in the demo namespace again:

$ kubectl get pod -n demo
NAME                                     READY   STATUS             RESTARTS   AGE
adservice-58c85c77d8-k5667               1/1     Running            0          5m11s
cartservice-579bdd6865-2wcbk             1/1     Running            0          5m12s
checkoutservice-66d68cbdd-smp6w          1/1     Running            0          5m14s
currencyservice-65dd85f486-62vld         1/1     Running            0          5m12s
emailservice-84c98657cb-lqwfz            0/1     Running            5          5m14s
frontend-788f7bdc86-q56rw                1/1     Running            0          5m13s
loadgenerator-7699dc7d4b-j6vq6           1/1     Running            2          5m12s
paymentservice-5c54c9887b-prz7n          1/1     Running            0          5m13s
productcatalogservice-7df777f796-29lmz   1/1     Running            0          5m13s
recommendationservice-89547cff8-xf4mv    0/1     Running            4          5m14s
redis-cart-5f59546cdd-6rq8f              1/1     Running            0          5m11s
shippingservice-778db496dd-mhdk5         1/1     Running            0          5m12s

(The emailservice-84c98657cb-lqwfz and recommendationservice-89547cff8-xf4mv pods are failing because GOOGLE_APPLICATION_CREDENTIALS is not set.)

Finally, we should delete the demo namespace:

$ kubectl delete namespace demo
namespace "demo" deleted