Using advise network-policy

    The network-policy advisor monitors the network activity in the specified namespaces and records every new TCP connection it observes in a file. That file can then be used to generate Kubernetes network policies that allow only the connections that were recorded.

    We will run this demo in the demo namespace:

    $ kubectl create ns demo
    namespace/demo created
    $ kubectl apply -f docs/examples/disable-psp-demo.yaml created created

    In one terminal, start the network-policy gadget:

    $ kubectl gadget advise network-policy monitor --namespaces demo --output ./networktrace.log

    In another terminal, deploy GoogleCloudPlatform/microservices-demo in the demo namespace:

    $ wget -O network-policy-demo.yaml
    $ kubectl apply -f network-policy-demo.yaml -n demo

    Once the demo is deployed and running correctly, we can see all the pods in the demo namespace:

    $ kubectl get pod -n demo
    NAME                                     READY   STATUS    RESTARTS   AGE
    adservice-58c85c77d8-k5667               1/1     Running   0          44s
    cartservice-579bdd6865-2wcbk             0/1     Running   1          45s
    checkoutservice-66d68cbdd-smp6w          1/1     Running   0          46s
    currencyservice-65dd85f486-62vld         1/1     Running   0          45s
    emailservice-84c98657cb-lqwfz            0/1     Running   2          46s
    frontend-788f7bdc86-q56rw                0/1     Running   1          46s
    loadgenerator-7699dc7d4b-j6vq6           1/1     Running   1          45s
    paymentservice-5c54c9887b-prz7n          1/1     Running   0          45s
    productcatalogservice-7df777f796-29lmz   1/1     Running   0          45s
    recommendationservice-89547cff8-xf4mv    0/1     Running   1          46s
    redis-cart-5f59546cdd-6rq8f              0/1     Running   2          44s
    shippingservice-778db496dd-mhdk5         1/1     Running   0          45s

    At this point, let’s stop the recording with Ctrl-C, and generate the Kubernetes network policies:

    $ kubectl gadget advise network-policy report --input ./networktrace.log > network-policy.yaml

    Example for the cartservice: the generated policy lets it receive connections from the frontend (on port 7070) and initiate connections to redis-cart (on port 6379). Because both Ingress and Egress are listed in policyTypes, any other traffic to or from cartservice is denied once the policy is applied.

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      creationTimestamp: null
      name: cartservice-network
      namespace: demo
    spec:
      egress:
      - ports:
        - port: 6379
          protocol: TCP
        to:
        - podSelector:
            matchLabels:
              app: redis-cart
      ingress:
      - from:
        - podSelector:
            matchLabels:
              app: frontend
        ports:
        - port: 7070
          protocol: TCP
      podSelector:
        matchLabels:
          app: cartservice
      policyTypes:
      - Ingress
      - Egress
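
    The following is an added example, not part of this page or of the Inspektor Gadget code base. It shows the idea behind the report step: aggregate recorded connections per pod into ingress and egress rules, emit one NetworkPolicy per pod in the same shape as the cartservice policy above, and then check which flows the result would permit. The record layout in TRACE, the function names, and the "accept"/"connect" record types are all assumptions constructed for this example; the real format of networktrace.log is not shown on this page.

```python
# Added example (not Inspektor Gadget code): derive NetworkPolicy objects from
# recorded TCP connections and verify what they allow.
# ASSUMPTION: the record layout below is constructed for this example; the real
# networktrace.log format written by the gadget is not shown on the page.
import json
from collections import defaultdict

# Constructed trace: one record per observed TCP connection, as seen from the
# monitored pod ("pod"), with the peer pod's app label and the server port.
TRACE = [
    {"type": "connect", "pod": "cartservice", "peer": "redis-cart",  "port": 6379},
    {"type": "accept",  "pod": "cartservice", "peer": "frontend",    "port": 7070},
    {"type": "accept",  "pod": "cartservice", "peer": "frontend",    "port": 7070},  # repeat
    {"type": "accept",  "pod": "redis-cart",  "peer": "cartservice", "port": 6379},
    {"type": "connect", "pod": "frontend",    "peer": "cartservice", "port": 7070},
]

def build_policies(trace, namespace="demo"):
    """Return {app: NetworkPolicy dict}: one policy per observed pod that allows
    only the (peer, port) pairs present in the trace and nothing else."""
    ingress = defaultdict(set)  # app -> {(peer_app, port)}
    egress = defaultdict(set)
    for rec in trace:
        key = (rec["peer"], rec["port"])
        if rec["type"] == "accept":
            ingress[rec["pod"]].add(key)
        elif rec["type"] == "connect":
            egress[rec["pod"]].add(key)
    policies = {}
    for app in sorted(set(ingress) | set(egress)):
        policies[app] = {
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"{app}-network", "namespace": namespace},
            "spec": {
                "podSelector": {"matchLabels": {"app": app}},
                # Listing both types makes everything not enumerated below a
                # denied flow, including egress the pod never made while recording.
                "policyTypes": ["Ingress", "Egress"],
                "ingress": [
                    {"from": [{"podSelector": {"matchLabels": {"app": peer}}}],
                     "ports": [{"port": port, "protocol": "TCP"}]}
                    for peer, port in sorted(ingress[app])
                ],
                "egress": [
                    {"to": [{"podSelector": {"matchLabels": {"app": peer}}}],
                     "ports": [{"port": port, "protocol": "TCP"}]}
                    for peer, port in sorted(egress[app])
                ],
            },
        }
    return policies

def _rule_matches(rule, peer_key, peer_app, port):
    peers = [p["podSelector"]["matchLabels"]["app"] for p in rule[peer_key]]
    ports = [(p["port"], p["protocol"]) for p in rule["ports"]]
    return peer_app in peers and (port, "TCP") in ports

def allows(policies, src_app, dst_app, port):
    """Would a TCP connection src_app -> dst_app:port be permitted with these
    policies applied? Both ends are checked: the destination's ingress rules
    and the source's egress rules. A pod with no policy is unrestricted."""
    dst = policies.get(dst_app)
    src = policies.get(src_app)
    ingress_ok = dst is None or "Ingress" not in dst["spec"]["policyTypes"] or any(
        _rule_matches(r, "from", src_app, port) for r in dst["spec"]["ingress"])
    egress_ok = src is None or "Egress" not in src["spec"]["policyTypes"] or any(
        _rule_matches(r, "to", dst_app, port) for r in src["spec"]["egress"])
    return ingress_ok and egress_ok

def uncovered_flows(policies, trace):
    """Flows present in the trace that the generated policies would block.
    This should be empty; anything listed means the report disagrees with
    the recording it was built from."""
    flows = set()
    for rec in trace:
        if rec["type"] == "connect":
            flows.add((rec["pod"], rec["peer"], rec["port"]))
        else:
            flows.add((rec["peer"], rec["pod"], rec["port"]))
    return sorted(f for f in flows if not allows(policies, *f))

if __name__ == "__main__":
    pols = build_policies(TRACE)
    print(json.dumps(pols["cartservice"], indent=2))
    print("uncovered:", uncovered_flows(pols, TRACE))
    # A flow that never appeared in the recording stays blocked:
    print("loadgenerator -> cartservice:7070:", allows(pols, "loadgenerator", "cartservice", 7070))
```

    Two properties of this approach are worth keeping in mind when reading the real report. First, the policies are only as complete as the recording: a flow that did not occur while the gadget was monitoring (a periodic job, a rarely used endpoint) is denied once the policies are applied, so the recording window has to cover the workload's full behaviour. Second, this simplified builder only knows about TCP; a pod that also needs UDP (DNS resolution, for instance) would get an egress section that blocks it, so a policy derived this way has to be checked against every protocol the pod actually uses before it is applied.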

    Time to apply network policies:

    $ kubectl apply -f network-policy.yaml created created created created created created created

    After a while, we can check the pods in the demo namespace again with the policies in place:

    $ kubectl get pod -n demo
    NAME                                     READY   STATUS             RESTARTS   AGE
    adservice-58c85c77d8-k5667               1/1     Running            0          5m11s
    cartservice-579bdd6865-2wcbk             1/1     Running            0          5m12s
    checkoutservice-66d68cbdd-smp6w          1/1     Running            0          5m14s
    currencyservice-65dd85f486-62vld         1/1     Running            0          5m12s
    emailservice-84c98657cb-lqwfz            0/1     Running            5          5m14s
    frontend-788f7bdc86-q56rw                1/1     Running            0          5m13s
    loadgenerator-7699dc7d4b-j6vq6           1/1     Running            2          5m12s
    paymentservice-5c54c9887b-prz7n          1/1     Running            0          5m13s
    productcatalogservice-7df777f796-29lmz   1/1     Running            0          5m13s
    recommendationservice-89547cff8-xf4mv    0/1     Running            4          5m14s
    redis-cart-5f59546cdd-6rq8f              1/1     Running            0          5m11s
    shippingservice-778db496dd-mhdk5         1/1     Running            0          5m12s

    (The emailservice-84c98657cb-lqwfz and recommendationservice-89547cff8-xf4mv pods are failing because GOOGLE_APPLICATION_CREDENTIALS is not set; this is unrelated to the network policies.)

    Finally, we should delete the demo namespace:

    $ kubectl delete namespace demo
    namespace "demo" deleted