github.com/inspektor-gadget/inspektor-gadget@v0.28.1/docs/builtin-gadgets/advise/network-policy.md

---
title: 'Using advise network-policy'
weight: 20
description: >
  Generate network policies based on recorded network activity.
---

The network-policy advisor monitors the network activity in the specified
namespaces and records a summary of TCP and UDP traffic in a file. This file
can then be used to generate Kubernetes network policies.

### On Kubernetes

We will run this demo in the demo namespace:

```bash
$ kubectl create ns demo
namespace/demo created
$ kubectl apply -f docs/examples/disable-psp-demo.yaml
clusterrole.rbac.authorization.k8s.io/disable-psp-demo created
clusterrolebinding.rbac.authorization.k8s.io/disable-psp-demo created
```

In one terminal, start the network-policy gadget:

```bash
$ kubectl gadget advise network-policy monitor -n demo --output ./networktrace.log
```

In another terminal, deploy [GoogleCloudPlatform/microservices-demo](https://github.com/GoogleCloudPlatform/microservices-demo/blob/master/release/kubernetes-manifests.yaml) in the demo namespace:

```bash
$ wget -O network-policy-demo.yaml https://raw.githubusercontent.com/GoogleCloudPlatform/microservices-demo/c1536ff6e6782bb37e36d2e6eee0fa64a6461216/release/kubernetes-manifests.yaml
$ kubectl apply -f network-policy-demo.yaml -n demo
```

Once the demo is deployed and running correctly, we can see all the pods in the
demo namespace:

```bash
$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-6f498fc6c6-rjtrj               0/1     Running   0          28s
cartservice-bc9b949b-l8jts               0/1     Running   0          32s
checkoutservice-598d5b586d-fplr8         1/1     Running   0          36s
currencyservice-6ddbdd4956-hxkt4         1/1     Running   0          30s
emailservice-68fc78478-9g9vj             1/1     Running   0          37s
frontend-5bd77dd84b-6c5s9                1/1     Running   0          34s
loadgenerator-8f7d5d8d8-5nxw2            1/1     Running   0          31s
paymentservice-584567958d-4rp7q          1/1     Running   0          33s
productcatalogservice-75f4877bf4-xsn7m   1/1     Running   0          32s
recommendationservice-646c88579b-q9h4m   1/1     Running   0          35s
redis-cart-5b569cd47-ffqqr               1/1     Running   0          29s
shippingservice-79849ddf8-dc6st          1/1     Running   0          30s
```

At this point, let's stop the recording with Ctrl-C, and generate the
Kubernetes network policies:

```bash
$ kubectl gadget advise network-policy report --input ./networktrace.log > network-policy.yaml
```

Example for the cartservice:
* it can receive connections from the frontend and the checkoutservice
* it can initiate connections to redis-cart and make DNS queries.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  creationTimestamp: null
  name: cartservice-network
  namespace: demo
spec:
  egress:
  - ports:
    - port: 6379
      protocol: TCP
    to:
    - podSelector:
        matchLabels:
          app: redis-cart
  - ports:
    - port: 53
      protocol: UDP
    to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: checkoutservice
    ports:
    - port: 7070
      protocol: TCP
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - port: 7070
      protocol: TCP
  podSelector:
    matchLabels:
      app: cartservice
  policyTypes:
  - Ingress
  - Egress
```

Time to apply the network policies:

```bash
$ kubectl apply -f network-policy.yaml
networkpolicy.networking.k8s.io/adservice-network created
networkpolicy.networking.k8s.io/cartservice-network created
networkpolicy.networking.k8s.io/checkoutservice-network created
networkpolicy.networking.k8s.io/currencyservice-network created
networkpolicy.networking.k8s.io/emailservice-network created
networkpolicy.networking.k8s.io/frontend-network created
networkpolicy.networking.k8s.io/loadgenerator-network created
networkpolicy.networking.k8s.io/paymentservice-network created
networkpolicy.networking.k8s.io/productcatalogservice-network created
networkpolicy.networking.k8s.io/recommendationservice-network created
networkpolicy.networking.k8s.io/redis-cart-network created
networkpolicy.networking.k8s.io/shippingservice-network created
```

And redeploy the demo:

```bash
$ kubectl delete -f network-policy-demo.yaml -n demo
$ kubectl apply -f network-policy-demo.yaml -n demo
```

After a while, we can see all the pods in the demo namespace:

```bash
$ kubectl get pod -n demo
NAME                                     READY   STATUS    RESTARTS   AGE
adservice-6f498fc6c6-f8sfm               1/1     Running   0          11m
cartservice-bc9b949b-7xxvr               1/1     Running   0          11m
checkoutservice-598d5b586d-59sws         1/1     Running   0          11m
currencyservice-6ddbdd4956-vdxml         1/1     Running   0          11m
emailservice-68fc78478-zxkn5             1/1     Running   0          11m
frontend-5bd77dd84b-gtcg8                1/1     Running   0          11m
loadgenerator-8f7d5d8d8-664jv            1/1     Running   0          11m
paymentservice-584567958d-ds8w6          1/1     Running   0          11m
productcatalogservice-75f4877bf4-h7654   1/1     Running   0          11m
recommendationservice-646c88579b-gvkp9   1/1     Running   0          11m
redis-cart-5b569cd47-8gwrc               1/1     Running   0          11m
shippingservice-79849ddf8-72bd4          1/1     Running   0          11m
```

Finally, we should delete the demo namespace:

```bash
$ kubectl delete namespace demo
namespace "demo" deleted
```

#### Limitations

- When using the Docker bridge as CNI, the pod-to-pod source IP is lost when traffic goes through services. This generates wrong ingress policies. See https://github.com/kubernetes/minikube/issues/11211.

### With `ig`

This gadget is specific to Kubernetes and can't be used with `ig`.
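To check what the generated cartservice policy above actually permits before applying it, here is an added example (not part of Inspektor Gadget) that evaluates hypothetical flows against that policy's spec. The spec is transcribed from the YAML into a Python dict so the script runs without a YAML library; only `matchLabels` selectors are modelled, and the policy's namespace is assumed to be `demo` as in the demo.

```python
# Added example, not part of the Inspektor Gadget project: a minimal evaluator
# for the generated cartservice policy above, transcribed into a dict so it
# runs without a YAML library. Only matchLabels selectors are modelled.
POLICY_NAMESPACE = "demo"  # namespace the policy is applied in

CARTSERVICE_SPEC = {
    "podSelector": {"matchLabels": {"app": "cartservice"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [
        {"from": [{"podSelector": {"matchLabels": {"app": "checkoutservice"}}}],
         "ports": [{"port": 7070, "protocol": "TCP"}]},
        {"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
         "ports": [{"port": 7070, "protocol": "TCP"}]},
    ],
    "egress": [
        {"to": [{"podSelector": {"matchLabels": {"app": "redis-cart"}}}],
         "ports": [{"port": 6379, "protocol": "TCP"}]},
        {"to": [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                 "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
         "ports": [{"port": 53, "protocol": "UDP"}]},
    ],
}

def _labels_match(selector, labels):
    # matchLabels: every selector key must be present with the same value
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())

def _peer_matches(peer, pod_labels, pod_ns):
    # A podSelector alone only selects pods in the policy's own namespace;
    # with a namespaceSelector, the peer's namespace labels must match too.
    ns_labels = {"kubernetes.io/metadata.name": pod_ns}  # set on every namespace
    if "namespaceSelector" in peer:
        if not _labels_match(peer["namespaceSelector"], ns_labels):
            return False
    elif pod_ns != POLICY_NAMESPACE:
        return False
    return _labels_match(peer.get("podSelector", {}), pod_labels)

def allowed(spec, direction, peer_labels, peer_ns, port, protocol="TCP"):
    """direction is 'ingress' or 'egress'; True if some rule permits the flow."""
    if direction.capitalize() not in spec.get("policyTypes", []):
        return True  # the policy does not restrict this direction at all
    peer_key = "from" if direction == "ingress" else "to"
    for rule in spec.get(direction, []):
        peers_ok = peer_key not in rule or any(
            _peer_matches(p, peer_labels, peer_ns) for p in rule[peer_key])
        ports_ok = "ports" not in rule or any(
            pp.get("port") == port and pp.get("protocol", "TCP") == protocol
            for pp in rule["ports"])
        if peers_ok and ports_ok:
            return True
    return False
```

Running `allowed(CARTSERVICE_SPEC, "ingress", {"app": "loadgenerator"}, "demo", 7070)` returns `False`, which is why any pod the recording did not observe talking to cartservice will be cut off once the policy is applied.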