cheriot/netpoltool

netpoltool

CLI evaluation of Kubernetes NetworkPolicies with detailed output helpful for debugging. Given source and destination pods, identify the NetworkPolicies that apply and whether a connection is allowed.

Maturity Level

Alpha. The core NetworkPolicy evaluation is unit tested, but may have incorrect assertions based on my reading of the spec. Comparison to real k8s implementations has been limited and manual.

Requirements

With a recent, stable version of Go installed:

go install golang.org/dl/go1.18beta1@latest
go1.18beta1 download

Install

go1.18beta1 install github.com/cheriot/netpoltool/cmd/netpoltool@latest

Run

netpoltool eval -v --namespace=sourceNamespace --pod=sourcePod --to-namespace=destinationNamespace --to-pod=destinationPod

Usage:
  main [OPTIONS] eval [eval-OPTIONS]

Given source and destination pods, evaluate if Network Policies allow the source pod to access any ports on the destination pod.

Application Options:
      --kubeconfig=       Absolute path to the kubeconfig file. Default to ~/.kube/config.
  -v, --verbose           Show more detail on NetworkPolicy evaluation (-v, -vv).

Help Options:
  -h, --help              Show this help message

[eval command options]
      -n, --namespace=    Namespace of the pod creating the connection.
          --pod=          Name of the pod creating the connection.
          --to-namespace= Namespace of the pod receiving the connection.
          --to-pod=       Name of the pod receiving the connection.
          --to-port=      (Optional) Number or name of the port to connect to.
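
The kind of evaluation described above, reduced to the ingress side of the destination pod, as an added example that is not netpoltool's own code. The type and function names are hypothetical, and the model assumes equality-only label selectors, policies that all carry policyType Ingress, and no ports or ipBlock peers.

```go
package main

import "fmt"

type Labels map[string]string // simplified model (assumption): equality-only selectors
type Pod struct{ Namespace string; NSLabels, PodLabels Labels }
type Peer struct{ NSSelector, PodSelector Labels } // nil NSSelector: the policy's own namespace
type Policy struct {
	Name, Namespace string
	PodSelector     Labels   // empty selects every pod in Namespace
	Ingress         [][]Peer // peers per rule; a rule with no peers allows all sources
}

func matches(sel, l Labels) bool {
	for k, v := range sel {
		if l[k] != v {
			return false
		}
	}
	return true
}

// EvalIngress (ingress only, ports and ipBlock ignored) returns the policies selecting dst and the verdict.
func EvalIngress(policies []Policy, src, dst Pod) (applied []string, allowed bool) {
	for _, pol := range policies {
		if pol.Namespace != dst.Namespace || !matches(pol.PodSelector, dst.PodLabels) {
			continue
		}
		applied = append(applied, pol.Name)
		for _, rule := range pol.Ingress {
			allowed = allowed || len(rule) == 0
			for _, p := range rule {
				sameNS := p.NSSelector == nil && src.Namespace == pol.Namespace
				otherNS := p.NSSelector != nil && matches(p.NSSelector, src.NSLabels)
				allowed = allowed || ((sameNS || otherNS) && matches(p.PodSelector, src.PodLabels))
			}
		}
	}
	return applied, allowed || len(applied) == 0 // a pod no policy selects accepts everything
}

func main() { // constructed sample data, not from a real cluster
	db, api := Pod{Namespace: "shop", PodLabels: Labels{"app": "db"}}, Peer{PodSelector: Labels{"app": "api"}}
	pols := []Policy{{"default-deny", "shop", Labels{}, nil}, {"allow-api", "shop", Labels{"app": "db"}, [][]Peer{{api}}}}
	for _, ns := range []string{"shop", "dev"} {
		applied, ok := EvalIngress(pols, Pod{Namespace: ns, PodLabels: Labels{"app": "api"}}, db)
		fmt.Printf("%s/api -> shop/db: policies=%v allowed=%v\n", ns, applied, ok)
	}
}
```

Both policies select shop/db in each case, but only the source in the shop namespace is allowed: a podSelector peer without a namespaceSelector matches pods in the policy's namespace only.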
