Closed evanj80-illumio closed 5 hours ago
Hello @evanj80-illumio , providing a feature like this will require us to attach probes to all pods, which may not be intentional for the customer use.
> I would like to propose a flag within the advanced configuration options to capture all network traffic without a network policy. Add the ability for the node-agent to listen and log all network flows to CloudWatch.
If you are looking for the traffic monitoring / observability then perhaps a different solution is required.
Your approach of using an allow-all traffic policy is a work-around that you can use with the NP agent and controller too.
Please raise this in the containers-roadmap GitHub repo.
What would you like to be added: I would like to propose a flag within the advanced configuration options to capture all network traffic without a network policy. Add the ability for the node-agent to listen and log all network flows to CloudWatch.
Why is this needed: This would allow a user to have full visibility into not just traffic that occurs on a VPC within AWS but also traffic that happens within a cluster and within a node of that cluster.
A workaround I have found for now is to apply a network policy that allows all traffic in all namespaces. This way the node-agent logs all flows as enforcement events and logs them to CloudWatch.
The problem is then if I want to apply a network policy limiting traffic between 2 specific pods then I must reapply this same policy in every namespace but the namespace those 2 pods reside in. As policies become more complex this current implementation is not realistic or easy to maintain.
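The allow-all workaround described in the issue, written out as an added example manifest (this is not from the issue author or from the network-policy project; the policy name `allow-all-for-flow-logging` and the target namespace `default` are assumptions, and the manifest must be applied once per namespace that should have its flows logged):

```yaml
# Added example: a Kubernetes NetworkPolicy that selects every pod in the
# namespace and permits all ingress and egress. With this in place the
# node-agent evaluates every flow against a policy and can log it as an
# enforcement event; without any policy in the namespace, no flows are logged.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-for-flow-logging   # assumed name
  namespace: default                 # assumed namespace; repeat per namespace
spec:
  podSelector: {}                    # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - {}                             # one empty rule = allow from any source
  egress:
    - {}                             # one empty rule = allow to any destination
```

Because NetworkPolicy rules are additive, this manifest cannot coexist with a restrictive policy in the same namespace without making that restriction ineffective: as soon as a namespace needs a real allow-list, this allow-all object has to be removed from it, which is the maintenance burden the issue describes.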