aws / aws-network-policy-agent

Apache License 2.0

Option to log all network flows to Cloudwatch without writing NetworkPolicies #320

Closed evanj80-illumio closed 5 hours ago

evanj80-illumio commented 4 weeks ago

What would you like to be added: I would like to propose a flag within the advanced configuration options to capture all network traffic without a network policy. Add the ability for the node-agent to listen and log all network flows to cloudwatch.

Why is this needed: This would allow a user to have full visibility into not just traffic that occurs on a VPC within AWS but also traffic that happens within a cluster and within a node of that cluster.

A workaround I have found for now is to apply a network policy that allows all traffic in all namespaces. This way the node-agent logs all flows as enforcement events and logs them to CloudWatch.

```bash
# Define an array of namespaces where you want to allow all traffic
namespaces=("default" "kube-system")
# Loop through each namespace and apply the Network Policy
for ns in "${namespaces[@]}"; do
  kubectl apply -f - <<EOF
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-traffic
  namespace: $ns
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - {}
  egress:
  - {}
EOF
done
```

The problem is then if I want to apply a network policy limiting traffic between 2 specific pods then I must reapply this same policy in every namespace but the namespace those 2 pods reside in. As policies become more complex this current implementation is not realistic or easy to maintain.
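One way to keep the workaround maintainable, as an added example that is not from the issue or from the project: generate the allow-all policy only for namespaces that carry no NetworkPolicy of their own. Kubernetes policies are additive, so an allow-all policy placed next to a restrictive one would re-open everything that policy closed; the script therefore skips such namespaces and reports where an earlier allow-all has become stale. The sample inputs below are constructed in the shape of `kubectl get ... -o json` output; the helper names are my own.

```python
import json
import subprocess

OWN_NAME = "allow-all-traffic"  # name used by the workaround in the issue

# Constructed samples in the shape of `kubectl get ns -o json` and
# `kubectl get networkpolicy -A -o json`; not real cluster output.
SAMPLE_NAMESPACES = {"items": [{"metadata": {"name": n}}
                               for n in ("default", "kube-system", "payments")]}
SAMPLE_POLICIES = {"items": [
    {"metadata": {"name": "deny-others", "namespace": "payments"}},
    {"metadata": {"name": OWN_NAME, "namespace": "payments"}},   # stale allow-all
    {"metadata": {"name": OWN_NAME, "namespace": "kube-system"}},
]}


def namespace_names(ns_list: dict) -> list[str]:
    return [item["metadata"]["name"] for item in ns_list["items"]]


def namespaces_with_own_policies(np_list: dict) -> set[str]:
    # Namespaces holding a policy other than our allow-all (so re-runs stay idempotent).
    return {i["metadata"]["namespace"] for i in np_list["items"]
            if i["metadata"]["name"] != OWN_NAME}


def stale_allow_all(np_list: dict) -> list[str]:
    # Namespaces where our allow-all sits beside a restrictive policy and defeats it.
    ours = {i["metadata"]["namespace"] for i in np_list["items"]
            if i["metadata"]["name"] == OWN_NAME}
    return sorted(ours & namespaces_with_own_policies(np_list))


def allow_all_policy(namespace: str) -> dict:
    # Same object as the issue's workaround, as a dict `kubectl apply -f -` accepts.
    return {"apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
            "metadata": {"name": OWN_NAME, "namespace": namespace},
            "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"],
                     "ingress": [{}], "egress": [{}]}}


def build_policy_list(ns_list: dict, np_list: dict) -> dict:
    owned = namespaces_with_own_policies(np_list)
    targets = [n for n in namespace_names(ns_list) if n not in owned]
    return {"apiVersion": "v1", "kind": "List",
            "items": [allow_all_policy(n) for n in targets]}


if __name__ == "__main__":  # live run against the current kubectl context
    ns = json.loads(subprocess.check_output(["kubectl", "get", "ns", "-o", "json"]))
    nps = json.loads(subprocess.check_output(["kubectl", "get", "networkpolicy", "-A", "-o", "json"]))
    print("stale allow-all in:", stale_allow_all(nps))
    subprocess.run(["kubectl", "apply", "-f", "-"], check=True,
                   input=json.dumps(build_policy_list(ns, nps)).encode())
```

Namespaces reported as stale still need their `allow-all-traffic` policy deleted by hand; the script only adds policies, it never removes them.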

orsenthil commented 1 week ago

Hello @evanj80-illumio, providing a feature like this will require us to attach probes to all pods, which may not be intentional for the customer use.

> I would like to propose a flag within the advanced configuration options to capture all network traffic without a network policy. Add the ability for the node-agent to listen and log all network flows to cloudwatch

If you are looking for the traffic monitoring / observability then perhaps a different solution is required.

Your approach of using an allow-all traffic policy is a work-around that you can use with NP agent and controller too.

orsenthil commented 5 hours ago

Please raise this in containers-roadmap github repo.