mattfenwick opened this issue 4 years ago
I've taken a first pass at this here; still a lot of work to do on that, but I would love some feedback on what kinds of support other people use when working on network policies!
If you want to make a PR into hack/explainer/ or whatever, feel free to. Would be great to have this and at least look at it during the meeting for a few minutes next week.
Paste the output in here when you get a chance, thanks!
Example output from a bunch of network policies:

```text
{"Namespace": "default", "PodSelector": ["MatchLabels",["app: bookstore","role: db"],"MatchExpression",null]}
ingress:
  - pods matching ["MatchLabels",["app: bookstore","role: search"],"MatchExpression",null] in all namespaces
      all ports all protocols
  - pods matching ["MatchLabels",["app: bookstore","role: api"],"MatchExpression",null] in all namespaces
      all ports all protocols
  - pods matching ["MatchLabels",["app: inventory","role: web"],"MatchExpression",null] in all namespaces
      all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: foo"],"MatchExpression",null]}
ingress:
egress:
  - anywhere: all pods in all namespaces and all IPs
      port 53 on protocol TCP
  - anywhere: all pods in all namespaces and all IPs
      port 53 on protocol UDP
  - all pods in all namespaces
      port 53 on protocol TCP
  - all pods in all namespaces
      port 53 on protocol UDP

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: web"],"MatchExpression",null]}
ingress:
  - anywhere: all pods in all namespaces and all IPs
      all ports all protocols
  - all pods in all namespaces
      all ports all protocols
  - anywhere: all pods in all namespaces and all IPs
      all ports all protocols
  - all pods in all namespaces
      all ports all protocols
  - all pods in namespaces matching ["MatchLabels",["purpose: production"],"MatchExpression",null]
      all ports all protocols
  - pods matching ["MatchLabels",["type: monitoring"],"MatchExpression",null] in namespaces matching ["MatchLabels",["team: operations"],"MatchExpression",null]
      all ports all protocols
  - anywhere: all pods in all namespaces and all IPs
      all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["all: web"],"MatchExpression",null]}
ingress:

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: bookstore","role: api"],"MatchExpression",null]}
ingress:
  - pods matching ["MatchLabels",["app: bookstore"],"MatchExpression",null] in all namespaces
      all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",null,"MatchExpression",null]}
ingress:
  - all pods in namespace default
      all ports all protocols
egress:

{"Namespace": "default", "PodSelector": ["MatchLabels",["a: b"],"MatchExpression",null]}
ingress:
  - pods matching ["MatchLabels",["role: client"],"MatchExpression",null] in namespaces matching ["MatchLabels",["user: alice"],"MatchExpression",null]
      all ports all protocols
  - all pods in namespaces matching ["MatchLabels",["user: alice"],"MatchExpression",null]
      all ports all protocols
  - pods matching ["MatchLabels",["role: client"],"MatchExpression",null] in all namespaces
      all ports all protocols

{"Namespace": "default", "PodSelector": ["MatchLabels",["app: apiserver"],"MatchExpression",null]}
ingress:
  - pods matching ["MatchLabels",["role: monitoring"],"MatchExpression",null] in all namespaces
      port 5000 on protocol TCP
```
Input: 1 or more NetworkPolicies
Output: semantic explanation of policies, indicating what pods/namespaces/etc. will be targeted by the policy
Use case: as a developer or infra engineer, I want a debugging or sanity check tool to help me understand the impact of my network policies
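As an added example of the kind of explainer described above (written for this page, not the project's own hack/explainer code), here is a minimal Python tool over the v1 NetworkPolicy JSON shape. The policy objects at the bottom are constructed for the example. It encodes the semantics a sanity-check tool has to get right, because each one is a common source of policies that are more open or more closed than their author intended: a peer with only a `podSelector` selects pods in the policy's *own* namespace, not in all namespaces; `podSelector` and `namespaceSelector` in the same peer are ANDed, while peers within one rule's `from`/`to` list and rules within a policy are ORed; a rule with no peers (or an empty rule `{}`) allows traffic from anywhere, which silently overrides a stricter sibling rule; a policy type that is listed (or defaulted) with no rules is a deny-all for that direction; and `policyTypes` defaults to Ingress, plus Egress only when the `egress` list is non-empty.

```python
"""Minimal NetworkPolicy explainer (added example, not the project's code)."""
from typing import Any, Dict, List, Optional, Set

Policy = Dict[str, Any]
ANYWHERE = "anywhere: all pods in all namespaces and all IPs"


def is_empty(sel: Dict[str, Any]) -> bool:
    """An empty LabelSelector ({}) matches everything."""
    return not (sel.get("matchLabels") or sel.get("matchExpressions"))


def fmt_selector(sel: Dict[str, Any]) -> str:
    """Render a LabelSelector in kubectl-like form (matchLabels ANDed with matchExpressions)."""
    parts = [f"{k}={v}" for k, v in sorted((sel.get("matchLabels") or {}).items())]
    for e in sel.get("matchExpressions") or []:
        vals = ", ".join(e.get("values") or [])
        parts.append({"In": f"{e['key']} in ({vals})", "NotIn": f"{e['key']} notin ({vals})",
                      "Exists": e["key"], "DoesNotExist": f"!{e['key']}"}[e["operator"]])
    return ", ".join(parts) if parts else "<everything>"


def policy_types(spec: Dict[str, Any]) -> Set[str]:
    """Mirror apiserver defaulting: Ingress always; Egress only if policyTypes
    lists it or spec.egress has at least one rule (egress: [] does NOT count)."""
    if spec.get("policyTypes"):
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if spec.get("egress") else {"Ingress"}


def describe_peer(peer: Dict[str, Any], policy_ns: str) -> str:
    """Render one NetworkPolicyPeer. ipBlock is exclusive with the selectors;
    podSelector alone is scoped to the policy's own namespace; both selectors = AND."""
    if "ipBlock" in peer:
        ip = peer["ipBlock"]
        text = f"IPs in {ip['cidr']}"
        return text + (" except " + ", ".join(ip["except"]) if ip.get("except") else "")
    pods, nss = peer.get("podSelector"), peer.get("namespaceSelector")
    if pods is None and nss is None:
        raise ValueError("peer must set podSelector, namespaceSelector or ipBlock")
    if nss is None:
        ns_part = f"namespace {policy_ns}"           # same-namespace only
    elif is_empty(nss):
        ns_part = "all namespaces"                   # every pod in the cluster, not external IPs
    else:
        ns_part = f"namespaces matching {fmt_selector(nss)}"
    if pods is None or is_empty(pods):
        return f"all pods in {ns_part}"
    return f"pods matching {fmt_selector(pods)} in {ns_part}"


def describe_ports(ports: Optional[List[Dict[str, Any]]]) -> str:
    """No ports listed = all ports and protocols; protocol defaults to TCP."""
    if not ports:
        return "all ports, all protocols"
    out = []
    for p in ports:
        proto = p.get("protocol", "TCP")
        if "port" not in p:
            out.append(f"all ports on {proto}")
        elif "endPort" in p:
            out.append(f"ports {p['port']}-{p['endPort']} on {proto}")
        else:
            out.append(f"port {p['port']} on {proto}")
    return "; ".join(out)


def explain(policy: Policy) -> List[str]:
    """Explain one policy, one line per peer plus an indented ports line."""
    meta, spec = policy["metadata"], policy["spec"]
    ns = meta.get("namespace", "default")
    target = spec.get("podSelector") or {}
    sel = "all pods" if is_empty(target) else f"pods matching {fmt_selector(target)}"
    lines = [f"{ns}/{meta['name']}: applies to {sel} in namespace {ns}"]
    types = policy_types(spec)
    for kind, peer_key in (("Ingress", "from"), ("Egress", "to")):
        rules = spec.get(kind.lower()) or []
        if kind not in types:
            lines.append(f"  {kind.lower()}: not restricted by this policy")
        elif not rules:
            lines.append(f"  {kind.lower()}: DENY ALL (type {kind} listed with no rules)")
        else:
            lines.append(f"  {kind.lower()}: (rules are OR'd)")
            for rule in rules:
                # No peers in a rule means "from/to anywhere" for that rule's ports.
                peers = [describe_peer(p, ns) for p in rule.get(peer_key) or []] or [ANYWHERE]
                for peer in peers:
                    lines.append(f"  - {peer}")
                    lines.append(f"      {describe_ports(rule.get('ports'))}")
    return lines


POLICIES: List[Policy] = [  # constructed sample input for this example
    {"metadata": {"name": "api-allow", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "bookstore", "role": "api"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "bookstore"}}}],
                           "ports": [{"port": 5000, "protocol": "TCP"}]}]}},
    {"metadata": {"name": "default-deny-ingress", "namespace": "default"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    {"metadata": {"name": "dns-only-egress", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "foo"}}, "policyTypes": ["Egress"],
              "egress": [{"to": [{"namespaceSelector": {},
                                  "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                          "ports": [{"port": 53, "protocol": "UDP"}, {"port": 53, "protocol": "TCP"}]}]}},
    {"metadata": {"name": "web-allow-monitoring", "namespace": "default"},
     "spec": {"podSelector": {"matchLabels": {"app": "web"}},
              "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"team": "operations"}},
                                     "podSelector": {"matchLabels": {"type": "monitoring"}}},
                                    {"ipBlock": {"cidr": "10.0.0.0/8", "except": ["10.0.1.0/24"]}}]},
                          {}]}},  # the empty second rule opens ingress from anywhere
]

if __name__ == "__main__":
    for pol in POLICIES:
        print("\n".join(explain(pol)), end="\n\n")
```

The last sample policy is the one worth reading in the output: its first rule is tightly scoped, but the empty `{}` rule beside it allows all ingress, so the effective policy is "allow from anywhere". The `dns-only-egress` policy shows the other direction: with `policyTypes: [Egress]` and only port 53 allowed, everything else leaving those pods is dropped, while ingress is left untouched because Ingress is not listed. A real tool would additionally want to union every policy that selects a given pod, since allows from separate policies add up.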