As a Kubernetes beginner, I started to secure the K8s cluster with Calico network policies and also wanted to log a few of them. I had to struggle with some problems at the beginning, because I didn't understand how logging works in Calico. Therefore I looked for help in Slack (and got it successfully) :)
To make it easier for other beginners I made some notes and thought about what could be added to the documentation.
I figured out (maybe a bug) that if you want to allow/deny and log something, the "Log" action always has to come before the allow/deny action in the order. If not, nothing will be logged, because that creates two iptables rules. I would mention this in the documentation.
It would have been a great help to me if the logging of Calico's network policies had been described better. Before I had a conversation with Lance from Calico, I didn't know anything about that. I would explain that Calico "only" adds some parameters to the iptables rule, like the logging and prefix parameters, and also that Calico's responsibility ends (at least currently) there. Maybe also the standard syslog path like /var/log/messages or /var/log/syslog. Before, I was only looking at /var/log/calico/...
Best practice network policy logging: e.g. a global deny that logs each connection attempt which will be dropped.
To my first note:
It's definitely not a bug, because I learned that when a Log action is performed, rule processing continues. But when an action is Deny or Allow, no further rules will be processed.
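The two points above (Log must come before the terminating Allow/Deny, and the resulting log lines land in the host's kernel/syslog output rather than under /var/log/calico/) can be checked mechanically. The following is an added example, not code from the issue or from the Calico project: it holds the "global deny that logs each dropped attempt" policy as the dict form of its YAML manifest, flags Log rules that an earlier Allow/Deny in the same rule list would shadow, and parses the kernel LOG lines that the iptables rule emits. The policy name `default-deny-logged`, the default log prefix `calico-packet` (Felix's `logPrefix` setting), and the syslog sample lines are assumptions constructed for the example; check your own FelixConfiguration for the prefix actually in use.

```python
import re
from collections import Counter

# Assumed GlobalNetworkPolicy (dict form of the YAML manifest): a global default deny
# that logs every dropped connection attempt. Log comes first, because Deny/Allow
# end rule processing while Log falls through to the next rule.
GLOBAL_DENY_WITH_LOG = {
    "apiVersion": "projectcalico.org/v3",
    "kind": "GlobalNetworkPolicy",
    "metadata": {"name": "default-deny-logged"},  # name chosen for this example
    "spec": {
        "order": 1000,          # high order number: evaluated after more specific policies
        "selector": "all()",
        "types": ["Ingress", "Egress"],
        "ingress": [{"action": "Log"}, {"action": "Deny"}],
        "egress": [{"action": "Log"}, {"action": "Deny"}],
    },
}

TERMINAL_ACTIONS = {"Allow", "Deny"}  # "Pass" hands off to the next policy, "Log" falls through


def unreachable_log_rules(policy):
    """Return (direction, index) for each Log rule that an earlier Allow/Deny in the
    same rule list shadows: either an unconditional terminal rule, or one whose match
    criteria are identical to the Log rule's. Such a Log rule never sees the traffic."""
    found = []
    spec = policy.get("spec", {})
    for direction in ("ingress", "egress"):
        shadowing = []  # match criteria of terminal rules seen so far
        for idx, rule in enumerate(spec.get(direction, [])):
            match = {k: v for k, v in rule.items() if k != "action"}
            if rule.get("action") == "Log":
                if any(seen == {} or seen == match for seen in shadowing):
                    found.append((direction, idx))
            elif rule.get("action") in TERMINAL_ACTIONS:
                shadowing.append(match)
    return found


# Constructed syslog excerpt: three kernel LOG lines produced by the iptables LOG target
# with the calico-packet prefix, plus one unrelated line that must be ignored.
SAMPLE_SYSLOG = """\
Mar 10 12:00:01 node1 kernel: [ 1234.567890] calico-packet: IN=cali0a1b2c3d4e5 OUT= MAC=ee:ee:ee:ee:ee:ee:aa:bb:cc:dd:ee:ff:08:00 SRC=10.244.1.5 DST=10.244.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=43210 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:02 node1 kernel: [ 1235.123456] calico-packet: IN=cali0a1b2c3d4e5 OUT= MAC=ee:ee:ee:ee:ee:ee:aa:bb:cc:dd:ee:ff:08:00 SRC=10.244.1.5 DST=10.244.2.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4712 DF PROTO=TCP SPT=43211 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 10 12:00:03 node1 kernel: [ 1236.000000] calico-packet: IN=cali9f8e7d6c5b4 OUT= MAC=ee:ee:ee:ee:ee:ee:11:22:33:44:55:66:08:00 SRC=10.244.3.9 DST=10.244.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=2 PROTO=ICMP TYPE=8 CODE=0 SEQ=1
Mar 10 12:00:04 node1 sshd[1234]: Accepted publickey for ops from 192.0.2.10 port 50000
"""

KV = re.compile(r"(\w+)=(\S*)")


def parse_calico_log_lines(lines, prefix="calico-packet"):
    """Parse kernel LOG lines carrying the given prefix into dicts of KEY=value fields.
    Bare tokens such as DF or SYN (flags without '=') are collected under 'flags'."""
    marker = prefix + ": "
    records = []
    for line in lines:
        if "kernel:" not in line or marker not in line:
            continue
        fields = line.split(marker, 1)[1]
        rec = dict(KV.findall(fields))
        rec["flags"] = [tok for tok in fields.split() if "=" not in tok]
        records.append(rec)
    return records


def summarise_drops(records):
    """Count logged attempts per (SRC, DST, PROTO, DPT); DPT is '-' for protocols without ports."""
    return Counter(
        (r.get("SRC"), r.get("DST"), r.get("PROTO"), r.get("DPT", "-")) for r in records
    )


if __name__ == "__main__":
    print("shadowed Log rules:", unreachable_log_rules(GLOBAL_DENY_WITH_LOG))
    for key, n in summarise_drops(parse_calico_log_lines(SAMPLE_SYSLOG.splitlines())).items():
        print(n, "attempt(s)", key)
```

In practice the input to `parse_calico_log_lines` is the host's `/var/log/messages`, `/var/log/syslog` or `journalctl -k` output, since the LOG target writes through the kernel's log facility and nothing Calico-specific ends up under /var/log/calico/ for these rules.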
Example Calico Network Policy Log