Skip to content

montross50/k8s-network-policy-viewer

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

108 Commits
chart
chart
 
 
images
images
 
 
testdata
testdata
 
 
.gitignore
.gitignore
 
 
Dockerfile
Dockerfile
 
 
Dockerfile_test
Dockerfile_test
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
blacklist.go
blacklist.go
 
 
blacklist_test.go
blacklist_test.go
 
 
edge_map.go
edge_map.go
 
 
edge_map_test.go
edge_map_test.go
 
 
go.mod
go.mod
 
 
kube_api.go
kube_api.go
 
 
main.go
main.go
 
 
make_list.go
make_list.go
 
 
make_list_test.go
make_list_test.go
 
 
markdown_table.go
markdown_table.go
 
 
markdown_table_test.go
markdown_table_test.go
 
 
page.go
page.go
 
 
page_test.go
page_test.go
 
 
preflight.go
preflight.go
 
 
preflight_test.go
preflight_test.go
 
 
process.go
process.go
 
 
process_test.go
process_test.go
 
 
select_namespaces.go
select_namespaces.go
 
 
select_namespaces_test.go
select_namespaces_test.go
 
 
select_pods.go
select_pods.go
 
 
select_pods_test.go
select_pods_test.go
 
 
server.go
server.go
 
 
server_test.go
server_test.go
 
 
types.go
types.go
 
 
types_test.go
types_test.go
 
 
write_dot.go
write_dot.go
 
 
write_json.go
write_json.go
 
 
write_json_test.go
write_json_test.go
 
 
write_markdown.go
write_markdown.go
 
 
write_markdown_test.go
write_markdown_test.go
 
 
write_yaml.go
write_yaml.go
 
 
write_yaml_test.go
write_yaml_test.go
 
 

Repository files navigation

k8s-network-policy-viewer

Docker Automated Docker Build

The network policy viewer visualizes the pod network. It is far from complete, but basic isolation rules can be represented in JSON, YAML or dot (Graphviz).

Sample visualization

In this example, the names of the namespaces match their respective network policies, the exception being the global namespace (which has none) and ingress-isolated-whitelist (which has two).

The policies isolated, egress-isolated, ingress-isolated each apply to the namespace as a whole.

ingress-isolated-whitelist whitelists httpd-bob, which is why httpd-bob can be reached from httpd-alice and the generic httpd pod in the namespace.

Deployment

Install the helm chart defined in the folder chart:

$ make -C chart install

Point your browser to the URL given in values.yaml (e.g. http://minikube.info/):

network policy viewer screenshot

The available endpoints are:

Endpoint Description
/ Show graph
/health Health endpoint
/api/v1/metrics Metrics endpoint

Build

The build steps are the following:

$ go mod download
$ go get
$ go vet
$ go test -v
$ go build -o k8s-network-policy-viewer .

make build will run these steps in a two-stage docker build process.

Alternatively, you can use the default image k8s-network-policy-viewer. This is also the image referenced in the helm chart.

Testdata

To build the sample data, run:

$ make -C testdata init
$ make -C testdata create

Custom inputs

The application is intended for in-cluster use -- in which case it fetches the required API resources from the cluster -- but you can supply arbitrary input by piping the output of kubectl get pod,namespace,networkpolicy --all-namespaces -o json to it. The application accepts both JSON and YAML, but you may wish to work with JSON so you can filter the input with jq.

About

Visualizes the pod network

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Go 96.6%
  • Makefile 1.5%
  • Other 1.9%