kubectl-np-viewer's Introduction

kubectl np-viewer

A kubectl plugin to visualize network policy rules.

Examples

  • Prints all network policy rules for the current namespace

    kubectl np-viewer

  • Prints all network policy rules for a specific namespace

    kubectl np-viewer -n default

  • Prints all network policy rules for all namespaces

    kubectl np-viewer --all-namespaces
    kubectl np-viewer -A

  • Prints network policy rules of type ingress for the current namespace

    kubectl np-viewer -i

  • Prints network policy rules of type egress for the current namespace

    kubectl np-viewer -e

  • Prints network policy rules affecting a specific pod in the current namespace

    kubectl np-viewer -p pod-name

Installation

There are several ways to install np-viewer. The recommended installation is via the kubectl plugin manager called krew.

Via krew

Krew is a kubectl plugin manager. If you have not yet installed krew, get it at https://github.com/kubernetes-sigs/krew. Then installation is as simple as:

kubectl krew install np-viewer

The plugin will be available as kubectl np-viewer. See doc/USAGE for further details.

Binaries

OSX

curl -L -o kubectl-np-viewer.gz https://github.com/runoncloud/kubectl-np-viewer/releases/download/v1.0.6/kubectl-np-viewer_darwin_amd64.tar.gz && \
  tar zxvf kubectl-np-viewer.gz && chmod +x kubectl-np-viewer && mv kubectl-np-viewer "$GOPATH/bin/kubectl-np_viewer"

Linux

curl -L -o kubectl-np-viewer.gz https://github.com/runoncloud/kubectl-np-viewer/releases/download/v1.0.6/kubectl-np-viewer_linux_amd64.tar.gz && \
  tar zxvf kubectl-np-viewer.gz && chmod +x kubectl-np-viewer && mv kubectl-np-viewer "$GOPATH/bin/kubectl-np_viewer"

Windows

https://github.com/runoncloud/kubectl-np-viewer/releases/download/v1.0.6/kubectl-np-viewer_windows_amd64.zip

Note that the file name in the GOPATH should be kubectl-np_viewer if you want to be able to use it with kubectl.

From source

Requirements:

  • go 1.13 or newer
  • GNU make
  • git

make bin           # binaries will be placed in bin/

kubectl-np-viewer's People

Contributors

ariary, ductnn, jeanpbond, kinoute

kubectl-np-viewer's Issues

binary filename doesn't work as kubectl plugin

I installed by downloading the release and putting the binary into my path. kubectl np-viewer gives me this error:

Error: unknown command "np-viewer" for "kubectl"

I had to rename the binary to kubectl-np_viewer (underscore, not dash). This is probably not intuitive to users who don't have a lot of experience using or building kubectl plugins.

`matchExpression` is not taken into account

Hi,

It seems that matchExpression in podselector is not taken into account and replaced by a wildcard in the output.

It can be present in spec.podSelector but also spec.egress.to[*].podSelector or spec.ingress.from[*].podSelector (everywhere you can find matchLabels).

NetworkPolicies with both namespaceSelector and podSelector in a single from rule are not displayed correctly

Hello,

Thanks for this great plugin. I've noticed an issue where NetworkPolicies with both namespaceSelector and podSelector in a single from rule are not displayed correctly. Example:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-example
spec:
  podSelector: {}
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ns1
      podSelector:
        matchLabels:
          app: app1
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: ns2
      podSelector:
        matchLabels:
          app: app2
          version: v2
  policyTypes:
  - Ingress

which is shown as:

kubectl describe netpol allow-example -n default

Name:         allow-example
Namespace:    default
Created on:   2022-05-04 14:13:50 +0300 EEST
Labels:       <none>
Annotations:  <none>
Spec:
  PodSelector:     <none> (Allowing the specific traffic to all pods in this namespace)
  Allowing ingress traffic:
    To Port: <any> (traffic allowed to all ports)
    From:
      NamespaceSelector: kubernetes.io/metadata.name=ns1
      PodSelector: app=app1
    From:
      NamespaceSelector: kubernetes.io/metadata.name=ns2
      PodSelector: app=app2,version=v2
  Not affecting egress traffic
  Policy Types: Ingress

but np-viewer is displaying it like this:

kubectl np-viewer -n default

+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+
| NETWORK POLICY |  TYPE   | NAMESPACE | PODS |       NAMESPACES SELECTOR       | PODS SELECTOR | IP BLOCK | PORTS |
+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+
| allow-example  | Ingress |  default  |  *   |             default             |   app=app1    |    *     |   *   |
+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+
| allow-example  | Ingress |  default  |  *   | kubernetes.io/metadata.name=ns1 |       *       |    *     |   *   |
+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+
| allow-example  | Ingress |  default  |  *   |             default             |   app=app2    |    *     |   *   |
|                |         |           |      |                                 |  version=v2   |          |       |
+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+
| allow-example  | Ingress |  default  |  *   | kubernetes.io/metadata.name=ns2 |       *       |    *     |   *   |
+----------------+---------+-----------+------+---------------------------------+---------------+----------+-------+

which is wrong.

Network policies that are completely open are ignored

A network policy that looks like:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: wide-open-network-policy
spec:
  podSelector:
    matchLabels:
      app: some-app
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - {}
  egress:
    - {}

...will not get printed. It seems that, since there are no peers, there is nothing in each of the ingress or egress loops that will catch it and print it out.
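The three display issues above (matchExpressions shown as a wildcard, the namespaceSelector and podSelector of one peer split into separate rows, rules with no peers skipped) all concern how a policy's peer list is flattened into rows. Selectors inside a single peer are ANDed, so splitting them makes the policy read as broader than it is. The following is an added example, not the plugin's code: the function names, the row layout and the sample dicts are assumptions constructed here, and ports are left out.

```python
def render(selector, unset):
    """Render a LabelSelector: `unset` if the key is absent, "*" if it is {}."""
    if selector is None:
        return unset
    parts = [f"{k}={v}" for k, v in sorted(selector.get("matchLabels", {}).items())]
    for e in selector.get("matchExpressions", []):
        values = ",".join(e.get("values", []))
        parts.append(f"{e['key']} {e['operator']}" + (f" ({values})" if values else ""))
    return ",".join(parts) or "*"


def peer_rows(policy, namespace):
    """Return (type, target pods, namespaces, pods, ipBlock) rows, one per peer."""
    spec, rows = policy["spec"], []
    target = render(spec.get("podSelector"), "*")
    for ptype, key, side in (("Ingress", "ingress", "from"), ("Egress", "egress", "to")):
        for rule in spec.get(key) or []:
            peers = rule.get(side) or []
            if not peers:  # "- {}": no peers listed, so every peer is allowed
                rows.append((ptype, target, "*", "*", "*"))
            for peer in peers:
                if "ipBlock" in peer:
                    rows.append((ptype, target, "-", "-", peer["ipBlock"]["cidr"]))
                else:  # selectors inside one peer are ANDed: keep them in one row
                    rows.append((ptype, target,
                                 render(peer.get("namespaceSelector"), namespace),
                                 render(peer.get("podSelector"), "*"), "-"))
    return rows


def labels(**kv):  # matchLabels selector, used only to build the samples below
    return {"matchLabels": kv}


NS = "kubernetes.io/metadata.name"
# Constructed samples: the two manifests quoted in the issues, plus a matchExpressions peer.
ALLOW_EXAMPLE = {"spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": [{"from": [
    {"namespaceSelector": labels(**{NS: "ns1"}), "podSelector": labels(app="app1")},
    {"namespaceSelector": labels(**{NS: "ns2"}), "podSelector": labels(app="app2", version="v2")},
]}]}}
WIDE_OPEN = {"spec": {"podSelector": labels(app="some-app"),
                      "policyTypes": ["Ingress", "Egress"], "ingress": [{}], "egress": [{}]}}
EXPR_PEER = {"spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {
    "matchExpressions": [{"key": "tier", "operator": "In", "values": ["web", "api"]}]}}]}]}}

if __name__ == "__main__":
    for sample in (ALLOW_EXAMPLE, WIDE_OPEN, EXPR_PEER):
        for row in peer_rows(sample, "default"):
            print(" | ".join(row))
```

The same functions accept the items returned by kubectl get networkpolicy -o json, with each item's metadata.namespace passed as the namespace argument.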

Possible CSV output?

Hi!
Thanks for this great and handy krew plugin.
This is not an issue with it, but I wanted to know if it would be possible to allow for output to be in CSV format.

I can imagine this getting used as part of an admin tool, to view network policies.
