How to verify cluster network policy configuration/support

12/30/2019

I'm trying to figure out which is the best approach to verify the network policy configuration for a given cluster. According to the documentation

Network policies are implemented by the network plugin, so you must be using a networking solution which supports NetworkPolicy - simply creating the resource without a controller to implement it will have no effect.

Assuming I have access only through kubectl to my cluster, what should I do to ensure the network policy resource deployed into the cluster will be honored?

I'm aware of the available CNIs and the related capabilities matrix.
I know you could check for the pods deployed under kube-system that are related to those CNIs and verify the related capabilities using, for example, the matrix that I shared, but I wonder if there's a more structured approach to verify the current CNI installed and the related capabilities.

Regarding the "controller to implement it", is there a way to get the list of add-on/controller related to the network policy?

-- Crixo
cni
kubernetes
kubernetes-networkpolicy

1 Answer

12/31/2019

Which is the best approach to verify the network policy configuration for a given cluster?

If you have access to the pods, you can run tests to check whether your NetworkPolicies are effective. There are two ways for you to check it:

  • Reading your NetworkPolicy using kubectl (kubectl get networkpolicies).
  • Testing your endpoints to check if NetworkPolicies are effective.

I wonder if there's a more structured approach to verify the current CNI installed and the related capabilities.

There is no structured way to check your CNI. You need to understand how your CNI works to be able to identify it on your cluster. For Calico, for example, you can identify it by checking if calico pods are running. (kubectl get pods --all-namespaces --selector=k8s-app=calico-node)

Regarding the "controller to implement it", is there a way to get the list of add-on/controller related to the network policy?

"controller to implement it" is a reference to the CNI you are using.

There is a tool called Kubernetes Network Policies Viewer that allows you to see your NetworkPolicy graphically. This is not connected to your question but it might help you to visualize your NetworkPolicies and understand what they are doing.

-- mWatney
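The two checks from the answer above (identify the CNI from its pods, then test an endpoint to see whether a policy is actually enforced) as an added POSIX sh example that is not part of the original answer. It assumes a configured kubectl context, the pod-name fragments listed in detect_cni, a placeholder scratch namespace name, and that a CNI which enforces a default-deny ingress policy makes a probe time out or fail to connect.

```shell
#!/bin/sh
# Added example, not from the original post; assumes a configured kubectl context.
# Identify the CNI from a pod listing on stdin (one "<namespace> <pod>" per line,
# as printed by `kubectl get pods -A --no-headers`) and say whether that CNI
# enforces NetworkPolicy. Prints "<cni> <yes|no>"; returns 1 if nothing matched.
detect_cni() {
  pods=$(cat)
  for entry in calico-node:calico:yes cilium:cilium:yes weave-net:weave:yes \
      kube-router:kube-router:yes antrea-agent:antrea:yes kube-flannel:flannel:no; do
    fragment=${entry%%:*}; rest=${entry#*:}
    if printf '%s\n' "$pods" | grep -q -- "$fragment"; then
      printf '%s %s\n' "${rest%%:*}" "${rest#*:}"
      return 0
    fi
  done
  echo "unknown unknown"; return 1
}

# Interpret the exit status of a `curl -m 5` probe run inside a client pod:
# 0 = server answered (allowed); 7 = connect failed and 28 = timeout (blocked).
classify_probe() {
  case "$1" in
    0) echo allowed ;;
    7|28) echo blocked ;;
    *) echo error ;;
  esac
}

# Live check: in a scratch namespace (placeholder name), start a target pod, apply
# a default-deny ingress policy, then probe it from a second pod. Returns 0 only
# when the probe is blocked, i.e. the CNI really enforces the policy.
verify_enforcement() {
  ns=${1:-netpol-check}
  kubectl create namespace "$ns" >/dev/null 2>&1 || true
  kubectl -n "$ns" run target --image=nginx --port=80 --restart=Never >/dev/null
  kubectl -n "$ns" wait --for=condition=Ready pod/target --timeout=90s >/dev/null
  kubectl -n "$ns" apply -f - >/dev/null <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata: {name: default-deny-ingress}
spec: {podSelector: {}, policyTypes: [Ingress]}
EOF
  ip=$(kubectl -n "$ns" get pod target -o jsonpath='{.status.podIP}')
  rc=0
  kubectl -n "$ns" run probe --rm -i --restart=Never --image=curlimages/curl -- \
    curl -s -m 5 "http://$ip/" >/dev/null 2>&1 || rc=$?
  result=$(classify_probe "$rc")
  kubectl delete namespace "$ns" --wait=false >/dev/null 2>&1
  [ "$result" = blocked ]
}
```

Run `kubectl get pods -A --no-headers | detect_cni` to name the plugin, then `verify_enforcement && echo enforced` against a live cluster; a CNI that ignores NetworkPolicy (flannel on its own, for instance) lets the probe through and the function returns non-zero.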
Source: StackOverflow