Monitor or log dropped network traffic for Kubernetes NetworkPolicy

5
votes

I'm interested in using Kubernetes NetworkPolicy to control network policy. I want to know if the NetworkPolicy is blocking traffic so I can either fix the policies or fix/stop whatever is in violation.

We use Calico and they view this as a paid feature. https://github.com/projectcalico/calico/issues/1035

Cilium has cilium monitor which sounds like it would work if we started using Cilium. http://docs.cilium.io/en/latest/troubleshooting/

Is there a general, vendor-neutral way to monitor network traffic that violates Kuberenetes NetworkPolicy?

1
kubernetesproject-calicociliumkubernetes-networkpolicy

1 Answers

5
votes

AFAIU, there is no way to create such vendor-neutral tool because NetworkPolicy is just an abstraction. Each networking plugin enforces them differently, (Cilium does that mostly in BPF for L3 and L4 and Envoy for L7), so each plugin needs to provide its own means of accessing this information.

AFAIK, there is no initiative in Kubernetes community to store this information and provide an interface for CNI plugins to provide this information, but it seems like it would be a fun project.

Disclaimer: I am on Cilium dev team.