Scan your Kubernetes clusters to identifiy unprotected workloads and map your existing Network policies
This project aims to demystify network policies in Kubernetes. It's a work in progress!
The netfetch tool is designed to scan Kubernetes namespaces for network policies, checking if your workloads are targeted by a network policy or not.
What can I use netfetch for? 🤔
CLI:
- Scan your Kubernetes cluster or namespace to identify pods running with no ingress and egress restrictions.
- Save the output of your scans in a text file to analyze.
- Create implicit default deny network policies in namespaces that do not have one.
- Get a score calculated for your cluster or namespace based on the findings of the scans.
Dashboard:
- Scan your cluster or namespace and list pods running without network restrictions in a table.
- Visualise all existing network policies and pods in your cluster or namespace in a network map you can interact with.
- Double click a network policy in a network map to preview the YAML of that policy.
- Create implicit default deny network policies in namespaces that do not have one.
- Get suggestions for network policies that you can edit & apply to your namespaces by analysing existing pods.
- Get a score calculated for your cluster or namespace based on the findings of the scans.
Dashboard:
- Kubernetes
CLI:
- Kubernetes
- Cilium
Support for additional types of network policies is in the works. No support for the type you need? Check out issues for an existing request or create a new one if there is none.
You can install netfetch using our Homebrew tap:
brew tap deggja/netfetch https://github.com/deggja/netfetch
brew install netfetchFor specific Linux distros, Windows and other install binaries, check the latest release.
You can deploy the netfetch dashboard in your Kubernetes clusters using Helm.
helm repo add deggja https://deggja.github.io/netfetch/
helm repo update
helm install netfetch deggja/netfetch --namespace netfetch --create-namespaceFollow the instructions after deployment to access the dashboard.
- Installed
netfetchvia homebrew or a release binary. - Access to a Kubernetes cluster with
kubectlconfigured. - Permissions to read and create network policies.
The primary command provided by netfetch is scan. This command scans all non-system Kubernetes namespaces for network policies.
You can also scan specific namespaces by specifying the name of that namespace.
You may add the --dryrun or -d flag to run a dryrun of the scan. The application will not prompt you about adding network policies, but still give you the output of the scan.
Run netfetch in dryrun against a cluster.
netfetch scan --dryrunRun netfetch in dryrun against a namespace
netfetch scan production --dryrun
Scan entire cluster.
netfetch scanScan a namespace called production.
netfetch scan productionScan entire cluster for Cilium Network Policies.
netfetch scan --ciliumScan a namespace called production.
netfetch scan production --ciliumLaunch the dashboard:
netfetch dashWhile in the dashboard, you have a couple of options.
You can use the Scan cluster button, which is the equivalent to the CLI netfetch scan command. This will populate the table view with all pods not targeted by a network policy.
Scanning a specific namespace is done by selecting the namespace of choice from the Select a namespace dropdown and using the Scan namespace button. This is the equivalent to the CLI netfetch scan namespace command.
This will populate the table view with all pods not targeted by a network policy in that specific namespace. In addition to this, if there are any pods in the cluster already targeted by a network policy - it will create a visualisation of this in a network map rendered using D3 below the table view.
You can click the Create cluster map button to do exactly that. This will render a network map with D3, fetching all pods and policies in all the namespaces you have access to in the cluster.
Inside the network map visualisations, you can double click the network policy nodes to preview the YAML of that policy.
When scanning a specific namespace using the Select namespace dropdown, you may click Suggest policy to get network policy suggestions based on your existing workloads.
You may also edit the suggestions inline by using the "Edit" button or copy the YAML of the policy and use it outside of netfetch.
The netfetch tool provides a basic score at the end of each scan. The score ranges from 1 to 42, with 1 being the lowest and 42 being the highest possible score.
Your score will decrease based on the amount of workloads in your cluster that are running without being targeted by a network policy.
The score reflects the security posture of your Kubernetes namespaces based on network policies and general policy coverage. If changes are made based on recommendations from the initial scan, rerunning netfetch will likely result in a higher score.
If you want to uninstall the application - you can do so by running the following commands.
brew uninstall netfetch
brew cleanup -s netfetch
brew untap deggja/netfetch https://github.com/deggja/netfetch
To run tests for this project, follow these steps:
-
Navigate to the root directory of the project in your terminal.
-
Navigate to the backend directory within the project:
cd backend
- Run the following command to execute all tests in the project:
go test ./...
This command will recursively search for tests in all subdirectories (./...) and run them.
- After executing the command, you will see the test results in the terminal output.
Thank you to the following awesome people:
- s-rd - logo
- JJGadgets - testing
- Home Operations Discord - testing
You are welcome to contribute!
See CONTRIBUTING for instructions on how to proceed.
Netfetch uses other tools for a plethora of different things. It would not be possible without the following:
Netfetch is distributed under the MIT License. See the LICENSE for more information.