
Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.

Netfetch

Scan your Kubernetes clusters to identify unprotected workloads and map your existing network policies.

⭐ What is this project ⭐

This project aims to demystify network policies in Kubernetes. It's a work in progress!

The netfetch tool is designed to scan Kubernetes namespaces for network policies, checking if your workloads are targeted by a network policy or not.

What can I use netfetch for? 🤔

CLI:

  • Scan your Kubernetes cluster or namespace to identify pods running with no ingress and egress restrictions.
  • Save the output of your scans in a text file to analyze.
  • Create implicit default deny network policies in namespaces that do not have one.
  • Get a score calculated for your cluster or namespace based on the findings of the scans.
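As an added illustration of the check behind the scan and the default-deny option above (example code, not netfetch's own), a pod counts as unprotected when no NetworkPolicy in its namespace selects it, and a policy with an empty podSelector selects every pod in its namespace. Pod, NetworkPolicy, Selects, Unprotected and DefaultDeny are constructed stand-ins; only matchLabels selectors are modelled.

```go
package main

// Constructed stand-ins for the objects netfetch inspects (not netfetch's own
// types); only spec.podSelector.matchLabels selectors are modelled.
type Pod struct {
	Name, Namespace string
	Labels          map[string]string
}
type NetworkPolicy struct {
	Name, Namespace string
	PodSelector     map[string]string // matchLabels; empty selects every pod in the namespace
	PolicyTypes     []string          // "Ingress" and/or "Egress"
}

// Selects reports whether np targets p: policies are namespaced, and an empty
// selector matches every pod in that namespace, which is how default deny works.
func Selects(np NetworkPolicy, p Pod) bool {
	if np.Namespace != p.Namespace {
		return false
	}
	for k, v := range np.PodSelector {
		if p.Labels[k] != v {
			return false
		}
	}
	return true
}

// Unprotected lists "namespace/pod" for every pod no policy selects, which is
// what a netfetch scan flags as running without ingress/egress restrictions.
func Unprotected(pods []Pod, policies []NetworkPolicy) (out []string) {
next:
	for _, p := range pods {
		for _, np := range policies {
			if Selects(np, p) {
				continue next
			}
		}
		out = append(out, p.Namespace+"/"+p.Name)
	}
	return out
}

// DefaultDeny models the implicit default-deny policy netfetch offers to create:
// an empty selector covering the whole namespace for both directions.
func DefaultDeny(ns string) NetworkPolicy {
	return NetworkPolicy{"default-deny", ns, map[string]string{}, []string{"Ingress", "Egress"}}
}
```

Running Unprotected over a sample inventory before and after adding DefaultDeny for a namespace shows exactly which pods the default-deny policy newly covers, while pods in other namespaces stay flagged.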

Dashboard:

  • Scan your cluster or namespace and list pods running without network restrictions in a table.
  • Visualise all existing network policies and pods in your cluster or namespace in a network map you can interact with.
  • Double click a network policy in a network map to preview the YAML of that policy.
  • Create implicit default deny network policies in namespaces that do not have one.
  • Get suggestions for network policies that you can edit & apply to your namespaces by analysing existing pods.
  • Get a score calculated for your cluster or namespace based on the findings of the scans.

NetworkPolicy type support in Netfetch

Dashboard:

  • Kubernetes

CLI:

  • Kubernetes
  • Cilium

Support for additional types of network policies is in the works. No support for the type you need? Check out issues for an existing request or create a new one if there is none.

Installation

Installation via Homebrew for Mac 💻

You can install netfetch using our Homebrew tap:

brew tap deggja/netfetch https://github.com/deggja/netfetch
brew install netfetch

For specific Linux distros, Windows and other install binaries, check the latest release.

Installation via Helm 🎩

You can deploy the netfetch dashboard in your Kubernetes clusters using Helm.

helm repo add deggja https://deggja.github.io/netfetch/
helm repo update
helm install netfetch deggja/netfetch --namespace netfetch --create-namespace

Follow the instructions after deployment to access the dashboard.

Prerequisites 🌌

  • Installed netfetch via Homebrew or a release binary.
  • Access to a Kubernetes cluster with kubectl configured.
  • Permissions to read and create network policies.

Usage

Get started

The primary command provided by netfetch is scan. This command scans all non-system Kubernetes namespaces for network policies.

You can also scan specific namespaces by specifying the name of that namespace.

You may add the --dryrun or -d flag to run a dry run of the scan. In this mode netfetch will not prompt you to add network policies, but it still gives you the output of the scan.

Run netfetch in dry-run mode against the cluster.

netfetch scan --dryrun

Run netfetch in dry-run mode against a namespace.

netfetch scan production --dryrun
Scan entire cluster.

netfetch scan

Scan a namespace called production.

netfetch scan production

Scan entire cluster for Cilium Network Policies.

netfetch scan --cilium

Scan a namespace called production for Cilium Network Policies.

netfetch scan production --cilium

Using the dashboard 📟

Launch the dashboard:

netfetch dash

While in the dashboard, you have a couple of options.

You can use the Scan cluster button, which is the equivalent of the CLI netfetch scan command. This will populate the table view with all pods not targeted by a network policy.

Scanning a specific namespace is done by selecting the namespace of choice from the Select a namespace dropdown and using the Scan namespace button. This is the equivalent of the CLI netfetch scan namespace command.

This will populate the table view with all pods not targeted by a network policy in that specific namespace. In addition, if any pods in the namespace are already targeted by a network policy, it will create a visualisation of this in a network map rendered using D3 below the table view.

[Screenshot: Netfetch Dashboard]

You can click the Create cluster map button to do exactly that. This will render a network map with D3, fetching all pods and policies in all the namespaces you have access to in the cluster.

[Screenshot: Cluster map]

Inside the network map visualisations, you can double click the network policy nodes to preview the YAML of that policy.

[Screenshot: Network map]

When scanning a specific namespace using the Select namespace dropdown, you may click Suggest policy to get network policy suggestions based on your existing workloads.

[Screenshot: Suggested policies]

You may also edit the suggestions inline by using the "Edit" button or copy the YAML of the policy and use it outside of netfetch.

Netfetch score 🥇

The netfetch tool provides a basic score at the end of each scan. The score ranges from 1 to 42, with 1 being the lowest and 42 being the highest possible score.

Your score decreases with the number of workloads in your cluster that are running without being targeted by a network policy.

The score reflects the security posture of your Kubernetes namespaces based on network policies and general policy coverage. If changes are made based on recommendations from the initial scan, rerunning netfetch will likely result in a higher score.

Uninstalling netfetch

If you want to uninstall the application, you can do so by running the following commands.

brew uninstall netfetch
brew cleanup -s netfetch
brew untap deggja/netfetch https://github.com/deggja/netfetch

Contribute 🔨

Thank you to the following awesome people:

You are welcome to contribute!

See CONTRIBUTING for instructions on how to proceed.

Tools 🧰

Netfetch uses other tools for a plethora of different things. It would not be possible without the following:

License

Netfetch is distributed under the MIT License. See the LICENSE for more information.