Generate network policies

Generate network policies based on network traffic flows in your environment.


A Kubernetes network policy selects a set of pods and specifies which incoming (ingress) traffic those pods may receive and which outgoing (egress) traffic they may send. Pods that no policy selects accept all traffic, so using network policies to allow only the traffic a workload actually needs limits your network attack surface.

Network policies are YAML manifests. It is often difficult to gain insight into the actual network flows and to write these manifests by hand. The StackRox Kubernetes Security Platform can autogenerate network policies from the network communication flows it has observed in your environment.

This topic provides instructions on how to generate and visualize network policies.

Generate network policies

You can generate network policies from the network graph view.

The generated policies apply to the deployments shown in the network graph and allow exactly the network traffic observed during the selected time window. Traffic that did not occur in that window is not allowed once the policies are applied.

To generate a network policy:

  1. In the StackRox portal, select Network Graph from the left-hand navigation menu.
  2. Select a cluster name from the menu on the top bar, if the right one isn’t already selected.
  3. If you want to generate policies for only some deployments, use the filter box to narrow the graph to those deployments. If you don't add a filter, the StackRox Kubernetes Security Platform generates policies for all deployments in the cluster.
  4. Select an appropriate time window from the menu on the top bar. If the window is too short, periodic or infrequent connections (scheduled jobs, backups, health probes that run rarely) are missed, and the generated policies will block them.
  5. Select Network Policy Simulator.
  6. In the panel that opens, select Exclude ports & protocols if you want the generated rules to allow traffic from each permitted source on any port and protocol, rather than only on the ports and protocols that were observed. Leaving ports and protocols in gives tighter policies but requires that every port a peer uses was seen during the window.
  7. Select Generate and simulate network policies. The generated network policy configuration YAML opens in the same panel, and the network graph shows the effects of the policies.


Save generated policies

You can download and save the generated network policies from the StackRox Kubernetes Security Platform. Use this option to commit the policies into a version control system like Git.

To save the policies and apply them later:

  1. Select the Download YAML icon on the Network Policy Simulator panel.


To create the policies from the saved YAML file, use the following command (kubectl, or oc on OpenShift):

  kubectl create -f "StackRox Generated.yaml"
  oc create -f "StackRox Generated.yaml"

If the generated policies cause problems, you can remove exactly the objects in that file by running the command:

  kubectl delete -f "StackRox Generated.yaml"
  oc delete -f "StackRox Generated.yaml"

Apply generated policies

To directly apply the generated policies in the cluster from within the StackRox Kubernetes Security Platform, select Apply Network Policies.

Directly applying network policies can break running applications, because any connection that was not observed in the selected window is blocked immediately. Always download and test the network policies in a development environment or test cluster before you apply them to production workloads.
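The review a practitioner wants to do on a downloaded file before committing it or applying it is mechanical enough to script. The following is an added example, not StackRox code. It constructs four sample policy documents in the same dict shape that yaml.safe_load_all() returns for the downloaded file (PyYAML is deliberately not imported so the example runs offline; in practice, load the real file with it). It assumes the "any IP address" rule is written as an ipBlock of 0.0.0.0/0, and the deployment names and namespaces are invented. It flags the things that most often cause surprises: rules open to any IP, rules with no port restriction, policies that will block all inbound traffic because nothing was observed, and policies that lost the label the bulk-delete command below depends on.

```python
"""Pre-apply review of a downloaded "StackRox Generated.yaml" (added example)."""

GENERATED_LABEL = "network-policy-generator.stackrox.io/generated"
NAMESPACE_LABEL = "namespace.metadata.stackrox.io/name"

# Constructed sample documents, in the shape yaml.safe_load_all() would return.
POLICIES = [
    {   # exposed frontend: an any-IP rule (assumed to be ipBlock 0.0.0.0/0), ports scoped
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "stackrox-generated-web", "namespace": "frontend",
                     "labels": {GENERATED_LABEL: "true"}},
        "spec": {"podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
                 "ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}],
                              "ports": [{"port": 8080, "protocol": "TCP"}]}]},
    },
    {   # generated with "Exclude ports & protocols": the rule carries no ports
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "stackrox-generated-api", "namespace": "backend",
                     "labels": {GENERATED_LABEL: "true"}},
        "spec": {"podSelector": {"matchLabels": {"app": "api"}}, "policyTypes": ["Ingress"],
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}},
                                        "namespaceSelector": {"matchLabels": {NAMESPACE_LABEL: "frontend"}}}]}]},
    },
    {   # hand-edited copy that lost the generated label
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "stackrox-generated-db", "namespace": "backend", "labels": {}},
        "spec": {"podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Ingress"],
                 "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                              "ports": [{"port": 5432, "protocol": "TCP"}]}]},
    },
    {   # nothing was observed for this deployment in the window: deny-all ingress
        "apiVersion": "networking.k8s.io/v1", "kind": "NetworkPolicy",
        "metadata": {"name": "stackrox-generated-cache", "namespace": "backend",
                     "labels": {GENERATED_LABEL: "true"}},
        "spec": {"podSelector": {"matchLabels": {"app": "cache"}}, "policyTypes": ["Ingress"],
                 "ingress": []},
    },
]


def audit(policies):
    """Return (namespace, policy name, finding) triples in document order."""
    findings = []
    for pol in policies:
        meta = pol.get("metadata", {})
        ns, name = meta.get("namespace", "default"), meta.get("name", "?")
        spec = pol.get("spec", {})
        if meta.get("labels", {}).get(GENERATED_LABEL) != "true":
            findings.append((ns, name, "missing generated label: delete-by-label will skip it"))
        rules = spec.get("ingress", [])
        if "Ingress" in spec.get("policyTypes", []) and not rules:
            findings.append((ns, name, "no ingress rules: all inbound traffic to the selected pods is blocked"))
        for i, rule in enumerate(rules):
            peers = rule.get("from", [])
            if not peers:
                findings.append((ns, name, f"ingress rule {i} has no 'from': any source allowed"))
            for peer in peers:
                cidr = peer.get("ipBlock", {}).get("cidr")
                if cidr in ("0.0.0.0/0", "::/0"):
                    findings.append((ns, name, f"ingress rule {i} allows any IP ({cidr})"))
            if "ports" not in rule:
                findings.append((ns, name, f"ingress rule {i} has no ports: all ports and protocols allowed"))
    return findings


def namespaces(policies):
    """Namespaces the file touches; a per-namespace cleanup loop must cover each one."""
    return sorted({p.get("metadata", {}).get("namespace", "default") for p in policies})


if __name__ == "__main__":
    for ns, name, msg in audit(POLICIES):
        print(f"{ns}/{name}: {msg}")
    print("namespaces:", ", ".join(namespaces(POLICIES)))
```

Run it against the real file after yaml.safe_load_all() and treat every any-IP and no-ports finding as something to justify in the commit that adds the policies; a deny-all finding usually means the time window was too short for that deployment.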

Delete generated policies

If you have applied generated policies directly and want to remove them, select the Revert most recently applied YAML icon on the Network Policy Simulator panel.

To find this option if you have closed the Network Policy Simulator panel:

  1. In the StackRox portal, select Network Graph from the left-hand navigation menu.
  2. Select a cluster name from the menu on the top bar, if the right one isn’t already selected.
  3. Select Network Policy Simulator.
  4. Select View active YAMLs.
  5. Select the Revert most recently applied YAML icon.

Delete all autogenerated policies

You can also delete all StackRox-generated policies in a cluster by selecting on the label they carry, iterating over every namespace because the label selector is namespace-scoped:

  kubectl get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n 1 kubectl delete networkpolicies -l 'network-policy-generator.stackrox.io/generated=true' -n
  oc get ns -o jsonpath='{.items[*].metadata.name}' | xargs -n 1 oc delete networkpolicies -l 'network-policy-generator.stackrox.io/generated=true' -n

Policy generation strategy

When you autogenerate network policies:

  • The StackRox Kubernetes Security Platform generates a single network policy for each deployment in the namespace. The pod selector for the policy is the pod selector of the deployment.

    • If a deployment already has a network policy, the StackRox Kubernetes Security Platform doesn’t generate new policies or delete existing policies.
  • Generated policies only restrict traffic to existing deployments.

    • Deployments you create later won’t have any restrictions unless you create or generate new network policies for them.
    • If a new deployment needs to contact a deployment with a network policy, you may need to edit the network policy to allow access.
  • Each policy has the same name as the deployment, prefixed with stackrox-generated-. For example, the policy generated for the deployment depABC is named stackrox-generated-depABC. All generated policies also carry the identifying label network-policy-generator.stackrox.io/generated=true, which the bulk deletion command above selects on.

  • The StackRox Kubernetes Security Platform generates a single rule allowing traffic from any IP address if:

    • the deployment has an incoming connection from outside the cluster within the selected time, or
    • the deployment is exposed through a NodePort or LoadBalancer service.
  • The StackRox Kubernetes Security Platform generates one ingress rule for every deployment from which there is an incoming connection.

    • For deployments in the same namespace, this rule uses the pod selector labels from the other deployment.
    • For deployments in different namespaces, this rule uses a namespace selector. To make this possible, StackRox automatically adds a label, namespace.metadata.stackrox.io/name, to each namespace.

    In rare cases, if a standalone pod doesn’t have any labels, the generated policy allows traffic from or to the pod’s entire namespace.
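To make the strategy above concrete, the following added example models it in code over a small constructed inventory and prints the resulting manifests. It is not StackRox's generator; it is a reimplementation of the documented rules so you can see what the output looks like for same-namespace peers, cross-namespace peers, an externally exposed deployment, and an unlabelled standalone pod. The deployment names, namespaces, services and flows are invented. Three details the page does not spell out are assumptions, also marked in the code: the any-IP rule is written as an ipBlock of 0.0.0.0/0, a cross-namespace peer combines the namespace selector with the source's pod selector, and the generated policies restrict ingress only.

```python
"""Model of the documented policy-generation strategy (added example, not StackRox code)."""
import json

GENERATED_LABEL = "network-policy-generator.stackrox.io/generated"
NAMESPACE_LABEL = "namespace.metadata.stackrox.io/name"
EXPOSED_SERVICE_TYPES = {"NodePort", "LoadBalancer"}

# Constructed inventory: workload name -> (namespace, pod selector labels).
# "cron" stands in for the rare standalone pod that has no labels at all.
WORKLOADS = {
    "web": ("frontend", {"app": "web"}),
    "api": ("backend", {"app": "api"}),
    "db": ("backend", {"app": "db"}),
    "cron": ("backend", {}),
}
# Constructed service exposure: deployment -> Service type.
SERVICES = {"web": "LoadBalancer", "api": "ClusterIP", "db": "ClusterIP"}
# Constructed flows observed in the selected window:
# (source, destination, port, protocol); "EXTERNAL" means outside the cluster.
FLOWS = [
    ("EXTERNAL", "web", 8080, "TCP"),
    ("web", "api", 9000, "TCP"),
    ("api", "db", 5432, "TCP"),
    ("cron", "db", 5432, "TCP"),
]


def peer_for(src, dst_ns, workloads):
    """Build the 'from' peer describing one source workload."""
    src_ns, src_sel = workloads[src]
    if not src_sel:
        # Unlabelled standalone pod: the rule widens to its whole namespace.
        if src_ns == dst_ns:
            return {"podSelector": {}}
        return {"namespaceSelector": {"matchLabels": {NAMESPACE_LABEL: src_ns}}}
    peer = {"podSelector": {"matchLabels": dict(src_sel)}}
    if src_ns != dst_ns:
        # Assumption: cross-namespace peers pair the namespace selector with the
        # source pod selector instead of admitting the entire namespace.
        peer["namespaceSelector"] = {"matchLabels": {NAMESPACE_LABEL: src_ns}}
    return peer


def generate_policy(name, workloads, flows, services, include_ports=True):
    ns, selector = workloads[name]
    by_source = {}          # source workload -> {(port, protocol)}
    external_ports = set()
    external = services.get(name) in EXPOSED_SERVICE_TYPES
    for src, dst, port, proto in flows:
        if dst != name:
            continue
        if src == "EXTERNAL":
            external = True
            external_ports.add((port, proto))
        else:
            by_source.setdefault(src, set()).add((port, proto))

    rules = []
    for src in sorted(by_source):
        rule = {"from": [peer_for(src, ns, workloads)]}
        if include_ports:   # dropped when "Exclude ports & protocols" is selected
            rule["ports"] = [{"port": p, "protocol": pr} for p, pr in sorted(by_source[src])]
        rules.append(rule)
    if external:
        # Assumption: "any IP address" is expressed as an ipBlock of 0.0.0.0/0.
        rule = {"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}
        if include_ports and external_ports:
            rule["ports"] = [{"port": p, "protocol": pr} for p, pr in sorted(external_ports)]
        rules.append(rule)

    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"stackrox-generated-{name}", "namespace": ns,
                     "labels": {GENERATED_LABEL: "true"}},
        # Assumption: generated policies restrict ingress only; the strategy
        # above describes no egress rules.
        "spec": {"podSelector": {"matchLabels": dict(selector)},
                 "policyTypes": ["Ingress"], "ingress": rules},
    }


def generate_all(workloads, flows, services, already_covered=(), include_ports=True):
    """One policy per labelled deployment; deployments that already have a policy are skipped."""
    return {name: generate_policy(name, workloads, flows, services, include_ports)
            for name, (_, sel) in workloads.items()
            if sel and name not in already_covered}


if __name__ == "__main__":
    # JSON is valid YAML, so this output can be fed straight to kubectl create -f.
    for policy in generate_all(WORKLOADS, FLOWS, SERVICES).values():
        print(json.dumps(policy, indent=2))
```

Note what the output shows: db gets two rules, one narrowed to the api pods and one that admits the whole backend namespace because the cron pod has no labels; web gets only the any-IP rule, so its port scoping is the only thing standing between it and the internet.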


© 2021 StackRox Inc. All rights reserved.