View network policies

View all Kubernetes network policies for your environment.


Network policies specify how groups of pods are allowed to communicate with each other and with other network endpoints. Kubernetes NetworkPolicy resources use label selectors to choose the pods they apply to and define rules that specify what traffic is allowed to (ingress) or from (egress) the selected pods. Policies are additive and select pods only within their own namespace; a pod that no policy selects accepts and sends all traffic, so restriction only begins once at least one policy selects the pod.

The StackRox Kubernetes Security Platform discovers and displays network policy information for all your Kubernetes clusters, namespaces, deployments, and pods, in the Network Graph view.

Your cluster must use a Container Network Interface (CNI) provider that supports network policies. If it does not, the API server still accepts NetworkPolicy objects but nothing enforces them, so creating policies has no effect on real traffic even though the objects exist in the cluster.

In the network graph, each circle represents a deployment, each surrounding box represents a Kubernetes namespace, and each thick line represents a connection between namespaces. You can move your mouse over these items to view more details.

To understand the meaning of other symbols in the network graph, move your mouse over the symbols in the legend (lower left) to view a tooltip describing each one.

When you move your mouse over:

  • a connection, you see information about the network flow, which includes active connections, port numbers and protocols in use.
  • a deployment, you see information about ingress and egress connections, protocols, port numbers in use, and the direction of the network traffic between deployments.

You need the StackRox Kubernetes Security Platform version 3.0.47 or newer to see information about ingress and egress connections, protocols, port numbers, and the direction of the network traffic.

To view deployments in a namespace:

  1. On the Network Graph view, select a namespace to open the namespace details panel. The details panel lists all deployments in the selected namespace. You can then move your mouse over a deployment in the details panel and select the Navigate to deployment (arrow) icon that appears on the right to view deployment details.

To view details about a specific deployment:

  1. Select a deployment in the Network Graph view.

  2. The deployment details panel includes the Network Flows, Details, and Network Policies tabs. You can select each tab to view related information.

    • The Network Flows tab shows information about ingress and egress connections, protocols, and port numbers in use for that deployment.
    • The Details tab shows information about how the service is deployed, including orchestrator labels and annotations.
    • The Network Policies tab shows information about every network policy that applies to the deployment.

Figure: Example Policy

Allowed network connections

The StackRox Kubernetes Security Platform processes all network policies in each secured cluster to show you which deployments can contact each other, and which can reach external networks.

The network graph shows possible network connections as dashed lines.
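The following is an added example, not StackRox code, showing how the "allowed connections" view can be derived from NetworkPolicy objects as described above and in the introduction: it applies the documented Kubernetes semantics (label selectors, policies scoped to their own namespace, default allow for pods that no policy selects, and traffic permitted only when the source's egress and the destination's ingress both allow it) over a constructed sample cluster. The namespaces, deployments and policies are assumptions made for the example; only matchLabels selectors and numeric ports are modelled, and ipBlock peers are treated as matching no pod.

```python
from itertools import product

# Constructed sample cluster (not from the original page): namespace labels,
# deployments with their pod labels, and three NetworkPolicy objects written
# in the same shape as the Kubernetes API, trimmed to the fields used here.
NAMESPACE_LABELS = {
    "prod": {"env": "prod"},
    "monitoring": {"env": "prod", "team": "sre"},
}
DEPLOYMENTS = [
    {"name": "frontend", "namespace": "prod", "labels": {"app": "frontend"}},
    {"name": "backend", "namespace": "prod", "labels": {"app": "backend"}},
    {"name": "db", "namespace": "prod", "labels": {"app": "db"}},
    {"name": "prometheus", "namespace": "monitoring", "labels": {"app": "prometheus"}},
]
POLICIES = [
    # Default-deny ingress for the whole namespace: an empty podSelector selects every pod.
    {"metadata": {"name": "default-deny-ingress", "namespace": "prod"},
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # Only backend may reach db, and only on TCP/5432.
    {"metadata": {"name": "db-allow-backend", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}],
                           "ports": [{"protocol": "TCP", "port": 5432}]}]}},
    # backend accepts frontend on any port, plus anything from namespaces labelled team=sre.
    {"metadata": {"name": "backend-allow", "namespace": "prod"},
     "spec": {"podSelector": {"matchLabels": {"app": "backend"}},
              "policyTypes": ["Ingress"],
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}},
                                    {"namespaceSelector": {"matchLabels": {"team": "sre"}}}]}]}},
]


def selector_matches(selector, labels):
    """matchLabels-only selector; {} or None matches everything (matchExpressions not modelled)."""
    want = (selector or {}).get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def policy_types(spec):
    """Kubernetes default: Ingress is always implied; Egress only if an egress section exists."""
    return spec.get("policyTypes") or ["Ingress"] + (["Egress"] if "egress" in spec else [])


def peer_matches(peer, policy_ns, other):
    """Does one 'from'/'to' entry match pod 'other'? A bare podSelector is scoped to the
    policy's own namespace; ipBlock peers never match a pod."""
    if "ipBlock" in peer:
        return False
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], NAMESPACE_LABELS.get(other["namespace"], {})):
            return False
    elif other["namespace"] != policy_ns:
        return False
    return selector_matches(peer["podSelector"], other["labels"]) if "podSelector" in peer else True


def rule_allows(rule, policy_ns, other, port, proto):
    """A rule with no peers matches every peer; a rule with no ports matches every port."""
    peers = rule.get("from", rule.get("to"))
    if peers and not any(peer_matches(p, policy_ns, other) for p in peers):
        return False
    ports = rule.get("ports")
    return not ports or any(p.get("protocol", "TCP") == proto and p.get("port") in (None, port)
                            for p in ports)


def direction_allows(pod, direction, other, port, proto):
    """direction is 'Ingress' (other -> pod) or 'Egress' (pod -> other). A pod selected by
    no policy of that type is allowed all traffic in that direction (Kubernetes default)."""
    selecting = [p for p in POLICIES
                 if p["metadata"]["namespace"] == pod["namespace"]
                 and direction in policy_types(p["spec"])
                 and selector_matches(p["spec"].get("podSelector"), pod["labels"])]
    if not selecting:
        return True
    return any(rule_allows(r, p["metadata"]["namespace"], other, port, proto)
               for p in selecting for r in p["spec"].get(direction.lower(), []))


def connection_allowed(src, dst, port, proto="TCP"):
    """Traffic flows only if the source's egress and the destination's ingress both permit it."""
    return (direction_allows(src, "Egress", dst, port, proto)
            and direction_allows(dst, "Ingress", src, port, proto))


def allowed_connections(port, proto="TCP"):
    """All ordered (src, dst) deployment pairs permitted on port/proto: the possible
    connections that the graph draws as dashed lines."""
    by_name = {d["name"]: d for d in DEPLOYMENTS}
    return sorted((s, d) for s, d in product(by_name, repeat=2)
                  if s != d and connection_allowed(by_name[s], by_name[d], port, proto))


if __name__ == "__main__":
    for src, dst in allowed_connections(5432):
        print(f"{src} -> {dst} TCP/5432 allowed")
```

Two things the sample makes visible that are easy to miss in the UI: the monitoring namespace has no policies at all, so every deployment can reach prometheus and it is not the default-deny that protects it; and the db policy permits backend only on TCP/5432, so the same pair shows as allowed for that port and denied for any other.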

Figure: Allowed Network Connections graph

Actual network flows

The StackRox Kubernetes Security Platform monitors running deployments and tracks traffic between them.

The network graph shows observed network flows as solid lines.

Figure: Active Network Connections graph

Network baseline

The StackRox Kubernetes Security Platform discovers existing network flows and creates a baseline. See Use network baselining for more details.

To view the network baseline for a deployment, select that deployment in the Network Graph view. The Network Flows details panel shows both anomalous and baseline flows. From this panel, you can:

  • mark network flows from the baseline as anomalous by selecting Mark as Anomalous, or
  • add network flows to baseline from the anomalous flows by selecting Add to Baseline.

To use the Network baseline feature, you must use the StackRox Kubernetes Security Platform version 3.0.54 or newer.
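The following added example (not StackRox's implementation) models the baseline workflow described above: every observed flow is recorded in both endpoints' panels, as egress at the source and ingress at the destination; flows seen during discovery form the baseline, later flows outside it are listed as anomalous, and the two panel actions move entries between the lists. The flow records and the "learn everything seen during discovery" rule are assumptions for the example.

```python
from collections import defaultdict


class NetworkBaseline:
    """Per-deployment baseline of observed flows. Each flow is recorded twice: as an
    egress entry in the source's panel and an ingress entry in the destination's panel.
    Entry shape: (peer, port, protocol, direction). Added example, not StackRox's code."""

    def __init__(self):
        self._baseline = defaultdict(set)
        self._anomalous = defaultdict(set)

    @staticmethod
    def _entries(flow):
        src, dst, port, proto = flow
        return ((src, (dst, port, proto, "egress")), (dst, (src, port, proto, "ingress")))

    def learn(self, flows):
        """Discovery phase (assumed rule): every flow seen while learning joins the baseline."""
        for flow in flows:
            for deployment, entry in self._entries(flow):
                self._baseline[deployment].add(entry)

    def observe(self, flow):
        """After discovery: a flow that is not in the baseline is surfaced as anomalous."""
        for deployment, entry in self._entries(flow):
            if entry not in self._baseline[deployment]:
                self._anomalous[deployment].add(entry)

    def mark_anomalous(self, deployment, entry):
        """'Mark as Anomalous' in the panel: move a baseline flow to the anomalous list."""
        self._baseline[deployment].discard(entry)
        self._anomalous[deployment].add(entry)

    def add_to_baseline(self, deployment, entry):
        """'Add to Baseline' in the panel: accept an anomalous flow as expected traffic."""
        self._anomalous[deployment].discard(entry)
        self._baseline[deployment].add(entry)

    def panel(self, deployment):
        """What the Network Flows tab would list for one deployment."""
        return {"baseline": sorted(self._baseline[deployment]),
                "anomalous": sorted(self._anomalous[deployment])}


# Constructed sample flows (src, dst, port, protocol), not from the original page.
DISCOVERED = [("frontend", "backend", 8080, "TCP"), ("backend", "db", 5432, "TCP")]
LATER = [("backend", "db", 5432, "TCP"), ("frontend", "db", 5432, "TCP")]


def run_demo():
    """Learn the discovered flows, then replay later traffic against the baseline."""
    nb = NetworkBaseline()
    nb.learn(DISCOVERED)
    for flow in LATER:
        nb.observe(flow)
    return nb


if __name__ == "__main__":
    demo = run_demo()
    for name in ("frontend", "backend", "db"):
        print(name, demo.panel(name))
```

Because the same flow appears in two panels, the frontend-to-db flow in the sample shows up as anomalous egress on frontend and anomalous ingress on db; accepting it on one side's panel does not change the other side's listing in this model.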

External entities and connections

The Network Graph view shows information about network connections between managed clusters and external sources. The StackRox Kubernetes Security Platform also automatically discovers and highlights public CIDR (Classless Inter-Domain Routing) address blocks belonging to providers such as Google Cloud, AWS, Azure, Oracle Cloud, and Cloudflare. Using this information, you can identify deployments with active external connections and check whether they are making or receiving unauthorized connections from outside of your network.

You need the StackRox Kubernetes Security Platform version 3.0.52 or newer to see information about active external connections.

By default, the Network Graph view draws external connections to a common External Entities box and to the individual auto-discovered CIDR address blocks. You can choose not to show the auto-discovered CIDR blocks.

The StackRox Kubernetes Security Platform includes IP ranges for the following cloud providers:

  • Google Cloud
  • AWS
  • Azure
  • Oracle Cloud
  • Cloudflare

The StackRox Kubernetes Security Platform fetches and updates the cloud providers’ IP ranges every 7 days. If you are using Offline mode, you can update these ranges by installing new support packages.

Configure CIDR blocks

To show or hide auto-discovered CIDR blocks, or to specify custom CIDR blocks, in the Network Graph view:

  1. Select Configure CIDR Blocks.

  2. Turn the Display auto-discovered CIDR blocks in Network Graph toggle off to hide auto-discovered CIDR blocks.

When you hide auto-discovered CIDR blocks, they are hidden for all clusters, not only for the cluster selected on the top bar of the Network Graph view.

  3. You can also add custom CIDR blocks by entering a CIDR Block Name and a CIDR Address. To add more than one, select the Add icon.

  4. Select Update Configuration to save the changes.
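The following added example (not StackRox code) shows what the CIDR block configuration above does to observed external connections: each remote address is matched against the cluster's own ranges, the custom blocks, and (when the toggle is on) the auto-discovered provider blocks, and anything left over lands in External Entities. The provider ranges are RFC 5737 documentation prefixes standing in for the real lists, the cluster and custom CIDRs and the sample flows are constructed, and the longest-prefix tie-break for overlapping blocks is an assumption of this example rather than documented StackRox behaviour.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not the real provider lists, which StackRox refreshes every
# 7 days). The provider ranges below are RFC 5737 documentation prefixes standing in
# for auto-discovered blocks; the cluster ranges are typical pod/service CIDRs.
AUTO_DISCOVERED = {
    "Google Cloud": ["192.0.2.0/24"],
    "AWS": ["198.51.100.0/25"],
    "Cloudflare": ["198.51.100.128/25"],
}
CUSTOM_BLOCKS = {  # what a user would enter under Configure CIDR Blocks
    "Partner VPN": ["203.0.113.0/26"],
    "Our GKE egress IPs": ["192.0.2.0/28"],  # deliberately nested inside the Google Cloud block
}
CLUSTER_CIDRS = [ipaddress.ip_network(c) for c in ("10.244.0.0/16", "10.96.0.0/12")]


def build_blocks(show_auto_discovered=True, custom=CUSTOM_BLOCKS):
    """Flatten the configured blocks into (name, network) pairs, longest prefix first so a
    custom block nested inside a provider range wins (assumed tie-break, not StackRox's)."""
    sources = list(custom.items())
    if show_auto_discovered:
        sources += AUTO_DISCOVERED.items()
    blocks = []
    for name, cidrs in sources:
        blocks += [(name, ipaddress.ip_network(c)) for c in cidrs]
    return sorted(blocks, key=lambda b: b[1].prefixlen, reverse=True)


def classify_external(ip, blocks):
    """Return the entity an external address belongs to, 'External Entities' for an address
    in no known block, or None when the address is inside the cluster's own ranges."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in CLUSTER_CIDRS):
        return None
    for name, net in blocks:
        if addr in net:
            return name
    return "External Entities"


def external_connections(flows, blocks):
    """Group observed (deployment, remote_ip, port, protocol) flows by external entity, the
    way the graph hangs them off the External Entities and CIDR-block boxes."""
    grouped = defaultdict(set)
    for deployment, remote_ip, port, proto in flows:
        entity = classify_external(remote_ip, blocks)
        if entity is not None:
            grouped[entity].add((deployment, port, proto))
    return {entity: sorted(conns) for entity, conns in grouped.items()}


# Constructed sample flows observed from the cluster.
FLOWS = [
    ("frontend", "192.0.2.10", 443, "TCP"),      # inside both Google Cloud and the nested custom block
    ("backend", "198.51.100.200", 443, "TCP"),   # Cloudflare half of 198.51.100.0/24
    ("backend", "203.0.113.7", 22, "TCP"),       # Partner VPN
    ("scanner", "203.0.113.99", 443, "TCP"),     # outside every configured block
    ("frontend", "10.244.3.4", 8080, "TCP"),     # pod-to-pod, not external
]

if __name__ == "__main__":
    for entity, conns in external_connections(FLOWS, build_blocks()).items():
        print(entity, conns)
```

Turning the auto-discovered toggle off does not remove the connections; it only collapses the Cloudflare flow in the sample into External Entities, while the custom blocks keep their own entries. This is why a custom block for your own egress addresses is worth configuring: an address that is merely "somewhere in Google Cloud" is a far weaker signal than one you have named.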


© 2021 StackRox Inc. All rights reserved.