7.2. Using the network graph to generate and simulate network policies


7.2.1. About generating policies from the network graph

A Kubernetes network policy controls which pods receive incoming network traffic, and which pods can send outgoing traffic. By using network policies to enable and disable traffic to or from pods, you can limit your network attack surface.

These network policies are YAML configuration files. It is often difficult to gain insights into the network flow and manually create these files. You can use RHACS to generate these files. When you automatically generate network policies, RHACS follows these guidelines:

  • RHACS generates a single network policy for each deployment in the namespace. The pod selector for the policy is the pod selector of the deployment.

    • If a deployment already has a network policy, RHACS does not generate new policies or delete existing policies.
    • Generated policies only restrict traffic to existing deployments.
    • Deployments that you create later will not have any restrictions unless you create or generate new network policies for them.
    • If a new deployment needs to contact a deployment with a network policy, you might need to edit the network policy to allow access.
  • Each policy has the same name as the deployment name, prefixed with stackrox-generated-. For example, the policy name for the deployment depABC in the generated network policy is stackrox-generated-depABC. All generated policies also have an identifying label.
  • RHACS generates a single rule allowing traffic from any IP address if one of the following conditions is met:

    • The deployment has an incoming connection from outside the cluster within the selected time
    • The deployment is exposed through a node port or load balancer service
  • RHACS generates one ingress rule for every deployment from which there is an incoming connection.

    • For deployments in the same namespace, this rule uses the pod selector labels from the other deployment.
    • For deployments in different namespaces, this rule uses a namespace selector. To make this possible, RHACS automatically adds a label, namespace.metadata.stackrox.io/name, to each namespace.
Important

In rare cases, if a standalone pod does not have any labels, the generated policy allows traffic from or to the pod’s entire namespace.

7.2.2. Generating network policies in the network graph

RHACS lets you automatically generate network policies based on the actual observed network communication flows in your environment.

You can generate policies based on the cluster, namespaces, and deployments that you have selected in the network graph. Policies are generated for any deployments that are included in the current Network Graph scope. For example, the current scope could include the entire cluster, a cluster and namespaces, or individually selected deployments in the selected namespaces. You can also further reduce the scope by applying one of the filters from the Filter deployments field with any combination of the cluster, namespace, and deployment selections. For example, you could narrow the scope to deployments in a specific cluster and namespace that are affected by a specific CVE. Policies are generated from the traffic observed during the baseline discovery period.

  1. In the RHACS portal, go to Network Graph.
  2. Select a cluster, and then select one or more namespaces.
  3. Optional: Select individual deployments to restrict the policy generated to only those deployments. You can also use the Filter deployments feature to further narrow the scope.
  4. In the network graph header, select Network policy generator.
  5. Optional: In the information panel that opens, select Exclude ports & protocols to remove the port/protocol restrictions when generating network policies from a baseline.

    As an example, the nginx3 deployment makes a port 80 connection to nginx4, and this is included as part of the baseline for nginx4. If policies are generated and this checkbox is not selected (the default behavior), the generated policy will restrict the allowed connections from nginx3 to nginx4 to only port 80. If policies are generated with this option selected, the generated policy will allow any port in the connection from nginx3 to nginx4.

  6. Click Generate and simulate network policies. RHACS generates policies for the scope that you have chosen. This scope is displayed at the top of the Generate network policies panel.

    Note

    Clicking on the deployment information in the scope displays a list of the deployments that are included.

  7. Optional: Copy the generated network policy configuration YAML file to the clipboard or download it by clicking the download icon in the panel.
  8. Optional: To compare the generated network policies to the existing network policies, click Compare. The YAML files for existing and generated network policies are shown in a side-by-side view.

    Note

    Some items do not have generated policies, such as namespaces with existing ingress policies or deployments in certain protected namespaces such as stackrox or acs.

  9. Optional: Click the Actions menu to perform the following activities:

    • Share the YAML file with notifiers: Sends the YAML file to one of the system notifiers you have configured, for example, Slack, ServiceNow, or an application that uses generic webhooks. These notifiers are configured by navigating to Platform Configuration > Integrations. See the documentation in the "Additional resources" section for more information.
    • Rebuild rules from active traffic: Refreshes the generated policies that are displayed.
    • Revert rules to previously applied YAML: Removes the simulated policy and reverts to the last network policy.
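To make the generation guidelines in "About generating policies from the network graph" and the Exclude ports & protocols option in step 5 concrete, the following added example (not RHACS code) builds a NetworkPolicy object from a constructed set of observed ingress flows using those rules. The flow and deployment dictionary keys, the namespaces demo and web, and the frontend deployment are this example's own assumptions; the label names are the ones shown on this page.

```python
from typing import Dict, List

GENERATED_LABEL = "network-policy-generator.stackrox.io/generated"  # label shown on this page
NS_LABEL = "namespace.metadata.stackrox.io/name"                     # label RHACS adds to namespaces

def generate_policy(deployment: Dict, flows: List[Dict], exclude_ports: bool = False) -> Dict:
    """Build one ingress NetworkPolicy for `deployment` from its observed incoming `flows`
    (dictionary layout is this example's own, not an RHACS data structure)."""
    ingress = []
    # One allow-from-any-IP rule if an external connection was seen or the
    # deployment is exposed through a NodePort or LoadBalancer service.
    if deployment.get("exposed") or any(f.get("external") for f in flows):
        ingress.append({"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]})
    # Group the remaining flows by source deployment so each source gets one rule.
    sources = {}
    for f in flows:
        if f.get("external"):
            continue
        key = (f["src_namespace"], tuple(sorted(f["src_labels"].items())))
        sources.setdefault(key, set()).add((f["port"], f["protocol"]))
    for (src_ns, labels), ports in sources.items():
        if src_ns == deployment["namespace"]:
            # Same namespace: pod selector of the source. An unlabeled standalone pod
            # yields an empty selector, which admits the whole namespace (the rare case).
            peer = {"podSelector": {"matchLabels": dict(labels)}}
        else:
            # Different namespace: namespace selector on the label RHACS adds.
            peer = {"namespaceSelector": {"matchLabels": {NS_LABEL: src_ns}}}
        rule = {"from": [peer]}
        if not exclude_ports:  # "Exclude ports & protocols" drops this restriction
            rule["ports"] = [{"port": p, "protocol": proto} for p, proto in sorted(ports)]
        ingress.append(rule)
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"stackrox-generated-{deployment['name']}",
                     "namespace": deployment["namespace"],
                     "labels": {GENERATED_LABEL: "true"}},
        "spec": {"podSelector": {"matchLabels": deployment["selector"]},
                 "policyTypes": ["Ingress"], "ingress": ingress},
    }

# Constructed sample: nginx3 (same namespace) and a frontend in another namespace
# reach nginx4 on port 80, plus an unlabeled standalone pod on 8080.
NGINX4 = {"name": "nginx4", "namespace": "demo", "selector": {"app": "nginx4"}, "exposed": False}
FLOWS = [
    {"src_namespace": "demo", "src_labels": {"app": "nginx3"}, "port": 80, "protocol": "TCP"},
    {"src_namespace": "web", "src_labels": {"app": "frontend"}, "port": 80, "protocol": "TCP"},
    {"src_namespace": "demo", "src_labels": {}, "port": 8080, "protocol": "TCP"},
]
```

Calling generate_policy(NGINX4, FLOWS) yields a policy named stackrox-generated-nginx4 whose first rule admits only nginx3 on TCP/80; passing exclude_ports=True removes the port restriction, mirroring the checkbox.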

7.2.3. Saving generated policies in the network graph

You can download and save the generated network policies from RHACS. Use this option to download policies so that you can commit the policies into a version control system such as Git.

Procedure

  • After generating a network policy, click the Download YAML icon in the Network Policy Simulator panel.

7.2.4. Testing generated policies in the network graph

After you download the network policies that RHACS generates, you can test them by applying them to your cluster by using the CLI or your automated deployment procedures. You cannot apply generated network policies directly in the network graph.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  1. To create policies using the saved YAML file, run the following command:

    $ oc create -f "<generated_file>.yml"
  2. If the generated policies cause problems, you can remove them by running the following command:

    $ oc delete -f "<generated_file>.yml"
    Warning

    Directly applying network policies might cause problems for running applications. Always download and test the network policies in a development environment or test clusters before applying them to production workloads.

7.2.5. Reverting to a previously applied policy

You can remove a policy and revert to a previously applied policy.

Procedure

  1. In the RHACS portal, go to Network Graph.
  2. Select a cluster name from the menu on the top bar.
  3. Select one or more namespaces and deployments.
  4. Select Simulate network policy.
  5. Select View active YAMLS.
  6. From the Actions menu, select Revert rules to previously applied YAML.

    Warning

    Directly applying network policies might cause problems for running applications. Always download and test the network policies in a development environment or test clusters before applying them to production workloads.

7.2.6. Deleting all autogenerated policies

You can delete all automatically generated policies from your cluster that you have created by using RHACS.

Note

If you use Kubernetes, enter kubectl instead of oc.

Procedure

  • Run the following command:

    $ oc get ns -o jsonpath='{.items[*].metadata.name}' | \
    xargs -n 1 oc delete networkpolicies -l \
    'network-policy-generator.stackrox.io/generated=true' -n

7.2.7. Simulating network policies from the network graph

Your current network policies might allow unneeded network communications. You can use the network policy generator to create network policies that restrict ingress traffic to the computed baselines for a set of deployments.

Note

The Network Graph does not display the generated policies in the visualization. Generated policies are only for ingress traffic and policies that restrict egress traffic are not generated.

Procedure

  1. In the RHACS portal, go to Network Graph.
  2. Select a cluster, and then select one or more namespaces.
  3. On the network graph header, select Network policy generator.
  4. You can perform the following actions:

    • Generate a YAML file with network policies to use in the simulation by clicking Generate and simulate network policies. For more information, see "Generating network policies in the network graph".
    • Upload a YAML file of a network policy that you want to use in the simulation by performing the following steps:

      1. Click Upload YAML and then select the file.
      2. Click Open. The system displays a message to indicate the processing status of the uploaded policy.
  5. You can view active YAML files that correspond to the current network policies by clicking the View active YAMLS tab, and then selecting policies from the drop-down list. You can also perform the following actions:

    • Click the appropriate button to copy or download the displayed YAML file.
    • Use the Actions menu to rebuild rules from active traffic or revert rules to a previously applied YAML. For more information, see "Generating network policies in the network graph".