np-guard/netpol-analyzer

netpol-analyzer

About netpol-analyzer

This repo contains a Golang library and CLI for analyzing k8s connectivity-configuration resources (a.k.a. network policies).

CLI usage

Evaluate command

```
Evaluate if a specific connection allowed

Usage:
  netpol-analyzer evaluate [flags]

Aliases:
  evaluate, eval, check, allow

Examples:
  # Evaluate if a specific connection is allowed on given resources from dir path
  netpol-analyzer eval --dirpath ./resources_dir/ -s pod-1 -d pod-2 -p 80

  # Evaluate if a specific connection is allowed on a live k8s cluster
  netpol-analyzer eval -k ./kube/config -s pod-1 -d pod-2 -p 80

Flags:
      --destination-ip string          Destination (external) IP address
      --destination-namespace string   Destination pod namespace (default "default")
  -d, --destination-pod string         Destination pod name
  -p, --destination-port string        Destination port (name or number)
  -h, --help                           help for evaluate
      --protocol string                Protocol in use (tcp, udp, sctp) (default "tcp")
      --source-ip string               Source (external) IP address
  -n, --source-namespace string        Source pod namespace (default "default")
  -s, --source-pod string              Source pod name, required

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log
```

List command

```
Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources defined.
Connections between workload to itself are excluded from the output.

Usage:
  netpol-analyzer list [flags]

Examples:
  # Get list of allowed connections from resources dir path
  netpol-analyzer list --dirpath ./resources_dir/

  # Get list of allowed connections from live k8s cluster
  netpol-analyzer list -k ./kube/config

Flags:
      --explain                     Enhance the analysis of permitted connectivity with explainability information
      --exposure                    Enhance the analysis of permitted connectivity with exposure analysis
  -f, --file string                 Write output to specified file
      --focusworkload string        Focus connections of specified workload(s) in the output, supports comma-separated names (workload name format: <workload-name> or <workload-namespace/workload-name>)
      --focusworkload-peer string   Focus connections of specified workload(s) with this peer(s), applies only when focusworkload is used; supports comma-separated names (focusworkload-peer name format is same as focusworkload)
      --focus-direction string      Focus connections of specified workload(s) on one direction, applies only when focusworkload is used; must be one of ingress,egress
      --explain-only string         Filter explain output to show only allowed or denied connections, applies only when explain is used; must be one of allow,deny
      --focus-conn string           Filter output to show results for a specific connection (connection format <protocolName-portNumber>)
  -h, --help                        help for list
  -o, --output string               Required output format; must be one of txt,json,dot,svg,csv,md (default "txt")

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               runs quietly, reports only severe errors and results
  -v, --verbose             runs with more informative messages printed to log
```
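The `list` report is most useful when it is compared against the connectivity you intended to allow. The script below is an added example, not code from the netpol-analyzer project: it parses the txt output of `netpol-analyzer list` (one `<src> => <dst> : <conns>` line per allowed connection, in the format shown under "Example outputs" on this page), flags workloads reachable from or able to reach an external IP range, and reports workload-to-workload edges missing from an intended service graph. `SAMPLE_REPORT` is the page's own `list` output for `tests/onlineboutique_workloads`; the `EXPECTED` graph and the allow-lists are constructed assumptions for the example.

```python
"""Triage a netpol-analyzer `list` report for unexpected reachability.

Added example; not code from the netpol-analyzer project. SAMPLE_REPORT is
the README's own `list` output; EXPECTED and the allow-lists are constructed
assumptions about what the onlineboutique sample is meant to allow.
"""
import re
from dataclasses import dataclass

# Peers are "<namespace>/<name>[<Kind>]" or, for traffic outside the cluster, an IP range.
LINE_RE = re.compile(r"^(?P<src>\S+) => (?P<dst>\S+) : (?P<conns>.+)$")
IP_RANGE_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}-\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Edge:
    src: str
    dst: str
    conns: str  # kept as printed, e.g. "TCP 7070" or "All Connections"


def parse_list_output(text):
    """Parse `list` txt output into Edges; fail loudly on an unrecognised line."""
    edges = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised list output line: {line!r}")
        edges.append(Edge(m["src"], m["dst"], m["conns"]))
    return edges

def is_external(peer):
    """True for a peer the tool prints as an IP range rather than a workload."""
    return IP_RANGE_RE.match(peer) is not None

def externally_reachable(edges, allowed=frozenset()):
    """Workloads reachable from an external IP range and not on the allow-list."""
    return sorted({e.dst for e in edges if is_external(e.src) and e.dst not in allowed})

def external_egress(edges, allowed=frozenset()):
    """Workloads allowed to reach an external IP range and not on the allow-list."""
    return sorted({e.src for e in edges if is_external(e.dst) and e.src not in allowed})

def unexpected_edges(edges, expected):
    """Workload-to-workload edges whose (src, dst) pair is not in the expected graph."""
    return sorted((e.src, e.dst, e.conns) for e in edges
                  if not is_external(e.src) and not is_external(e.dst)
                  and (e.src, e.dst) not in expected)


# The `netpol-analyzer list --dirpath tests/onlineboutique_workloads` output from this README.
SAMPLE_REPORT = """\
0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
"""

def w(name):
    return f"default/{name}[Deployment]"

# Constructed assumption: the intended service graph. loadgenerator is a load-test
# tool and is deliberately left out so that its edge is reported as unexpected.
EXPECTED = {(w(s), w(d)) for s, d in [
    ("checkoutservice", "cartservice"), ("checkoutservice", "currencyservice"),
    ("checkoutservice", "emailservice"), ("checkoutservice", "paymentservice"),
    ("checkoutservice", "productcatalogservice"), ("checkoutservice", "shippingservice"),
    ("frontend", "adservice"), ("frontend", "cartservice"), ("frontend", "checkoutservice"),
    ("frontend", "currencyservice"), ("frontend", "productcatalogservice"),
    ("frontend", "recommendationservice"), ("frontend", "shippingservice"),
    ("recommendationservice", "productcatalogservice"),
]}

if __name__ == "__main__":
    edges = parse_list_output(SAMPLE_REPORT)
    # Constructed assumption: only the frontend may be exposed and nothing may egress.
    print("externally reachable:", externally_reachable(edges, {w("frontend")}))
    print("external egress:", external_egress(edges))
    print("unexpected edges:", unexpected_edges(edges, EXPECTED))
```

On the sample report the two external findings are both `default/redis-cart[Deployment]`, which the `0.0.0.0-255.255.255.255` lines show is reachable from, and may connect to, any address; the only unexpected workload edge is `loadgenerator => frontend`. Feeding the output of `netpol-analyzer list --dirpath <manifests>` through `parse_list_output` in CI turns the report into a check that fails when a manifest change widens connectivity beyond the intended graph.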

Diff command

```
Reports all differences in allowed connections between two different directories of YAML manifests.

Usage:
  netpol-analyzer diff [flags]

Examples:
  # Get list of different allowed connections between two resources dir paths
  netpol-analyzer diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/

Flags:
      --dir1 string     First resources dir path
      --dir2 string     Second resources dir path to be compared with the first dir path
  -f, --file string     Write output to specified file
  -o, --output string   Required output format; must be one of txt,csv,md,dot,svg (default "txt")
  -h, --help            help for diff

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log
```

Example outputs:

```
$ netpol-analyzer eval --dirpath tests/onlineboutique -s adservice-77d5cd745d-t8mx4 -d emailservice-54c7c5d9d-vp27n -p 80
default/adservice-77d5cd745d-t8mx4 => default/emailservice-54c7c5d9d-vp27n over tcp/80: false

$ netpol-analyzer list --dirpath tests/onlineboutique_workloads
0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections

$ ./bin/netpol-analyzer diff --dir1 tests/onlineboutique_workloads --dir2 tests/onlineboutique_workloads_changed_netpols
Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed
```
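When `diff` is run between the manifests on the main branch and those in a pull request, the entries that matter for review are the ones that open connectivity that was previously denied; entries that only remove or narrow connections are lower risk. The script below is an added example, not code from the netpol-analyzer project: it parses the txt `diff` report shown above (`source: ..., destination: ..., dir1: ..., dir2: ..., diff-type: ...` lines) and splits the entries into those that widen connectivity in `dir2` and those that do not, so a CI job can require explicit approval for the former. `SAMPLE_DIFF` is the page's own diff output; the grammar assumed for connection sets is taken from the values visible there (`TCP 7070`, `TCP 8080,9555`, `All Connections`, `No Connections`), with `a-b` port ranges handled as an additional assumption.

```python
"""Separate connectivity-widening entries in a netpol-analyzer `diff` report.

Added example; not code from the netpol-analyzer project. SAMPLE_DIFF is the
README's own diff output. The connection-set grammar below ("<PROTO> <port>[,<port>...]",
"All Connections", "No Connections", plus "a-b" port ranges) is an assumption.
"""
import re
from dataclasses import dataclass

DIFF_RE = re.compile(
    r"^source: (?P<src>.+?), destination: (?P<dst>.+?), "
    r"dir1: (?P<dir1>.+?), dir2: (?P<dir2>.+?), diff-type: (?P<kind>added|removed|changed)$"
)
CONN_GROUP_RE = re.compile(r"([A-Z]+) ([\d,\-]+)")
ALL = "ALL"  # marker for "All Connections"


@dataclass(frozen=True)
class DiffEntry:
    src: str
    dst: str
    dir1: str
    dir2: str
    kind: str  # added | removed | changed, as printed by the tool


def parse_diff_output(text):
    """Parse `diff` txt output, skipping the 'Connectivity diff:' header."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "Connectivity diff:":
            continue
        m = DIFF_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised diff line: {line!r}")
        entries.append(DiffEntry(**m.groupdict()))
    return entries

def parse_conns(s):
    """'TCP 8080,9555' -> {('TCP', 8080), ('TCP', 9555)}; 'a-b' ranges are expanded."""
    if s == "All Connections":
        return ALL
    if s == "No Connections":
        return frozenset()
    ports = set()
    for proto, spec in CONN_GROUP_RE.findall(s):
        for part in spec.split(","):
            if not part:
                continue
            lo, _, hi = part.partition("-")
            ports.update((proto, p) for p in range(int(lo), int(hi or lo) + 1))
    if not ports:
        raise ValueError(f"unrecognised connection set: {s!r}")
    return frozenset(ports)

def widens(entry):
    """True if dir2 allows at least one connection that dir1 did not."""
    before, after = parse_conns(entry.dir1), parse_conns(entry.dir2)
    if before == ALL:
        return False
    if after == ALL:
        return True
    return not after <= before

def gate(entries):
    """Split entries into (widening, non-widening) lists for review."""
    widened = [e for e in entries if widens(e)]
    narrowed = [e for e in entries if not widens(e)]
    return widened, narrowed


# The `diff` output shown in this README for the onlineboutique sample directories.
SAMPLE_DIFF = """\
Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed
"""

if __name__ == "__main__":
    widened, narrowed = gate(parse_diff_output(SAMPLE_DIFF))
    for e in widened:
        print(f"REVIEW  {e.src} -> {e.dst}: {e.dir1} => {e.dir2} ({e.kind})")
    for e in narrowed:
        print(f"ok      {e.src} -> {e.dst}: {e.dir1} => {e.dir2} ({e.kind})")
```

Note that a `changed` entry is not automatically benign: `TCP 7070` becoming `TCP 8000` still opens a port that was closed before, which is why the gate compares the two connection sets rather than trusting the `diff-type` label alone. On the sample report the four `added`/`changed` entries are flagged for review and the four `removed` entries pass.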

Additional details about the connectivity analysis and its output are specified here.

Additional details about explainability analysis (the --explain flag of the list command) are specified here.

Additional details about exposure analysis (the --exposure flag of the list command) are specified here.

Additional details about the connectivity diff command and its output are specified here.

Build the project

Make sure you have Go (golang) 1.23+ installed on your platform.

```
git clone git@github.com:np-guard/netpol-analyzer.git
cd netpol-analyzer
make mod
make build
```

Test your build by running ./bin/netpol-analyzer -h.
