Produces a set of network policies, given a json describing the connectivity in a given cluster

np-guard/netpol-synthesizer

Latest commit

7a30aa7 · Feb 17, 2025


Warning

This repo is no longer being maintained.

netpol-synthesizer

This application takes a JSON file, describing the connectivity in a given Kubernetes cluster, and produces a set of policies (Kubernetes NetworkPolicies or Istio AuthorizationPolicies) that allow only the specified connectivity and nothing more.

Requirements:

  • Python 3.8 or above

Installation:

git clone --recurse-submodules https://github.com/np-guard/netpol-synthesizer.git
cd netpol-synthesizer
python3 -m venv venv
source venv/bin/activate.csh  # the exact script may depend on the shell you are using
pip install -r requirements.txt

Usage:

python src/netpol_synth.py [-o <output_file>] [-b baseline_rules_file] [--policy_type=<policy_type_str>] <connectivity_file>
  • connectivity_file is the path to a JSON file describing connectivity. This should be the output of running the Network Topology Analyzer.
  • output_file (optional) is the path to the output file where the resulting policy resources will be written (in YAML format). If omitted, output is sent to stdout.
  • baseline_rules_file (optional) is a YAML file containing a list of baseline rules. See the examples under baseline-rules/examples.
  • policy_type_str is one of the values: ['k8s', 'istio'], default: k8s

For example:

 python src/netpol_synth.py -o test.yaml -b baseline-rules/examples/allow_load_generation.yaml tests/connectivity_jsons/microservices-demo.json
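
The idea of turning observed connectivity into policies that "allow only the specified connectivity and nothing more" can be illustrated with a short sketch. This is an added example, not code from netpol-synthesizer: the input shape (`src`/`dst`/`port`/`protocol`), the `synthesize` function and the `app` label convention are assumptions made for illustration, and the sketch covers ingress rules for Kubernetes NetworkPolicies only.

```python
import json
from collections import defaultdict

# Constructed sample input. This simplified list is an assumed shape for
# illustration, NOT the Network Topology Analyzer's actual JSON schema.
CONNECTIVITY = [
    {"src": "frontend", "dst": "cartservice", "port": 7070, "protocol": "TCP"},
    {"src": "frontend", "dst": "checkoutservice", "port": 5050, "protocol": "TCP"},
    {"src": "checkoutservice", "dst": "cartservice", "port": 7070, "protocol": "TCP"},
    {"src": "cartservice", "dst": "redis-cart", "port": 6379, "protocol": "TCP"},
]

def synthesize(connections, namespace="default", label_key="app"):
    """Return a default-deny policy plus one ingress allow-list policy per target.

    Assumes every workload's pods carry the label <label_key>=<workload name>.
    """
    allowed = defaultdict(lambda: defaultdict(set))  # dst -> (protocol, port) -> {src}
    for c in connections:
        allowed[c["dst"]][(c["protocol"], c["port"])].add(c["src"])

    policies = [{
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "default-deny-ingress", "namespace": namespace},
        # Empty podSelector selects every pod in the namespace; with no
        # ingress rules listed, no inbound traffic is allowed by this policy.
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"]},
    }]
    for dst in sorted(allowed):
        # One rule per (protocol, port), listing only the sources seen for it.
        rules = [{
            "from": [{"podSelector": {"matchLabels": {label_key: s}}}
                     for s in sorted(srcs)],
            "ports": [{"protocol": proto, "port": port}],
        } for (proto, port), srcs in sorted(allowed[dst].items())]
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {"name": f"allow-ingress-{dst}", "namespace": namespace},
            "spec": {"podSelector": {"matchLabels": {label_key: dst}},
                     "policyTypes": ["Ingress"], "ingress": rules},
        })
    return policies

if __name__ == "__main__":
    print(json.dumps(synthesize(CONNECTIVITY), indent=2))
```

Because NetworkPolicies are additive, the default-deny policy closes everything and each per-workload policy reopens only the observed flows; a workload that never appears as a target (here `frontend`) gets no allow policy and stays closed to in-cluster ingress.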