Network

Sysdig Network Security tracks ingress and egress communication from every pod. The Network Security Policy tool allows you to generate Kubernetes Network Policies based on the traffic allowed or denied as defined in the Ingress and Egress tabs. The UI also allows you to view which policies are being applied in real time.

Prerequisites

Sysdig agent: 10.7.0+

If necessary, install or upgrade your agents.

Note: If you are upgrading and not using Helm, you will need to update the clusterrole.yaml manually.

Supported CNI Plugins:

  • Calico
  • Weave
  • Cillium
  • OVS

Coverage Limits

  • Communications to/from k8s nodes are not recorded
  • Workloads with no recorded communications are not present in workloads list

Understanding the Network Security Policy Tool

By default, all pods within a Kubernetes cluster can communicate with each other without any restrictions. Kubernetes Network Policies help you isolate the microservice applications from each other, to limit the blast radius and improve the overall security posture.

With the Network Security Policy tool, you can generate and fine-tune Kubernetes network policies within Sysdig Secure. Use it to generate a “least-privilege” policy to protect your workloads, or view existing network policies that have been applied to you workloads. Sysdig leverages native kubernetes features and doesn’t require any additionl networking requirements other than the CNIs already supported.

Benefits

Key features include:

  • Out-of-the-box visibility into network traffic between applications and services, with a visual topology map to help identify communications.
  • A baseline network policy that you can directly refine and modify to match your desired declarative state.
  • Automated KNP generation based on the network communication baseline + user-defined adjustments.
  • Least-privilege: KNPs follow an allow-only model, any communication that is not explicitly allowed will be forbidden
  • Enforcement delegated to the Kubernetes control plane, avoiding additional instrumentation or directly tampering with the host’s network configuration
  • Map workloads to network policies applied to your cluster, helping operators and developers understand why a pods communicaiton may or may not be blocked
  • The ability to view the network policies applied to a cluster for a particular workload or workloads, with drill-down details to the raw yaml

Access the Tool

  1. Ensure your environment meets the Prerequisites.

  2. Log in to Sysdig Secure and select Network. You will be prompted to select a cluster and namespace, then taken to the Network Security Policies page.

Next Steps

You can now generate policies, review and tune them, and finesse configurations or troubleshoot.



Last modified June 23, 2022