Table: kubernetes_network_policy - Query Kubernetes Network Policies using SQL
A Kubernetes Network Policy is a specification of how groups of pods are allowed to communicate with each other and other network endpoints. It provides a way to enforce rules on network traffic within a Kubernetes cluster, thereby enhancing the security of the cluster. Network Policies use labels to select pods and define rules which specify what traffic is allowed to the selected pods.
Table Usage Guide
The kubernetes_network_policy table provides insights into the network policies within a Kubernetes cluster. As a security analyst or a DevOps engineer, explore policy-specific details through this table, including pod selectors, policy types, and ingress and egress rules. Utilize it to uncover information about network traffic rules, such as those allowing or blocking specific types of traffic, thereby helping in assessing and enhancing the security posture of your Kubernetes clusters.
Examples
Basic Info
Explore which network policies are in place within your Kubernetes environment. This allows you to gain insights into the security settings and manage access controls more effectively.
select name, namespace, policy_types, ingress, egress, pod_selector, labels, annotationsfrom kubernetes_network_policy;select name, namespace, policy_types, ingress, egress, pod_selector, labels, annotationsfrom kubernetes_network_policy;List policies that allow all egress
Explore which network policies permit all outgoing traffic in a Kubernetes environment. This can be useful for identifying potential security risks and ensuring that your network configurations adhere to best practices.
select name, namespace, policy_types, pod_selector, egressfrom kubernetes_network_policywhere policy_types @> '["Egress"]' and pod_selector = '{}' and egress @> '[{}]';Error: The corresponding SQLite query is unavailable.List default deny egress policies
Analyze the settings to understand the network policies that default to denying egress. This is particularly useful for enhancing security by identifying policies that prevent outbound network traffic.
select name, namespace, policy_types, pod_selector, egressfrom kubernetes_network_policywhere policy_types @> '["Egress"]' and pod_selector = '{}' and egress is null;Error: The corresponding SQLite query is unavailable.List policies that allow all ingress
Analyze the settings to understand which policies permit all incoming traffic, useful for enhancing security by identifying potential vulnerabilities in your network.
select name, namespace, policy_types, pod_selector, ingressfrom kubernetes_network_policywhere policy_types @> '["Ingress"]' and pod_selector = '{}' and ingress @> '[{}]';Error: The corresponding SQLite query is unavailable.List default deny ingress policies
Discover the segments that have default deny ingress policies in place. This is useful in identifying potential security risks, as it highlights the policies that block all incoming traffic by default.
select name, namespace, policy_types, pod_selector, ingressfrom kubernetes_network_policywhere policy_types @> '["Ingress"]' and pod_selector = '{}' and ingress is null;Error: The corresponding SQLite query is unavailable.View rules for a specific network policy
Explore rules associated with a certain network policy to understand its ingress and egress configurations. This is useful for assessing security measures and traffic flow within a specific network environment.
select name, namespace, policy_types, jsonb_pretty(ingress), jsonb_pretty(egress)from kubernetes_network_policywhere name = 'test-network-policy' and namespace = 'default';select name, namespace, policy_types, ingress, egressfrom kubernetes_network_policywhere name = 'test-network-policy' and namespace = 'default';List manifest resources
Explore the network policies in your Kubernetes environment to understand their configurations and rules. This can be useful to ensure security standards are met and to identify any potential vulnerabilities or misconfigurations.
select name, namespace, policy_types, ingress, egress, pod_selector, labels, annotations, pathfrom kubernetes_network_policywhere path is not null;select name, namespace, policy_types, ingress, egress, pod_selector, labels, annotations, pathfrom kubernetes_network_policywhere path is not null;Control examples
- Namespaces should have a default network policy to deny all egress traffic
- Namespaces should have a default network policy to deny all ingress traffic
- Network policies should not have a default policy to allow all egress traffic
- Network policies should not have a default policy to allow all ingress traffic
Schema for kubernetes_network_policy
| Name | Type | Operators | Description |
|---|---|---|---|
| _ctx | jsonb | Steampipe context in JSON form. | |
| annotations | jsonb | Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. | |
| context_name | text | Kubectl config context name. | |
| creation_timestamp | timestamp with time zone | CreationTimestamp is a timestamp representing the server time when this object was created. | |
| deletion_grace_period_seconds | bigint | Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. | |
| deletion_timestamp | timestamp with time zone | DeletionTimestamp is RFC 3339 date and time at which this resource will be deleted. | |
| egress | jsonb | List of egress rules to be applied to the selected pods. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). | |
| end_line | bigint | The path to the manifest file. | |
| finalizers | jsonb | Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. | |
| generate_name | text | GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. | |
| generation | bigint | A sequence number representing a specific generation of the desired state. | |
| ingress | jsonb | List of ingress rules to be applied to the selected pods. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default) | |
| labels | jsonb | Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. | |
| name | text | Name of the object. Name must be unique within a namespace. | |
| namespace | text | Namespace defines the space within which each name must be unique. | |
| owner_references | jsonb | List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller. | |
| path | text | The path to the manifest file. | |
| pod_selector | jsonb | Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. An empty podSelector matches all pods in this namespace. | |
| policy_types | jsonb | List of rule types that the NetworkPolicy relates to. Valid options are "Ingress", "Egress", or "Ingress,Egress". If this field is not specified, it will default based on the existence of Ingress or Egress rules. | |
| resource_version | text | An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. | |
| source_type | text | The source of the resource. Possible values are: deployed and manifest. If the resource is fetched from the spec file the value will be manifest. | |
| sp_connection_name | text | Steampipe connection name. | |
| sp_ctx | jsonb | Steampipe context in JSON form. | |
| start_line | bigint | The path to the manifest file. | |
| tags | jsonb | A map of tags for the resource. This includes both labels and annotations. | |
| title | text | Title of the resource. | |
| uid | text | UID is the unique in time and space value for this object. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that allow you to extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- kubernetesYou can pass the configuration to the command with the --config argument:
steampipe_export_kubernetes --config '<your_config>' kubernetes_network_policy