np-guard/netpol-analyzer

GitHub: np-guard/netpol-analyzer

A Golang-based analysis tool for Kubernetes network policies. It evaluates whether a specific connection is allowed, lists all permitted connections, and reports the differences in allowed connectivity between two sets of manifests.

Stars: 19 | Forks: 2

# netpol-analyzer

## About netpol-analyzer

This repo contains a Golang library and CLI for analyzing k8s connectivity-configuration resources (i.e., network policies).

## CLI usage

### Evaluate command

```
Evaluate if a specific connection is allowed

Usage:
  netpol-analyzer evaluate [flags]

Aliases:
  evaluate, eval, check, allow

Examples:
  # Evaluate if a specific connection is allowed on given resources from dir path
  netpol-analyzer eval --dirpath ./resources_dir/ -s pod-1 -d pod-2 -p 80

  # Evaluate if a specific connection is allowed on a live k8s cluster
  netpol-analyzer eval -k ./kube/config -s pod-1 -d pod-2 -p 80

Flags:
      --destination-ip string          Destination (external) IP address
      --destination-namespace string   Destination pod namespace (default "default")
  -d, --destination-pod string         Destination pod name
  -p, --destination-port string        Destination port (name or number)
  -h, --help                           help for evaluate
      --protocol string                Protocol in use (tcp, udp, sctp) (default "tcp")
      --source-ip string               Source (external) IP address
  -n, --source-namespace string        Source pod namespace (default "default")
  -s, --source-pod string              Source pod name, required

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log
```

### List command

```
Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources defined.
Connections from a workload to itself are excluded from the output.

Usage:
  netpol-analyzer list [flags]

Examples:
  # Get list of allowed connections from resources dir path
  netpol-analyzer list --dirpath ./resources_dir/

  # Get list of allowed connections from live k8s cluster
  netpol-analyzer list -k ./kube/config

Flags:
      --explain                     Enhance the analysis of permitted connectivity with explainability information
      --exposure                    Enhance the analysis of permitted connectivity with exposure analysis
  -f, --file string                 Write output to specified file
      --focusworkload string        Focus connections of specified workload(s) in the output, supports comma-separated names (workload name format: or )
      --focusworkload-peer string   Focus connections of specified workload(s) with this peer(s), applies only when focusworkload is used; supports comma-separated names (focusworkload-peer name format is same as focusworkload)
      --focus-direction string      Focus connections of specified workload(s) on one direction, applies only when focusworkload is used; must be one of ingress,egress
      --explain-only string         Filter explain output to show only allowed or denied connections, applies only when explain is used; must be one of allow,deny
      --focus-conn string           Filter output to show results for a specific connection (connection format )
  -h, --help                        help for list
  -o, --output string               Required output format; must be one of txt,json,dot,svg,csv,md (default "txt")

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               runs quietly, reports only severe errors and results
  -v, --verbose             runs with more informative messages printed to log
```

### Diff command

```
Reports all differences in allowed connections between two different directories of YAML manifests.

Usage:
  netpol-analyzer diff [flags]

Examples:
  # Get list of different allowed connections between two resources dir paths
  netpol-analyzer diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/

Flags:
      --dir1 string     First resources dir path
      --dir2 string     Second resources dir path to be compared with the first dir path
  -f, --file string     Write output to specified file
  -o, --output string   Required output format; must be one of txt,csv,md,dot,svg (default "txt")
  -h, --help            help for diff

Global Flags:
  -c, --context string      Kubernetes context to use when evaluating connections in a live cluster
      --dirpath string      Resources dir path when evaluating connections from a dir
      --fail                fail on the first encountered error
      --include-json        consider JSON manifests (in addition to YAML) when analyzing from dir
  -k, --kubeconfig string   Path and file to use for kubeconfig when evaluating connections in a live cluster
      --multiple-networks   Enables analysis of multi-network resources such as UserDefinedNetwork, NetworkAttachmentDefinition, and MultiNetworkPolicy. If disabled, these resources will be ignored (default "true").
  -q, --quiet               Runs quietly, reports only severe errors and results
  -v, --verbose             Runs with more informative messages printed to log
```

### Example output

```
$ netpol-analyzer eval --dirpath tests/onlineboutique -s adservice-77d5cd745d-t8mx4 -d emailservice-54c7c5d9d-vp27n -p 80
default/adservice-77d5cd745d-t8mx4 => default/emailservice-54c7c5d9d-vp27n over tcp/80: false

$ netpol-analyzer list --dirpath tests/onlineboutique_workloads
0.0.0.0-255.255.255.255 => default/redis-cart[Deployment] : All Connections
default/checkoutservice[Deployment] => default/cartservice[Deployment] : TCP 7070
default/checkoutservice[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/checkoutservice[Deployment] => default/emailservice[Deployment] : TCP 8080
default/checkoutservice[Deployment] => default/paymentservice[Deployment] : TCP 50051
default/checkoutservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/checkoutservice[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/frontend[Deployment] => default/adservice[Deployment] : TCP 9555
default/frontend[Deployment] => default/cartservice[Deployment] : TCP 7070
default/frontend[Deployment] => default/checkoutservice[Deployment] : TCP 5050
default/frontend[Deployment] => default/currencyservice[Deployment] : TCP 7000
default/frontend[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/frontend[Deployment] => default/recommendationservice[Deployment] : TCP 8080
default/frontend[Deployment] => default/shippingservice[Deployment] : TCP 50051
default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550
default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections

$ ./bin/netpol-analyzer diff --dir1 tests/onlineboutique_workloads --dir2 tests/onlineboutique_workloads_changed_netpols
Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed
```

For more details on the connectivity analysis and its output, see [here](docs/connlist_output.md).

For more details on the explainability analysis (the `--explain` flag of the `list` command), see [here](docs/explain_analysis.md).

For more details on the exposure analysis (the `--exposure` flag of the `list` command), see [here](docs/exposure_analysis.md).

For more details on the connectivity diff command and its output, see [here](docs/diff_output.md).

## Build the project

Make sure you have golang 1.23+ installed on your platform.

```
git clone git@github.com:np-guard/netpol-analyzer.git
cd netpol-analyzer
make mod
make build
```

Test your build by running `./bin/netpol-analyzer -h`.
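The `diff` output above is what a reviewer wants to see on every pull request that touches manifests: rows with `diff-type: added` are connectivity the change newly permits, and rows whose peer is an IP range such as `0.0.0.0-255.255.255.255` or `128.0.0.0-255.255.255.255` are traffic to or from outside the cluster's workloads. The following script is an added example, not part of the netpol-analyzer project: it turns the txt diff output into a CI gate that fails on any widened connectivity or on any external peer that is still allowed in `dir2`. The tool is not executed here; a constructed sample in the row format shown above (the last row is invented to show a newly exposed workload) is embedded so the logic runs offline, and the function names and the sample are the example's own assumptions.

```bash
#!/usr/bin/env bash
# Added example, not the project's code: gate a CI run on `netpol-analyzer diff -o txt`.
# In a pipeline:  netpol-analyzer diff --dir1 ./base --dir2 ./pr -o txt | gate_diff
set -eu

# Constructed sample of diff output (same row shape as the README's example).
# The last row is made up: an external source newly allowed to reach frontend.
SAMPLE_DIFF='Connectivity diff:
source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
source: 0.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
source: 0.0.0.0-255.255.255.255, destination: default/frontend[Deployment], dir1: No Connections, dir2: TCP 8080, diff-type: added'

# An IP-range peer (e.g. 0.0.0.0-255.255.255.255, 128.0.0.0-255.255.255.255) is
# traffic to or from outside the cluster's workloads.
IP_RANGE_RE='[0-9]+(\.[0-9]+){3}-[0-9]+(\.[0-9]+){3}'

# Number of rows whose diff-type is "added": connectivity permitted in dir2 but
# not in dir1. Reads diff text on stdin. grep -c exits 1 on a zero count, which
# is not an error for us.
count_added() {
  grep -c -E 'diff-type: added$' || true
}

# Rows where an external IP range is the source or destination and dir2 still
# allows something, i.e. exposure that survives (or appears with) the change.
external_exposure_in_dir2() {
  grep -E "^source: ${IP_RANGE_RE},|destination: ${IP_RANGE_RE}," \
    | grep -E -v 'dir2: No Connections,' || true
}

# Gate: return 1 if the change adds any connectivity or leaves any external
# peer allowed; pure removals and narrowing pass.
gate_diff() {
  local input added external
  input=$(cat)
  added=$(printf '%s\n' "$input" | count_added)
  external=$(printf '%s\n' "$input" | external_exposure_in_dir2 | wc -l | tr -d ' ')
  if [ "$added" -gt 0 ] || [ "$external" -gt 0 ]; then
    printf 'FAIL: %s added connection(s), %s row(s) with an external peer still allowed\n' \
      "$added" "$external" >&2
    printf '%s\n' "$input" | grep -E 'diff-type: added$' >&2 || true
    printf '%s\n' "$input" | external_exposure_in_dir2 >&2
    return 1
  fi
  echo "OK: no widened connectivity"
}

# Stand-alone demo on the constructed sample; the gate is expected to block it
# (two added rows, one of them from an external source).
if printf '%s\n' "$SAMPLE_DIFF" | gate_diff; then
  echo "gate passed"
else
  echo "gate blocked the change (expected for the sample)"
fi
```

The gate deliberately treats `changed` rows as passing, because a `changed` row can be either a narrowing or a widening (compare `TCP 8080` against `TCP 8080,9555` in the README output); if you want those reviewed too, switch to `-o csv` and compare the `dir1` and `dir2` columns per row instead of matching on `diff-type` alone.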