Skip to content

Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.

License

Notifications You must be signed in to change notification settings

Blue-infosec/netfetch

 
 

Repository files navigation

Netfetch

Scan your Kubernetes clusters to identifiy unprotected workloads and map your existing Network policies

Netfetch

Contents

⭐ What is this project ⭐

This project aims to demystify network policies in Kubernetes. It's a work in progress!

The netfetch tool will scan your Kubernetes cluster and let you know if you have any pods running without being targeted by network policies.

Feature CLI Dashboard
Scan cluster identify pods without network policies
Save scan output to a text file
Visualize network policies and pods in a interactive network map
Create default deny network policies where this is missing
Get suggestions for network policies based on existing workloads
Calculate a security score based on scan findings
Scan a specific policy by name to see what pods it targets

NetworkPolicy type support in Netfetch

Type CLI Dashboard
Kubernetes
Cilium

Support for additional types of network policies is in the works. No support for the type you need? Check out issues for an existing request or create a new one if there is none.

Installation

Installation via Homebrew for Mac 💻

You can install netfetch using our Homebrew tap:

brew tap deggja/netfetch https://github.com/deggja/netfetch
brew install netfetch

For specific Linux distros, Windows and other install binaries, check the latest release.

Installation via Helm 🎩

You can deploy the netfetch dashboard in your Kubernetes clusters using Helm.

helm repo add deggja https://deggja.github.io/netfetch/
helm repo update
helm install netfetch deggja/netfetch --namespace netfetch --create-namespace

Follow the instructions after deployment to access the dashboard.

Prerequisites 🌌

  • Installed netfetch via homebrew or a release binary.
  • Access to a Kubernetes cluster with kubectl configured.
  • Permissions to read and create network policies.

Usage

Get started

The primary command provided by netfetch is scan. This command scans all non-system Kubernetes namespaces for network policies.

You can also scan specific namespaces by specifying the name of that namespace.

You may add the --dryrun or -d flag to run a dryrun of the scan. The application will not prompt you about adding network policies, but still give you the output of the scan.

Run netfetch in dryrun against a cluster.

netfetch scan --dryrun

Run netfetch in dryrun against a namespace

netfetch scan crossplane-system --dryrun

netfetch-demo

Scan entire cluster.

netfetch scan

Scan a namespace called crossplane-system.

netfetch scan crossplane-system

Scan entire cluster for Cilium Network Policies and or Cluster Wide Cilium Network Policies.

netfetch scan --cilium

Scan a namespace called production for regular Cilium Network Policies.

netfetch scan production --cilium

Scan a specific network policy.

netfetch scan --target my-policy-name

Scan a specific Cilium Network Policy.

netfetch scan --cilium --target default-cilium-default-deny-all

asciicast

Using the dashboard 📟

Launch the dashboard:

netfetch dash

You may also specify a port for the dashboard to run on (default is 8080).

netfetch dash --port 8081

Dashboard functionality overview

The Netfetch Dashboard offers an intuitive interface for interacting with your Kubernetes cluster's network policies. Below is a detailed overview of the functionalities available through the dashboard:

Action Description Screenshot Link
Scan Cluster Initiates a cluster-wide scan to identify pods without network policies, similar to netfetch scan. Netfetch Dashboard
Scan Namespace Scans a selected namespace for pods not covered by network policies, equivalent to netfetch scan namespace. Cluster map
Create Cluster Map Generates a D3-rendered network map of all pods and policies across accessible namespaces. Network map
Suggest Policy Provides network policy suggestions based on existing workloads within a selected namespace. Suggested policies

Interactive Features

  • Table View: Shows pods not targeted by network policies. It updates based on the cluster or namespace scans.
  • Network Map Visualization: Rendered using D3 to show how pods and policies interact within the cluster.
  • Policy Preview: Double-click network policy nodes within the network map to view policy YAML.
  • Policy Editing: Edit suggested policies directly within the dashboard or copy the YAML for external use.

Netfetch score 🥇

The netfetch tool provides a basic score at the end of each scan. The score ranges from 1 to 42, with 1 being the lowest and 42 being the highest possible score.

Your score will decrease based on the amount of workloads in your cluster that are running without being targeted by a network policy.

The score reflects the security posture of your Kubernetes namespaces based on network policies and general policy coverage. If changes are made based on recommendations from the initial scan, rerunning netfetch will likely result in a higher score.

Uninstalling netfetch

If you want to uninstall the application - you can do so by running the following commands.

brew uninstall netfetch
brew cleanup -s netfetch
brew untap deggja/netfetch https://github.com/deggja/netfetch

Running Tests

To run tests for netfetch, follow these steps:

  1. Navigate to the root directory of the project in your terminal.

  2. Navigate to the backend directory within the project:

cd backend
  1. Run the following command to execute all tests in the project:
go test ./...

This command will recursively search for tests in all subdirectories (./...) and run them.

  1. After executing the command, you will see the test results in the terminal output.

Contribute 🔨

Thank you to the following awesome people:

You are welcome to contribute!

See CONTRIBUTING for instructions on how to proceed.

Tools 🧰

Netfetch uses other tools for a plethora of different things. It would not be possible without the following:

License

Netfetch is distributed under the MIT License. See the LICENSE for more information.

About

Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 57.1%
  • Vue 40.5%
  • Smarty 1.0%
  • Dockerfile 0.5%
  • Ruby 0.4%
  • HTML 0.3%
  • JavaScript 0.2%