• Support for installing on Linux via brew (current tap installs the macOS binary onto an amd64 Linux machine instead of failing)
• Add support for installing as an asdf plugin for use with either asdf or mise (formerly rtx)

theres currently no tests in place for the code, this should be implemented.

we should look into adding a prometheus endpoint for netfetch

The remediate action should in addition to applying a default deny network policy, also give the user a suggestion on a network policy that will allow traffic for the pods in a namespace.

Application throws an error when selecting the default namespace and clicking the Suggest policies button,

App.vue:525 Error suggesting policies: TypeError: Cannot read properties of null (reading 'app.kubernetes.io/name')
    at App.vue:541:29
    at Array.forEach (<anonymous>)
    at Proxy.suggestNetworkPolicy (App.vue:540:17)
    at Proxy.suggestPolicy (App.vue:513:40)

A wild idea, how about integrate this scanner with K9s, as a K9s plugin perhaps, to allow running it and viewing the report in K9s directly, instead of a web page?

IMHO, I'd make the HTML, Markdown, etc. a secondary output and by default output to terminal in textual form, human-friendly form and machine-friendly (e.g. JSON).

When I run a scan against a local cluster it will prompt to add a default deny all policy to every namespace that has unprotected pods.
For example:

netfetch scan                                   

Unprotected Pods found in namespace hello-world:
hello-world hello-world-manager-6564bd6bcf-8hfqg 10.232.4.217
? Do you want to add a default deny all network policy to the namespace hello-world? No

This should allow a default answer to be set from the CLI for unattended mode.
For example:

netfetch scan --add-default-deny=no

Unprotected Pods found in namespace hello-world:
hello-world hello-world-manager-6564bd6bcf-8hfqg 10.232.4.217
  Not adding a default deny all network policy to the namespace hello-world

running netfetch scan namespace-name where the namespace does not exist will return a perfect score as there are no missing policies, but thats because the namespace does not exist.

scanning non-existant namespaces should return a message to the user saying the namespace does not exist.

The dashboard is served on localhost:8080 which is a quite frequently used port. We should implement logic to the backend, so that if 8080 is busy, select the next port available.

Will be updated with more information later. Network policy suggestions end up setting the name to unknown on certain occassions.

The suggestNetworkPolicy function expects the recommended kubernetes.io/name label on applications, if this is missing, no name will be set for the netpol.

Can you please consider adding support for scanning Ingress resources in the netfetchtool.

This will help users identify potential security gaps related to external access and traffic routing in their Kubernetes clusters.

Thank you !!

We should implement proper error handling for scenarios where the user is not yet properly connected to the cluster they are trying to scan (e.g set context for cluster but not authenticated).

We should implement the ability to create cronjobs directly in the helm chart.

Description:

The app should be checking whether a default deny all policy applies to both ingress and egress rules within the network policy - and not just if one of these are true.

Description:

if there is a cluster wide default deny policy in place - the scan will stop, and all pods in the cluster are deemed covered by that policy. It would be cool if it was possible to exclude a single policy with e.g:

netfetch scan --exclude cluster-wide-default-deny-all

It would then be possible to scan the rest of the cluster, even when a default deny all is in place.

Description:

It would be very cool if the user could specify a singular policy to scan.

e.g: netfetch scan --target grafana-egress-network-policy

This would then list the pods that this policy targets. It could also list some more information about what the policy actually does and how it applies to the pod.

Description:

Currently, a pod will be marked as covered if it is targeted by a policy. We dont do much as far as analysing the ingress and egress rules inside the policy goes. We simply check if it has rules or not to determine what type of policy it is.

Goal:

We should improve the scanning logic so that once it has detected a policy, this poilicy should be scanned to determine what the policy is actually doing for the pod as far as cover go.

Description:

If you use the remediate function when scanning a specific namespace, a cluster wide scan will be initiated afterwards. This should invoke a namespace specific scan to fetch new viz data. Not a cluster scan.

How to reproduce:

1. Scan a cluster with untargeted and targeted pods.
2. Remediate untargeted pods.

Result:

The table will refresh with the results of a cluster wide scan.

When doing a cluster scan in the dashboard, no visualization should be shown after using the remediate function.

Prerequisites:

1. Namespace with pods protected by network policies (which will trigger visualization)
2. Unprotected pods in the same namespace.
3. Some other namespace with unprotected pods.

How to reproduce:

1. Click "Scan cluster"
2. Click "Remediate" on the other namespaces unprotected pods

Result:

Visualisation will render for the namespace left in the list, because the namespace is being scanned after the remediate function is used and the namespace has both unprotected pods (in the table) and protected pods (in the network map visualisation).

Currently, the implementation fetches policies from namespaces, and some logic is based on there being a namespace field in the structure of the kubernetes resource.

At some point it would be nice to add support for global network policies from e.g Calico and others. These policies do not have a namespace field and wont be included currently.

type PolicyVisualization struct {
	Name       string   `json:"name"`
	Namespace  string   `json:"namespace"`
	TargetPods []string `json:"targetPods"`
}

Description:

Currently, all pods in a non-system namespace will be scanned. That includes pods in a completed or a failing state. I cant think of any scenarios where this would be useful, so we should opt to exclude pods with this status from the scans.

After running the dashboard multiple times (10+), caching issues will appear and the dashboard will stop working until you clear the cache

Component:

Netfetch Dashboard

How to reproduce:

1. User selects a namespace in the scan namespace dropdown.
2. User clicks scan cluster
3. User selects to remediate a missing policy

Result:

Table content is refreshed based on namespace selection. The table should be refreshed on a cluster level, as the cluster scan function was used.

When you create a multiple network policies with the same name but in different namespaces they should be limited to the namespace but they are shown incorrectly in the cluster map.

Example policy

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-unknown-app-5000-tcp-nfpol
  namespace: test
spec:
  podSelector:
    matchLabels: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from: []
      ports:
        - protocol: TCP
          port: 5000
  egress:
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0

If there is another policy with the same name for example in namespace test2 all of the pods across the two namespaces that are withing the policy scope will be linked in the cluster map to only one of these policies.

We should use deployments instead of pods where applicable. Naked pods should still be included, but if pods are part of a deployment, use the deployment in the network map instead.

General info

First of, totally fair if this project do NOT want to support below 22.04. Then it would be great if this is mentioned in the docs. ( I can create a PR containing such a mention if this is a great idea ).

So e.g. executing netfetch dash gives:

netfetch: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by netfetch)
netfetch: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by netfetch)

Looking into the issue I found:

• https://github.com/deggja/netfetch/blob/main/.github/workflows/release.yml#L14 < is pointing to Ubuntu latest. Which is certainly not 20.04 that I'm on
• At https://packages.ubuntu.com/search?keywords=libc6 we can see that v2.35 of libc is available on v22.04. So being above v2.34 we should be good - correct?
• I can't just upgrade to a later version on Ubuntu 20.04. Getting info that I'm already on latest of libc when trying

Consequences

Because of this challenge I can't try out: #48 (comment) ... aka running the netfetch cli to try out the Cilium Network Policies scanning and generation.

Sounding of

• Would below 22.04 Ubuntu versions be supported? ... or asked in another way, is libc at v2.34 a hard requirement for netfetch?

Thank you very much. This project and the idea of it is really great. Much needed.

we should add a network sniffer to the suggestions api, this should create a tcp dump that we base the suggestions off in terms of where communication should go when defining the netpol

this can be done with ksniff

Feature for previewing the yaml of a given network policy in network viz map when double clicking on node.

Currently, we are checking network policies and their podSelectors + pods and their labels to match pods against the policies targeting them.

However, a networkPolicy in kubernetes can use a namespaceSelector which would apply to all pods within a specific namespace. We should implement logic to uncover these as well.

This would include changes to the ScanNetworkPolicies function.

Description:
its possible to get a duplicate of network maps when you are scanning specific namespaces and using the suggest policy function.

How to reproduce:

Scan a namespace with "Scan namespace" that has existing policies and generate a network visualisation.
Change the dropdown to another namespace and get policy suggestions using the suggest policy button.
Create one of the suggested policies, this will update the visualisation of that namespace.

Result:

The create of the suggested policy will update the network map for that namespace, while the first namespace you scanned is still being visualised, giving you two network maps.

Potential fix:

When create is used on a suggested policy, we could remove all visualisations and refetch the visualisation for that specific namespace, cleaning up the view.

Currently, the network map instructions are all put on top of the svg where the network map is generated.

we should implement some way of showing the user how to interact with the network map without having to put it inside the svg like this, but not sure how.

Description:
When clicking suggest policy once you have scanned a namespace -> the score container will disappear.

How to reproduce:

1. Scan a specific namespace using scan namespace.
2. Click suggest policy

Result:

The score container dissappears.

How to fix:
We should make sure that the score container is represented for the current namespace, even if suggestions are triggered.

Currently, we have a script that handles updates to the version of the application, however this is quite simple and as of now, only handles patch updates. We need to implement proper semantic versioning. As a sidenote, we should also implement some dynamic update to the version of the application, specified as a const in the backend at the moment.

Here in the code: https://github.com/deggja/netfetch/blob/88a7580393fd0317f7709e76c48cf48797433f8e/backend/cmd/root.go#L10C1-L10C24 the version is a constant. So the same version will always be reported when using netfetch version. I don't know how to fix this in go.

Now "we" know.

Thank you for this great tool.

Good idea behind your tool. Consider looking at Cilium as well as Cilium Network Policies are becoming very commonly used.

https://docs.cilium.io/en/stable/security/policy/

Currently, when using the CLI, denying the application of default deny policies in a namespace will be weighted on your total score. This is not reflected in the dashboard.

Fix:

We should not weight this into the score.

if !hasDenyAll {
		score -= 15
}

Edit:
Score reduction for answering no to default deny all policy application has been patched. This issue is partially solved.

Todos:
We should implement a more complex scoring logic.