
Project calico documentation: Expand calico network policy log documentation #540

Open
Tim-herbie opened this issue Apr 5, 2023 · 1 comment

Comments

@Tim-herbie

As a Kubernetes beginner, I started to secure the K8s cluster with Calico Network Policies and also wanted to log a few of them. I had to struggle with some problems there at the beginning, because I didn't understand how logging works in Calico. Therefore I looked for help in Slack (and got it successfully) :)

To make it easier for more beginners I made some notes and thought about what could be added in the documentation.

  1. I figured out (maybe a bug) that if you want to allow/deny and log something, the "Log" action always has to be before the allow/deny action in the order. When not, nothing will be logged, because that creates two iptables rules. I would mention this in the documentation.

  2. It would have been a great help to me if the logging of Calico's network policies had been better described. Before I had a conversation with Lance from Calico, I didn't know anything about that. I would explain that Calico "only" adds some parameters to the iptables rule, like the logging and prefix parameters. Also that the responsibility of Calico ends (at least currently) there. Maybe also the standard syslog paths like /var/log/messages or /var/log/syslog. Before, I was only looking at /var/log/calico/...

  3. Best Practice Network Policy Logging: e.g. a Global Deny that logs each connection attempt which will be dropped

  4. Example Calico Network Policy Log
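For points 2 and 4, here is an added example that is not from the issue author or the Calico project: a small Python parser for the lines that the iptables LOG target writes into syslog (the `/var/log/syslog` or `/var/log/messages` file mentioned above) when a Calico `Log` rule fires. It assumes the default Felix `LogPrefix` value `calico-packet`; the sample syslog lines, hostnames, interface names, addresses and ports are constructed for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed Felix default LogPrefix; change it if your FelixConfiguration sets another one.
LOG_PREFIX = "calico-packet"

# Constructed sample syslog excerpt in the shape the netfilter LOG target produces.
# The third line is unrelated noise to show that non-matching lines are skipped.
SAMPLE_SYSLOG = """\
Apr  5 10:00:01 node1 kernel: [1234.567] calico-packet: IN=cali1234abcd OUT=eth0 MAC=ee:ee:ee:ee:ee:ee:02:42:0a:f4:01:05:08:00 SRC=10.244.1.5 DST=10.96.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45210 DPT=53 WINDOW=64240 RES=0x00 SYN URGP=0
Apr  5 10:00:02 node1 kernel: [1235.001] calico-packet: IN=cali1234abcd OUT= MAC=ee:ee:ee:ee:ee:ee:02:42:0a:f4:01:05:08:00 SRC=10.244.1.5 DST=10.244.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45211 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Apr  5 10:00:03 node1 sshd[999]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Apr  5 10:00:04 node1 kernel: [1236.250] calico-packet: IN=cali1234abcd OUT= MAC=ee:ee:ee:ee:ee:ee:02:42:0a:f4:01:05:08:00 SRC=10.244.1.5 DST=10.244.2.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=45212 DPT=8080 WINDOW=64240 RES=0x00 SYN URGP=0
Apr  5 10:00:05 node1 kernel: [1237.900] calico-packet: IN=cali1234abcd OUT= MAC=ee:ee:ee:ee:ee:ee:02:42:0a:f4:01:05:08:00 SRC=10.244.1.5 DST=10.244.2.9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

# Match "kernel: [uptime] <prefix>: <key=value fields...>"; the uptime stamp is optional.
LOG_LINE = re.compile(
    r"kernel: (?:\[[^\]]*\] )?" + re.escape(LOG_PREFIX) + r": (?P<fields>.*)$"
)
# netfilter writes KEY=VALUE tokens; bare flags such as DF or SYN carry no "=" and are ignored.
KV_TOKEN = re.compile(r"(\w+)=(\S*)")


@dataclass(frozen=True)
class LoggedPacket:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None for protocols without ports (e.g. ICMP)
    iface_in: str          # the cali* veth of the workload that sent the packet


def parse_line(line: str) -> Optional[LoggedPacket]:
    """Return the packet described by one syslog line, or None if it is not a Calico log line."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    fields = dict(KV_TOKEN.findall(m.group("fields")))
    dpt = fields.get("DPT")
    return LoggedPacket(
        src=fields["SRC"],
        dst=fields["DST"],
        proto=fields.get("PROTO", "?"),
        dport=int(dpt) if dpt else None,
        iface_in=fields.get("IN", ""),
    )


def parse_syslog(text: str) -> List[LoggedPacket]:
    """Parse every line of a syslog excerpt, silently skipping lines that are not Calico logs."""
    return [p for p in (parse_line(l) for l in text.splitlines()) if p is not None]


def summarize(packets: List[LoggedPacket]) -> List[Tuple[Tuple[str, str, str, Optional[int]], int]]:
    """Count logged packets per (src, dst, proto, dport) flow, most frequent first."""
    counts = Counter((p.src, p.dst, p.proto, p.dport) for p in packets)
    return counts.most_common()


if __name__ == "__main__":
    for flow, n in summarize(parse_syslog(SAMPLE_SYSLOG)):
        print(f"{n:4d}  {flow[0]} -> {flow[1]} {flow[2]} dport={flow[3]}")
```

Run against a real file with `parse_syslog(open("/var/log/syslog").read())`; the flow summary makes it easy to spot which workload keeps hitting a denied destination after a global deny policy is rolled out.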

@Tim-herbie
Author

To my first note:
It's definitely not a bug, because I learnt that when a Log action is performed, processing continues. But when an action is Deny or Allow, no further rules will be processed.
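The ordering rule from the first note and the follow-up comment, together with the "global deny that logs what it drops" idea from the third note, as an added example manifest that is not from the issue author or the Calico project. It is a Calico `GlobalNetworkPolicy` with a `Log` rule placed before the `Deny` rule in both directions; the policy name, the order value and the excluded namespace names are assumptions.

```yaml
# Added example (not the issue author's or Calico's own manifest):
# a last-resort policy that logs and then drops every connection attempt
# that no earlier policy has allowed.
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: default-deny-with-logging   # assumed name
spec:
  # Policies are evaluated in ascending order, so a large value makes this
  # policy run last and only see traffic nothing else has already allowed.
  order: 10000
  # Assumed list of infrastructure namespaces to leave untouched.
  selector: projectcalico.org/namespace not in {"kube-system", "calico-system", "tigera-operator"}
  types:
    - Ingress
    - Egress
  ingress:
    # Log comes first: a Log rule writes the packet to the kernel log
    # (and from there to syslog) and evaluation continues with the next rule.
    - action: Log
    # Deny comes second: a Deny rule ends evaluation, so a Log rule placed
    # after it would never be reached and nothing would be logged.
    - action: Deny
  egress:
    - action: Log
    - action: Deny
```

The logged lines carry the prefix set by the Felix `LogPrefix` setting (`calico-packet` by default) and land in the standard syslog file such as `/var/log/syslog` or `/var/log/messages`, not under `/var/log/calico/`. Swapping the two rules in either list is the mistake described in the first note: the Deny would terminate processing before the Log rule is reached.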
