
FEATURE REQUEST: Generate networkpolicy rules from collected data

Open bernardmaltais opened this issue 4 years ago • 6 comments

  • why: Weave Scope provides very valuable information about pod network access. Having the ability to accumulate connection information from pods over a long period of time helps with the definition of Network Policies that should be implemented to better secure the applications.

  • what:

  1. It would be awesome if there was a way to configure the live buffer time in the UI (from, say, 15s to infinite).
  2. It would be even better if there was a way to report in a Network Policy format all network access observed. This way one could copy the reported networkpolicy rules and implement with minor tweaking. This would be such a time saver as there is no good way to do this at the moment.

bernardmaltais avatar Mar 18 '20 13:03 bernardmaltais
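A sketch of the report requested in item 2, added here as an example; it is not part of the issue and not Scope code. The flow tuples are constructed sample data rather than Scope's report format, and the sketch assumes source and destination pods share a namespace and are identified by their labels.

```python
import json
from collections import defaultdict

# Constructed sample observations (hypothetical, not Scope's data model):
# (source pod labels, namespace, destination pod labels, protocol, port)
OBSERVED = [
    ({"app": "frontend"}, "shop", {"app": "cart"}, "TCP", 8080),
    ({"app": "frontend"}, "shop", {"app": "cart"}, "TCP", 8080),  # repeated flow
    ({"app": "checkout"}, "shop", {"app": "cart"}, "TCP", 8080),
    ({"app": "cart"}, "shop", {"app": "redis"}, "TCP", 6379),
]

def build_policies(observed):
    """Emit one ingress NetworkPolicy per destination workload, allowing
    only the source peers and ports that were actually observed."""
    # (namespace, dest labels) -> (protocol, port) -> set of source label sets
    grouped = defaultdict(lambda: defaultdict(set))
    for src, ns, dst, proto, port in observed:
        key = (ns, frozenset(dst.items()))
        grouped[key][(proto, port)].add(frozenset(src.items()))

    policies = []
    order = lambda kv: (kv[0][0], sorted(kv[0][1]))
    for (ns, dst), ports in sorted(grouped.items(), key=order):
        rules = []
        for (proto, port), sources in sorted(ports.items()):
            rules.append({
                # Bare podSelector peers match pods in the policy's namespace.
                "from": [{"podSelector": {"matchLabels": dict(sorted(s))}}
                         for s in sorted(sources, key=sorted)],
                "ports": [{"protocol": proto, "port": port}],
            })
        policies.append({
            "apiVersion": "networking.k8s.io/v1",
            "kind": "NetworkPolicy",
            "metadata": {
                "name": "allow-observed-" + "-".join(v for _, v in sorted(dst)),
                "namespace": ns,
            },
            "spec": {
                "podSelector": {"matchLabels": dict(sorted(dst))},
                "policyTypes": ["Ingress"],
                "ingress": rules,
            },
        })
    return policies

if __name__ == "__main__":
    print(json.dumps(build_policies(OBSERVED), indent=2))
```

Once a policy selects a pod, ingress that is not listed is denied, so any flow that did not occur during the observation window would be blocked; the output needs review before it is applied.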

This can be configured like -app.window=60s

Note Scope is merging all data - pods, sockets, processes, metrics, etc., in the window, so if you extend it you will see things that are now dead. Also it will use more memory and CPU to chew through the extra data.

The Network Policy report is a good idea; not 100% in tune with how Scope was designed but maybe will spark some ideas. Perhaps best to re-title this issue if I answered your 15s question already.

bboreham avatar Mar 18 '20 14:03 bboreham

Thank you @bboreham

How do I apply this on a kubernetes deployment of weave scope? I looked in the https://cloud.weave.works/k8s/scope.yaml and can't find where I can pass this parameter. Do you have an example?

Sorry if this is a lame question ;-)

bernardmaltais avatar Mar 18 '20 14:03 bernardmaltais

I don't think there is a way to request individual parameter changes via the yaml generator, so you'd need to capture the output and edit it, then re-apply to your cluster.

It would go right after the existing args on the app:

        spec:
          containers:
            - name: app
              args:
                - '--mode=app'
                - '--app.window=60s'

bboreham avatar Mar 18 '20 14:03 bboreham

> I don't think there is a way to request individual parameter changes via the yaml generator, so you'd need to capture the output and edit it, then re-apply to your cluster.
>
> It would go right after the existing args on the app:
>
>         spec:
>           containers:
>             - name: app
>               args:
>                 - '--mode=app'
>                 - '--app.window=60s'

Awesome. I might create a helm chart to do that ;-)

bernardmaltais avatar Mar 18 '20 14:03 bernardmaltais

Oh there is a helm chart but I don't use it myself. https://github.com/helm/charts/tree/master/stable/weave-scope

bboreham avatar Mar 18 '20 14:03 bboreham

This is great. Will only need to tweak a few things in there to add support for custom live windows then. Many thanks. Might submit it back as a pull request if all goes well.

EDIT:

Looks like no update will be required, as the chart already allows passing custom args ;-)

          args:
            - "--no-probe"
            {{- range $arg := .Values.flags }}
            - {{ $arg | quote }}
            {{- end }}

bernardmaltais avatar Mar 18 '20 14:03 bernardmaltais