Periodically probe the network to detect when security assumptions are violated.

Netchecks takes a cloud native, policy as code approach, making no assumptions about how your security controls are implemented.

k8s-api-assertion.yaml

apiVersion: netchecks.io/v1
kind: NetworkAssertion
metadata:
  name: http-k8s-api-should-work
  namespace: default
  annotations:
    description: Assert pod can connect to k8s API
spec:
  schedule: "@hourly"
  rules:
    - name: kubernetes-version
      type: http
      url: https://kubernetes/version
      verify-tls-cert: false
      expected: pass
      validate:
        message: Http request to Kubernetes API should succeed.

Introduction


Why does this exist?

Like all software, security controls such as firewalls and network policies need validation to ensure they are working as intended. This validation is often done manually as part of a one-off cyber-security review. Best practice is to configure automated checks that notify team members when a security control is not working as expected. These can be as simple as a curl command in a cron job that tries to reach a service that should be blocked and alerts if the request succeeds. With Netchecks, you declare these checks as Kubernetes resources and have them run automatically on a schedule; Netchecks creates PolicyReports that can be used for audit purposes and to trigger actions, alerts and notifications.

Quick start

The Netchecks operator is a Kubernetes operator that helps users verify network policies and connectivity within their clusters. By creating NetworkAssertions, users can automate and schedule network tests, making it easier to ensure the network is operating as expected.

Prerequisites

Before installing the Netchecks operator, ensure you have the following:

  • A Kubernetes cluster up and running
  • kubectl installed and configured to communicate with your cluster

Installation

Install the Netchecks operator with:

kubectl create namespace netchecks
kubectl apply -f https://github.com/hardbyte/netchecks/raw/main/operator/manifests/deploy.yaml

Wait until the netchecks namespace is running a Deployment with a ready Pod:

kubectl wait Deployment -n netchecks -l app.kubernetes.io/instance=netchecks-operator --for condition=Available --timeout=90s

Basic Usage

Create and apply your NetworkAssertions like any other Kubernetes resource.

For example, a NetworkAssertion with a single rule that checks that HTTP requests to the Kubernetes API succeed:

apiVersion: netchecks.io/v1
kind: NetworkAssertion
metadata:
  name: http-k8s-api-should-work
  namespace: default
  annotations:
    description: Assert pod can connect to k8s API
spec:
  template:
    metadata:
      labels:
        optional-label: applied-to-test-pod
  schedule: "@hourly"
  rules:
    - name: kubernetes-version
      type: http
      url: https://kubernetes/version
      verify-tls-cert: false
      expected: pass
      validate:
        message: Http request to Kubernetes API should succeed.
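The "service that should be blocked" case from the motivation above, written as a NetworkAssertion. This is an added example, not one of the Netchecks project's own manifests; it assumes the `expected: fail` value (the counterpart of `expected: pass` used above) and uses a constructed label and URL. The probe pod carries the same label that the NetworkPolicy being tested selects, so the check exercises the policy rather than bypassing it.

```yaml
apiVersion: netchecks.io/v1
kind: NetworkAssertion
metadata:
  name: egress-to-billing-should-be-blocked
  namespace: default
  annotations:
    description: Pods labelled tier=frontend must not reach the billing service
spec:
  template:
    metadata:
      labels:
        # Constructed label: must match the podSelector of the NetworkPolicy
        # under test, otherwise the probe pod is outside the policy's scope.
        tier: frontend
  # Run every 10 minutes so a regression is noticed quickly.
  schedule: "*/10 * * * *"
  rules:
    - name: billing-api-denied
      type: http
      # Constructed in-cluster URL of the service the policy should block.
      url: http://billing.payments.svc.cluster.local/health
      # Assumed value: the rule passes only when the request does NOT succeed.
      expected: fail
      validate:
        message: Frontend pods must be denied egress to the billing service.
```

If the NetworkPolicy is removed or weakened, the request succeeds, the rule fails, and the resulting PolicyReport records the failure for alerting.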

What happens next?

Once you have applied the NetworkAssertion, Netchecks reacts by creating a CronJob in the same namespace to probe the network according to your schedule. After the first test has run Netchecks creates a PolicyReport resource with the same name in the same namespace as the NetworkAssertion. The PolicyReport contains information about the test run and the results of the test.
