{"id":21112,"date":"2019-09-17T08:24:53","date_gmt":"2019-09-17T06:24:53","guid":{"rendered":"https:\/\/www.inovex.de\/blog\/?p=16948"},"modified":"2024-07-09T07:23:09","modified_gmt":"2024-07-09T05:23:09","slug":"illuminatio-kubernetes-network-policy-validator","status":"publish","type":"post","link":"https:\/\/www.inovex.de\/de\/blog\/illuminatio-kubernetes-network-policy-validator\/","title":{"rendered":"illuminatio: the Kubernetes Network Policy Validator"},"content":{"rendered":"<p>Network policy validation basically ensures the functionality of your cluster\u2019s firewall and therefore is a really important topic if you are using <a href=\"https:\/\/www.inovex.de\/de\/leistungen\/cloud\/kubernetes\/\">kubernetes<\/a> and want to control the network behaviour of your pods. During the last months we further developed <a href=\"https:\/\/www.inovex.de\/blog\/test-kubernetes-network-policies\/\">the work of Maximillian Bischoff<\/a> and finally released our kubernetes network policy validator\u2014<a href=\"https:\/\/github.com\/inovex\/illuminatio\">illuminatio<\/a>.<!--more--><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Why-Do-You-Have-to-Validate-Network-Policies\"><\/span>Why Do You Have to Validate Network Policies?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Sometimes network policies are declared but not enforced. This can be the case if the nodes of your cluster do not synchronize the policies in time which can mean that your policies will only take effect on your nodes after plenty of time has passed, maybe minutes, maybe hours. 
Due to the implementation of network policies in Kubernetes there is currently no feedback whether a plugin has implemented the network policy or not. If your network plugin does not support network policies or implements them incorrectly, you will not receive any error message; the policies could even have unwanted side effects. This can be a security issue for your Kubernetes cluster if you rely on your policies to work properly. It is best to validate them and make sure they are in effect.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"What-is-illuminatio\"><\/span>What is illuminatio?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>illuminatio is a command line tool that automatically tests all your network policies in a Kubernetes cluster. It is written in Python and uses <a href=\"https:\/\/github.com\/kubernetes-client\/python\">the official kubernetes python package<\/a> to interact with a Kubernetes cluster in a similar way to kubectl. It automatically fetches existing network policies from the cluster, creates and executes suitable test cases within the cluster and reports the results.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"How-Does-illuminatio-Work\"><\/span>How Does illuminatio Work?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>illuminatio fetches all network policies of a cluster, evaluates them and creates proper test cases. 
After that it checks whether there are pods that should be affected by them; when there are pods missing to execute a test case they will be created as dummy pods.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-16949 size-full\" src=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog.png\" alt=\"Graphic showing the workflow of illuminatio fetching and validation network policies\" width=\"815\" height=\"389\" srcset=\"https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog.png 815w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog-300x143.png 300w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog-768x367.png 768w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog-400x191.png 400w, https:\/\/www.inovex.de\/wp-content\/uploads\/2019\/08\/illuminatio-blog-360x172.png 360w\" sizes=\"auto, (max-width: 815px) 100vw, 815px\" \/><\/p>\n<p>illuminatio will launch the\u00a0<span class=\"lang:default decode:true crayon-inline\">illuminatio runner<\/span> as a pod inside the cluster in the <span class=\"lang:default decode:true crayon-inline\">illuminatio<\/span>\u00a0namespace. The pod needs to be run with the capability <span class=\"lang:default decode:true crayon-inline \">SYS_ADMIN<\/span> because it jumps into Linux network namespaces (not to be confused with Kubernetes namespaces).\u00a0Linux network namespaces are a Linux kernel feature to isolate different processes on the network layer.<\/p>\n<p>The target pod&#8217;s network namespace will be fetched either by the <a href=\"https:\/\/github.com\/docker\/docker-py\">docker python library<\/a> or <a href=\"https:\/\/github.com\/kubernetes-sigs\/cri-tools\/blob\/master\/docs\/crictl.md\">crictl<\/a> depending on whether you are using Docker or a CRI compliant runtime. 
This is a workaround for the behaviour of the Docker runtime returning incomplete data when queried with crictl.<\/p>\n<p>To check whether a network policy is in effect, the\u00a0<span class=\"lang:default decode:true crayon-inline\">illuminatio runner<\/span> jumps into an affected pod and tries to perform network requests that should be affected by the policy. The results, which state whether a policy is in effect or not, are written into a dedicated config map within the cluster.<\/p>\n<p>The illuminatio CLI tool waits until all results have been written into the config map and prints the overall results to the command line.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Getting-Started\"><\/span>Getting Started<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>illuminatio is available as a PyPI package and can be easily installed with pip:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline\">pip install illuminatio<\/span><\/p>\n<p>Now you only need access to a Kubernetes cluster and a suitable kubeconfig file located at<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline\">~\/.kube\/config<\/span><\/p>\n<p>illuminatio will use your kubeconfig to interact with the cluster.<\/p>\n<p>Let\u2019s create some resources to perform tests with. 
First we will create an nginx server as a deployment:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline\">kubectl create deployment web --image=nginx<\/span><\/p>\n<p>However, this nginx server can only be reached under a random IP.<\/p>\n<p>With a service we can create a stable endpoint for our nginx deployment; we can create it implicitly by exposing our deployment:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline\">kubectl expose deployment web --port 80 --target-port 80<\/span><\/p>\n<p>Our nginx server can now always be reached on <span class=\"lang:sh decode:true crayon-inline \">http:\/\/web.default:80<\/span>.<\/p>\n<p>Finally we will create a network policy to prohibit any ingress traffic to our nginx deployment:<\/p>\n<pre class=\"lang:sh decode:true\" title=\"Create a NetworkPolicy with kubectl\">cat &lt;&lt;EOF | kubectl apply -f -\r\nkind: NetworkPolicy\r\napiVersion: networking.k8s.io\/v1\r\nmetadata:\r\n  name: web-deny-all\r\nspec:\r\n  podSelector:\r\n    matchLabels:\r\n      app: web\r\n  # An empty ingress list allows no inbound traffic to the selected pods\r\n  ingress: []\r\nEOF<\/pre>\n<p>Now we are ready to test our setup with illuminatio:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline\">illuminatio run<\/span><\/p>\n<pre class=\"lang:default decode:true\">Starting test generation and run.\r\nGot cases: [NetworkTestCase(from=ClusterHost(namespace=default, podLabels={'app': 'web'}), to=ClusterHost(namespace=default, podLabels={'app': 'web'}), port=-*)]\r\nGenerated 1 cases in 0.0730 seconds\r\nFROM                      TO                       PORT\r\ndefault:app=web           default:app=web          -*\r\nUsing existing cluster role\r\nCreating cluster role binding\r\nTestResults: {'default:app=web': {'default:app=web': {'-*': {'success': True}}}}\r\nFinished running 1 tests in 34.6288 seconds\r\nFROM                      TO                       PORT      RESULT\r\ndefault:app=web           default:app=web          -*        success<\/pre>\n<p>As the output <span class=\"lang:default decode:true crayon-inline\">success<\/span> suggests, the run has been successful, which means that the tested network policy is in effect as expected. This is far more convenient than testing each policy manually by interactively entering your pods with <span class=\"lang:sh decode:true crayon-inline\">kubectl exec<\/span>.<\/p>\n<p>During this run, illuminatio has created several resources in your cluster, which you might want to remove afterwards. This can be easily done with another single command:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline \">illuminatio clean<\/span><\/p>\n<pre class=\"lang:default decode:true\">Starting cleaning resources with policies ['on-request', 'always']\r\nDeleting namespaces ['illuminatio'] with cleanup policy on-request\r\nDeleting namespaces [] with cleanup policy always\r\n...\r\nDeleting SAs in default with cleanup policy always\r\nFinished cleanUp<\/pre>\n<p>Note: If you run illuminatio again on the same cluster, make sure to include the clean command, as existing resources will otherwise influence the results:<\/p>\n<p><span class=\"lang:sh decode:true crayon-inline \">illuminatio clean run<\/span><\/p>\n<p>You can run this command as often as you&#8217;d like without affecting other resources in the cluster.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Improvements-Since-the-Original-Implementation\"><\/span>Improvements Since the Original Implementation<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Many things have changed and improved since the initial implementation which <a href=\"https:\/\/www.inovex.de\/blog\/test-kubernetes-network-policies\/\">our last post<\/a> described:<\/p>\n<ul>\n<li>The overall code quality has improved.<\/li>\n<li>Pipelines have been built.<\/li>\n<li>In addition to CRI-compliant runtimes like containerd, illuminatio now also supports the Docker runtime on your Kubernetes 
nodes.\n<ul>\n<li>This was achieved by inspecting the so-called pause container.<\/li>\n<li>Each Kubernetes pod contains an additional pause container which itself contains information like the network namespace in which the pod is running.<\/li>\n<\/ul>\n<\/li>\n<li>The functionality of illuminatio is now also tested inside the pipeline by spawning Kubernetes clusters, creating network policies with suitable resources and then running illuminatio against each cluster to validate the policies.\n<ul>\n<li>Initially only Minikube was used as a test environment both locally and in the pipeline. However, despite our efforts it was not possible to run Minikube within a Travis CI VM with the containerd runtime. With a new version of Minikube it was finally possible to run it with containerd in Travis CI.<\/li>\n<\/ul>\n<\/li>\n<li>illuminatio was also <a href=\"https:\/\/pypi.org\/project\/illuminatio\/\">released as a Python package<\/a> on PyPI using PyScaffold.<\/li>\n<li>illuminatio received documentation for both users and developers to get an overview of its design and use.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"How-illuminatio-Differs-from-Other-Network-Policy-Validation-Tools\"><\/span>How illuminatio Differs from Other Network Policy Validation Tools<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Another tool for network policy validation is <a href=\"https:\/\/github.com\/controlplaneio\/netassert\">netassert<\/a>.\u00a0Netassert requires you to provide a config with the test cases to be executed and requires direct SSH access to the Kubernetes node on which your test pods are running. Another restriction is that this only works if your pods have been created by a deployment.<\/p>\n<p>Netassert uses the <span class=\"lang:default decode:true crayon-inline \">docker run --net<\/span> feature to enter the network namespace of the pod\u2019s pause container. 
Its biggest restriction\u2014other than the tedious work of writing your own test cases\u2014is, however, that you can only use it in a Kubernetes cluster using the Docker runtime. Clusters using other runtimes like containerd cannot use netassert at all.<\/p>\n<p>Also, there is\u00a0<a href=\"https:\/\/github.com\/heptio\/sonobuoy\">sonobuoy<\/a>. Sonobuoy is actually a diagnostic tool to do things like conformance testing of Kubernetes clusters, however you can also <a href=\"https:\/\/alexbrand.dev\/post\/testing-kubernetes-network-policy-enforcement-with-sonobuoy\/\">execute NetworkPolicy e2e tests with it<\/a>.<\/p>\n<p>You only need access to a Kubernetes cluster with a proper kubeconfig and sonobuoy will be ready to use for this purpose. I haven&#8217;t had much experience with this tool, but it struck me that it takes plenty of time until you receive any results at all from it; a notice in the command line even tells you that it can take up to 60 minutes until the run is complete.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Future-Work\"><\/span>Future Work<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>illuminatio is still in its early days and has a bunch of issues we want to address in the future:<\/p>\n<ul>\n<li>Egress policies are not supported yet.<\/li>\n<li>There is no validation of the e2e test results yet.<\/li>\n<li>Each new run requires a <em>clean<\/em>\u00a0beforehand because the runner does not continuously look for new cases.<\/li>\n<li>Only policies affecting intra-cluster traffic are examined.<\/li>\n<li>CIDR notation in policies is not supported yet.<\/li>\n<\/ul>\n<p>You can find the entire issue list on <a href=\"https:\/\/github.com\/inovex\/illuminatio\/issues\">Github<\/a>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"The-End\"><\/span>The End<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Thanks a lot for reading this blog post! 
If you liked it or want to provide any feedback make sure to <a href=\"https:\/\/github.com\/inovex\/illuminatio\">checkout our Github<\/a> and share your wishes and experiences with illuminatio. We are excited to see your contributions in the next release of illuminatio!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Network policy validation basically ensures the functionality of your cluster\u2019s firewall and therefore is a really important topic if you are using kubernetes and want to control the network behaviour of your pods. During the last months we further developed the work of Maximillian Bischoff and finally released our kubernetes network policy validator\u2014illuminatio.<\/p>\n","protected":false},"author":127,"featured_media":17104,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"ep_exclude_from_search":false,"footnotes":""},"tags":[71],"service":[414,423],"coauthors":[{"id":127,"display_name":"Henning H\u00e4cker","user_nicename":"hhaecker"}],"class_list":["post-21112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","tag-cloud","service-cloud","service-kubernetes"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/21112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/users\/127"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/comments?post=21112"}],"version-history":[{"count":2,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/21112\/revisions"}],"predecessor-version":[{"id":55547,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/posts\/21112\/revisions\/55547"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media\/17104"}],"wp:attachment":[{"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/media?parent=21112"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/tags?post=21112"},{"taxonomy":"service","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/service?post=21112"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.inovex.de\/de\/wp-json\/wp\/v2\/coauthors?post=21112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}