Project calico documentation: Expand calico network policy log documentation #540
Comments
|
To my first note: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
{{ message }}
As a Kubernetes beginner, I started to secure the K8s Cluster with Calico Network Policyies and also wanted to log a few of them. I had to struggle with some problems there at the beginning, because I didn't understand how logging works at calico. Therefore I had looked for help in Slack (and got it successfully) :)
To make it easier for more beginners I made some notes and thought about what could be added in the documentation.
I figured out (maybe a bug) that if you want to allow/deny and log something, the "Log" action have to be always before the allow/deny action in the order . When not, nothing will be logged, because that creates two iptables rules. I would name this on the documentation
It would have been a great help to me if the logging of Calico's network policies had been better described . Before I had an conversation with Lance from calico, I didn´t know anything about that. I would explain that calico "only" adds some parameter to the iptables rule like the logging and prefix parameter. Also that the responsibility of calico ends (at least currently) there. Maybe also the standard syslog path like /var/log/messages or /var/log/syslog. I was only looking before at /var/log/calico/...
Best Practise Network Policy Logging: e.g. Global Deny, that logs each connection attempt, which will be dropped
Example Calico Network Policy Log
The text was updated successfully, but these errors were encountered: