Skip to content

Ivanhahanov/hubble2np

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
.github/workflows
.github/workflows
 
 
cmd
cmd
 
 
pkg
pkg
 
 
.gitignore
.gitignore
 
 
.goreleaser.yaml
.goreleaser.yaml
 
 
.releaserc.yml
.releaserc.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
go.mod
go.mod
 
 
go.sum
go.sum
 
 

Repository files navigation

hubble2np

Utility to analyze Hubble Flow and convert it to Cilium Network Policies

Install

You can download hubble2np from Github Releases

Macos

Download for MacOS on ARM

wget -c https://github.com/Ivanhahanov/hubble2np/releases/download/0.1.0/hubble2np_Darwin_arm64.tar.gz -O - | tar -xz

Linux

Download for Linux on AMD

wget -c https://github.com/Ivanhahanov/hubble2np/releases/download/0.1.0/hubble2np_Linux_x86_64.tar.gz
 -O - | tar -xz

Move to system PATH

Move the hubble2np binary to a file location on your system PATH

sudo mv ./hubble2np /usr/local/bin/hubble2np

Usage

hubble2np works with hubble flow in json format. To generate a policy or graph you need to pass json as input using stdin.

hubble observe -n dev --since 1m -o json | hubble2np

Tip

Generated policies can be redirected to a file

... | hubble2np > policies.json

To get the flow you can use the hubble utility. You need port-forward to access the hubble api.

cilium hubble port-forward&

You can also start port-forward with kubectl.

Read from file

If there is no direct access to the hubble api, you can read the stream from a prepared file.

# export flow to json
hubble observe -n dev --since 1m -o json > flow.json
# generate policies
cat flow.json | hubble2np

Show Graph

To view the graph you can use the corresponding command

cat flow.json | hubble2np graph

Tip

This graph can be used for debugging or checking the correctness of input data for policy generation

Options

NAME:
   hubble2np - generate Cilium Network Policies from Hubble flow

USAGE:
   hubble2np [global options] [command [command options]]

COMMANDS:
   graph    Show graph
   help, h  Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --nodns      disable dns (default: false)
   --ports, -p  enable ports (default: false)
   --help, -h   show help

Example Policy

# cat flow.json | hubble2np -p
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  creationTimestamp: null
  name: app
  namespace: test
spec:
  egress:
  - toEndpoints:
    - matchLabels:
        app: app
        io.kubernetes.pod.namespace: dev
    toPorts:
    - ports:
      - port: "8080"
  - toEndpoints:
    - matchLabels:
        k8s-app: kube-dns
        io.kubernetes.pod.namespace: kube-system
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: '*'
  enableDefaultDeny: {}
  endpointSelector:
    matchLabels:
      app: app
      io.kubernetes.pod.namespace: test
  ingress:
  - fromEndpoints:
    - matchLabels:
        app: api
        io.kubernetes.pod.namespace: dev
    toPorts:
    - ports:
      - port: "8080"
  - fromEndpoints:
    - matchLabels:
        app: app
        io.kubernetes.pod.namespace: dev
    toPorts:
    - ports:
      - port: "8080"

Example graph

# cat flow.json | hubble2np graph
[test/app] -> dev/app -> [test/app,dev/api]
[dev/app,dev/api] -> test/app -> [dev/app]
[dev/app] -> dev/api -> [test/app]

About

Convert Hubble Flow to Cilium Network Policies

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases 1

0.1.0 Latest
Jan 5, 2025

Packages

 
 
 

Contributors

Languages