4

I am new to Kubernetes NetworkPolicy and the network plugin Calico.

I have successfully implemented Calico in my Kubernetes cluster:

[root@node1 ~]# kubectl get po --all-namespaces -o wide | grep calico
kube-system     calico-kube-controllers-5d8b5bc986-sllmk                          1/1       Running
kube-system     calico-node-4wk8f                                                 1/1       Running
kube-system     calico-node-5kz99                                                 1/1       Running
kube-system     calico-node-bfk9w                                                 1/1       Running
kube-system     calico-node-f2tb2                                                 1/1       Running
kube-system     calico-node-hrcf4                                                 1/1       Running
kube-system     calico-node-wvh8d                                                 1/1       Running

I have also configured relevant network policies and they work perfectly fine.

The only thing I am concerned about is logging. I am unable to find any logs that could tell me whether some request is being accepted or blocked.

I've tried checking the logs of the calico-nodes-* pods but they do not provide any reasonable logs.

Are there any other logs that I can look at?

lexsys

2 Answers

2

Kubernetes NetworkPolicy doesn't support logging, but Calico's native NetworkPolicy supports a "log" action that allows you to log packets to the system log.

Tigera's (disclaimer: I work for Tigera) commercial product, CNX, which is built on Calico, offers additional auditing and compliance features, so you might want to check that out.

Nicola Ben
Fasaxc
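
A sketch of the "log" action mentioned in the answer above, added here as an illustration and not taken from the original post. The policy name, namespace, labels and port are assumptions; the point is that a Log rule does not end evaluation, so it is placed directly before the Allow or Deny rule whose traffic should be recorded.

```yaml
# Added example: Calico-native NetworkPolicy (projectcalico.org/v3) that
# logs both accepted and rejected ingress to a workload.
# All names, labels and ports below are hypothetical.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: log-ingress-decisions     # hypothetical
  namespace: demo                 # hypothetical
spec:
  selector: app == 'backend'      # hypothetical label on the protected pods
  types:
    - Ingress
  ingress:
    # Rules are evaluated in order. Log records the packet and then
    # continues to the next rule, so pair it with the same match
    # criteria as the Allow rule that follows.
    - action: Log
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports: [8080]
    - action: Allow
      protocol: TCP
      source:
        selector: app == 'frontend'
      destination:
        ports: [8080]
    # Anything that reaches this point was not allowed above:
    # log it, then drop it explicitly.
    - action: Log
    - action: Deny
```

The policy is applied with `calicoctl apply -f <file>`. With the iptables data plane the Log action is implemented as an iptables LOG rule, so the entries land in the kernel log of the node hosting the pod (prefixed `calico-packet` by default), not in the calico-node pod logs.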
1

You can inspect calico-node container logs across your Kubernetes cluster under the path /var/log/calico; this can be changed via the --log-dir parameter of the calicoctl node run command, as described in this link.

However, if you want to observe logs along the CNI network, please visit this page.

I found it very helpful to log events from the Calico CNI using kubelet as the target point and then collect them via systemd; besides, you can specify a value for the log_level parameter.

Nick_Kh