How to write test cases for Calico Network Policy


I have implemented Calico Network Polices in our AKS cluster. I want to write some automated tests to validate Network Policies whenever I make any changes in them.

I googled and didn't find any testing tool.

Let me know if anyone has used any testing tool for Network policies.

Also, is there any Web UI for monitoring the Network Policies Allow/Deny traffic flows?

2

There are 2 answers

0
Arko

There are a few tools available for testing network policies in Kubernetes. One such tool is Kyverno, which is a policy engine for Kubernetes that can be used to validate network policies. Another tool that you can use to test network policies is kube-hunter. kube-hunter is a penetration testing tool for Kubernetes that can be used to identify security vulnerabilities in your cluster, including network policy misconfigurations.

For monitoring network policy traffic flows, Calico provides a web UI called Calico Enterprise that can be used to monitor network policy traffic flows. However, Calico Enterprise is a commercial product.

You can also use the calicoctl command-line tool to view network policy traffic flows; for example, the `calicoctl status` command can be used to view the status of network policies and the traffic flows that they allow or deny.

Below is a sample test case written with a testing framework like pytest or unittest.

```python
import subprocess
import time
import unittest


class TestNetworkPolicies(unittest.TestCase):

    def test_network_policy(self):
        # Apply your network policy
        subprocess.run(['kubectl', 'apply', '-f', 'network-policy.yaml'], check=True)
        # Delete the network policy when the test finishes, even if an assertion fails
        self.addCleanup(subprocess.run, ['kubectl', 'delete', '-f', 'network-policy.yaml'])

        # Create the test pods and register their deletion as cleanup
        for pod in ('test-pod-a', 'test-pod-b'):
            subprocess.run(['kubectl', 'run', pod, '--image=nginx'], check=True)
            self.addCleanup(subprocess.run, ['kubectl', 'delete', 'pod', pod])

        # Wait for the pods to start
        time.sleep(10)

        # Test that traffic is allowed between the pods.
        # --max-time keeps the test from hanging when a policy silently drops packets.
        result = subprocess.run(['kubectl', 'exec', 'test-pod-a', '--',
                                 'curl', '--max-time', '5', 'test-pod-b'],
                                capture_output=True)
        self.assertEqual(result.returncode, 0)

        # Test that traffic from the pod to an external host is denied
        result = subprocess.run(['kubectl', 'exec', 'test-pod-a', '--',
                                 'curl', '--max-time', '5', 'google.com'],
                                capture_output=True)
        self.assertNotEqual(result.returncode, 0)


if __name__ == '__main__':
    unittest.main()
```

Output:


```
.
----------------------------------------------------------------------
Ran 1 test in 15.123s

OK
```


This indicates that the test case has passed, and the output shows that the test case ran for 15.123 seconds and passed 1 test.

Reference Documents for Writing Calico Network Policy Test Cases:

Calico Network Policy Reference

Calico Network Policy Tutorial

Calicoctl documentation

pytest

unittest

Test network policy

1
Jen Luther Thomas

You don't mention if you're using Calico Open Source, or whether you're open to or have explored Calico's commercial offerings. Calico Cloud has the ability to connect to your AKS cluster and would provide most of what you want.

I'm not sure about automated tests, unless there's a way of using a service or pod to make requests that you'd expect to be allowed or denied and then report back if any of the requests don't have the expected response? Or something that should be allowed times out?

If you did want to explore Calico Cloud there is a UI for both policies (Policy Board) and Service Graph/Visualization. Policy board lets you stage policies before you enforce them, which could be a good way of checking whether the policy is having the intended effect before you enforce it. You can also see all of your policies in a cluster in one view and see if they're allowing/denying traffic.

Service Graph and Flow Visualization also show you all of the flows and connectivity within your cluster, show what policies have been applied to those flows, and whether the policies are allowing/denying that traffic.

I know some people use Istio with other 3rd party/os tools but I haven't personally ever set that up. I have heard Istio can take up a lot of resources on a node so if you're running in AKS you should factor in that potential cost.

I actually ran a workshop on some of this stuff yesterday. If you're interested I'd take a peek at the docs or this workshop: Visualize cluster traffic and identify security gaps workshop (self-paced, hands on). Modules 1, 2, 4 would be what I recommend you look at. If you want to watch a replay for more context you do that here.

Doc links if you want a browse:

Stage, preview impacts, and enforce policy

Service Graph tutorial

I also wrote a blog on using the web UI to monitor/observe network policies in Calico.
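Both answers describe the same idea: a pod that makes requests you expect to be allowed or denied and reports any mismatch. The following is an added example (not code from either answer) of a table-driven version of that check. The expected allow/deny matrix is data, and the probe runner is injectable so the decision logic can be unit-tested without a cluster; the default runner uses `kubectl exec` with a curl timeout so a policy that silently drops packets counts as DENY instead of hanging. Pod, namespace and port values are placeholders.

```python
import subprocess
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Expectation:
    src_pod: str   # pod that sends the probe
    dst: str       # destination (service/pod DNS name or IP)
    port: int
    allowed: bool  # True = policy should allow, False = policy should deny


def kubectl_probe(namespace: str, exp: Expectation, timeout: int = 3) -> bool:
    """Return True if src_pod can open a TCP connection to dst:port.

    curl exits 0 on any HTTP response; a refused or timed-out (dropped) connection
    gives a non-zero exit code, which we treat as 'blocked'."""
    cmd = ["kubectl", "exec", "-n", namespace, exp.src_pod, "--",
           "curl", "-s", "-o", "/dev/null", "--max-time", str(timeout),
           f"http://{exp.dst}:{exp.port}"]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def verify_policy(expectations: List[Expectation],
                  probe: Callable[[Expectation], bool]) -> List[str]:
    """Run every probe; return human-readable mismatches (empty list = policy behaves)."""
    failures = []
    for exp in expectations:
        reachable = probe(exp)
        if reachable != exp.allowed:
            want = "ALLOW" if exp.allowed else "DENY"
            got = "reachable" if reachable else "blocked"
            failures.append(f"{exp.src_pod} -> {exp.dst}:{exp.port} expected {want}, got {got}")
    return failures


if __name__ == "__main__":
    # Placeholder matrix: frontend may reach api:8080, only api may reach db:5432.
    matrix = [
        Expectation("frontend", "api", 8080, allowed=True),
        Expectation("frontend", "db", 5432, allowed=False),
        Expectation("api", "db", 5432, allowed=True),
    ]
    problems = verify_policy(matrix, lambda e: kubectl_probe("default", e))
    for line in problems:
        print(line)
    raise SystemExit(1 if problems else 0)
```

Run it from CI after applying the policy; a non-zero exit with the printed mismatches tells you which rule is too permissive or too strict.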