Viewing derived network rules for a container

This document (000020926) is provided subject to the disclaimer at the end of this document.

Resolution

When a deployed network policy is not working as expected, reviewing the derived network rules for the specific container can reveal the fully implemented rules.  The output includes the policy id, from, to, port, application, action, ingress and domain. 

Derived Rule Column Definitions:

policy_idPolicy id as reported in the Console
fromsource IP
todestination IP
portprotocol and port, any equates to any combination of protocol/port
applicationlayer 7 application name
action

check_app=action against application

learn=learned rule

allow=permit traffic

violate=permit traffic but alert on it

deny=block traffic

ingress

True=traffic to

False=traffic from

domain

fqdn (IE: group with address=mail.yahoo.com will result in domain=mail.yahoo.com)

 

Obtain Derived Network Rule List

Login to the CLI

# kubectl -n neuvector exec -it neuvector-manager-pod-name -- cli # #neuvector-svc-controller.neuvector> login

Obtain a list of containers and get network rules for the container

# admin#neuvector-svc-controller.neuvector> show container -c <container_name_substring> 
# admin#neuvector-svc-controller.neuvector> show policy derived -c <container_id>

Exit CLI

# admin#neuvector-svc-controller.neuvector> logout 
# #neuvector-svc-controller.neuvector> exit
 

Example Group Policies (not real world example)

examplegrouppolicies.png

Example of a derived rule list for a container with the above policies under Discover mode:

policy_idfromtoportapplicationactioningressdomain
2192.168.243.22969.147.88.7tcp/997 allowFalsemail.yahoo.com
2192.168.243.22969.147.88.8tcp/997 allowFalsemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
10023192.168.49.128192.168.243.229

any

 check_appTrue 
10023192.168.49.128192.168.243.229anyHTTPlearnTrue 
10023192.168.1.192192.168.243.229any check_appTrue 
10023192.168.1.192192.168.243.229anyHTTPlearnTrue 
10023192.168.243.192192.168.243.229any check_appTrue 
10023192.168.243.192192.168.243.229anyHTTPlearnTrue 
10023192.168.162.128192.168.243.229any check_appTrue 
10023192.168.162.128192.168.243.229anyHTTPlearnTrue 

Example of a derived rule list for a container with the above policies under Monitor mode:

policy_idfromtoportapplicationactioningressdomain
2192.168.243.22969.147.88.7tcp/997 allowFalsemail.yahoo.com
2192.168.243.22969.147.88.8tcp/997 allowFalsemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
10023192.168.49.128192.168.243.229

any

 check_appTrue 
10023192.168.49.128192.168.243.229anyHTTPallowTrue 
10023192.168.1.192192.168.243.229any check_appTrue 
10023192.168.1.192192.168.243.229anyHTTPallowTrue 
10023192.168.243.192192.168.243.229any check_appTrue 
10023192.168.243.192192.168.243.229anyHTTPallowTrue 
10023192.168.162.128192.168.243.229any check_appTrue 
10023192.168.162.128192.168.243.229anyHTTPallowTrue 
0x.x.x.x192.168.243.229any learnTrue 
........................
0192.168.243.229192.168.243.229any violateTrue 

Example of a derived rule list for a container with the above policies under Protect mode:

policy_idfromtoportapplicationactioningressdomain
2192.168.243.22969.147.88.7tcp/997 allowFalsemail.yahoo.com
2192.168.243.22969.147.88.8tcp/997 allowFalsemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.7192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022 check_appTruemail.yahoo.com
169.147.88.8192.168.243.229tcp/2022NTP,SSHallowTruemail.yahoo.com
10023192.168.49.128192.168.243.229

any

 check_appTrue 
10023192.168.49.128192.168.243.229anyHTTPallowTrue 
10023192.168.1.192192.168.243.229any check_appTrue 
10023192.168.1.192192.168.243.229anyHTTPallowTrue 
10023192.168.243.192192.168.243.229any check_appTrue 
10023192.168.243.192192.168.243.229anyHTTPallowTrue 
10023192.168.162.128192.168.243.229any check_appTrue 
10023192.168.162.128192.168.243.229anyHTTPallowTrue 
0x.x.x.x192.168.243.229any learnTrue 
........................
0192.168.243.229192.168.243.229any denyTrue 

NOTE: Policy ID 0 is for implied rules.  Under Monitor and Protect mode, the last imply rule will either violate (alert but permit traffic) or deny (block traffic).

 



 

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020926
  • Creation Date: 17-Jan-2023
  • Modified Date:18-Jan-2023
    • SUSE NeuVector

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center
Report a Software Vulnerability Submit Tips, Tricks, and Tools Download Free Tools