Note: if you are running CloudGraph locally, you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the information below, we highly suggest you use one of these tools to test your queries, as they autocomplete fields for you and tell you whether your queries are valid before you submit them.
You can currently query the following attributes and connections on a k8s Network Policy:
type k8sNetworkPolicy {
  id: String!
  context: String!
  apiVersion: String
  kind: String
  metadata: {
    id: String
    annotations: {
      id: String!
      key: String
      value: String
    }
    clusterName: String
    creationTimestamp: String
    deletionGracePeriodSeconds: Int
    deletionTimestamp: String
    finalizers: [String]
    generateName: String
    generation: Int
    labels: {
      id: String!
      key: String
      value: String
    }
    ownerReferences: {
      id: String!
      apiVersion: String
      blockOwnerDeletion: Boolean
      controller: Boolean
      kind: String
      name: String
    }
    name: String
    namespace: String
    resourceVersion: String
    selfLink: String
  }
  spec {
    egress {
      id: String
      ports {
        id: String
        endPort: Int
        port: String
        protocol: String
      }
      to {
        id: String
        ipBlock {
          cidr: String
          except: [String]
        }
        namespaceSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
        podSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
      }
    }
    ingress {
      id: String
      ports {
        id: String
        endPort: Int
        port: String
        protocol: String
      }
      from {
        id: String
        ipBlock {
          cidr: String
          except: [String]
        }
        namespaceSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
        podSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
      }
    }
    podSelector {
      matchExpressions {
        id: String
        key: String
        operator: String
        values: [String]
      }
      matchLabels {
        id: String
        key: String
        value: String
      }
    }
    policyTypes: [String]
  }
  namespace {
    id
  }
}
Get data for a single network policy that you know the id for:
query {
  getk8sNetworkPolicy(id: "12345") {
    id
  }
}
Get data for all of the network policies in a certain k8s Context:
query {
  queryk8sNetworkPolicy(filter: { context: { eq: "my-context-name" } }) {
    id
  }
}
Get data for all of the network policies NOT in a certain k8s Context:
query {
  queryk8sNetworkPolicy(filter: { not: { context: { eq: "my-context-name" } } }) {
    id
  }
}
Get data for all of the network policies that have a namespace:
query {
  queryk8sNetworkPolicy(filter: { has: namespace }) {
    id
  }
}
Use multiple filter selectors (i.e. has, and, not, or) to get data for all of the network policies that have a namespace AND kind OR that do not have a spec. Note that you can use has, and, not, and or completely independently of each other:
query {
  queryk8sNetworkPolicy(
    filter: {
      has: namespace
      and: { has: kind }
      or: { not: { has: spec } }
    }
  ) {
    id
  }
}
You may also filter using a regex when filtering on a string field such as context, for example to look for a value that matches some-value (case insensitive):
query {
  queryk8sNetworkPolicy(
    filter: { context: { regexp: "/.*some-value.*/i" } }
  ) {
    id
  }
}
You can order the results you get back either asc or desc depending on your preference:
query {
  queryk8sNetworkPolicy(order: { desc: context }) {
    context
  }
}
Only select and return the first two network policies that are found:
query {
  queryk8sNetworkPolicy(first: 2, order: { desc: apiVersion }) {
    apiVersion
  }
}
Only select and return the first two network policies that are found, but offset by one so network policies two & three are returned:
query {
  queryk8sNetworkPolicy(first: 2, order: { desc: context }, offset: 1) {
    id
    context
  }
}
Count the number of network policies across all scanned K8s contexts:
query {
  aggregatek8sNetworkPolicy {
    count
  }
}
Count the number of network policies in a single context. Note that you can apply all of the same filters that are listed above to aggregate queries:
query {
  aggregatek8sNetworkPolicy(filter: { context: { eq: "my-context-name" } }) {
    count
  }
}
Putting it all together: get all data for all network policies across all k8s contexts in a single query. For the purposes of this example we will only get direct children of the network policy, but if you want to, it's easy to go from, say, networkPolicy -> namespace -> job, etc.:
query {
  queryk8sNetworkPolicy {
    id
    context
    apiVersion
    kind
    metadata {
      id
      annotations {
        id
        key
        value
      }
      clusterName
      creationTimestamp
      deletionGracePeriodSeconds
      deletionTimestamp
      finalizers
      generateName
      generation
      labels {
        id
        key
        value
      }
      ownerReferences {
        id
        apiVersion
        blockOwnerDeletion
        controller
        kind
        name
      }
      name
      namespace
      resourceVersion
      selfLink
    }
    spec {
      egress {
        id
        ports {
          id
          endPort
          port
          protocol
        }
        to {
          id
          ipBlock {
            cidr
            except
          }
          namespaceSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
          podSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
        }
      }
      ingress {
        id
        ports {
          id
          endPort
          port
          protocol
        }
        from {
          id
          ipBlock {
            cidr
            except
          }
          namespaceSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
          podSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
        }
      }
      podSelector {
        matchExpressions {
          id
          key
          operator
          values
        }
        matchLabels {
          id
          key
          value
        }
      }
      policyTypes
    }
    namespace {
      id
      context
      apiVersion
      kind
      metadata {
        id
        annotations {
          id
          key
          value
        }
        clusterName
        creationTimestamp
        deletionGracePeriodSeconds
        deletionTimestamp
        finalizers
        generateName
        generation
        labels {
          id
          key
          value
        }
        ownerReferences {
          id
          apiVersion
          blockOwnerDeletion
          controller
          kind
          name
        }
        name
        namespace
        resourceVersion
        selfLink
      }
      spec {
        finalizers
      }
      status {
        phase
        conditions {
          id
          lastHeartbeatTime
          lastTransitionTime
          message
          reason
          status
          type
        }
      }
      networkPolicies {
        id
      }
      nodes {
        id
      }
      pods {
        id
      }
      deployments {
        id
      }
      ingresses {
        id
      }
      secrets {
        id
      }
      services {
        id
      }
      serviceAccounts {
        id
      }
      storageClasses {
        id
      }
      persistentVolumes {
        id
      }
      persistentVolumeClaims {
        id
      }
      roles {
        id
      }
      jobs {
        id
      }
      cronJobs {
        id
      }
    }
  }
}
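The ipBlock fields under spec.ingress.from and spec.egress.to are the ones to check when reviewing these results for rules that admit every address. The Python below is an added example, not CloudGraph's own code: the function names, the sample records and the assumption that an omitted from/to list comes back as null or an empty list are all hypothetical, and the input is the list found under data.queryk8sNetworkPolicy in the response.

```python
import ipaddress

# Send this to your CloudGraph GraphQL endpoint; every field is from the schema above.
QUERY = """
query {
  queryk8sNetworkPolicy {
    id
    metadata { name namespace }
    spec {
      ingress { from { ipBlock { cidr except } } }
      egress { to { ipBlock { cidr except } } }
    }
  }
}
"""

def open_peers(rules, peer_key):
    """Yield a reason for each rule that admits every address."""
    for rule in rules or []:
        peers = rule.get(peer_key) or []
        if not peers:  # assumption: an omitted from/to comes back as null or []
            yield "no peers listed, so the rule matches all of them"
        for peer in peers:
            block = peer.get("ipBlock") or {}
            cidr = block.get("cidr")
            if cidr and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                yield f"ipBlock {cidr} (except: {block.get('except') or []})"

def audit(policies):
    """Return (namespace/name, direction, reason) for each wide-open rule."""
    findings = []
    for policy in policies:
        meta, spec = policy["metadata"], policy.get("spec") or {}
        name = f"{meta['namespace']}/{meta['name']}"
        for direction, peer_key in (("ingress", "from"), ("egress", "to")):
            for reason in open_peers(spec.get(direction), peer_key):
                findings.append((name, direction, reason))
    return findings

# Constructed sample of the list returned under data.queryk8sNetworkPolicy.
SAMPLE = [
    {"id": "np-1", "metadata": {"name": "allow-web", "namespace": "shop"},
     "spec": {"ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}]}},
    {"id": "np-2", "metadata": {"name": "db-only", "namespace": "shop"},
     "spec": {"ingress": [{"from": [{"ipBlock": {"cidr": "10.1.0.0/16", "except": None}}]}],
              "egress": [{"to": []}]}},
]

if __name__ == "__main__": print(*audit(SAMPLE), sep="\n")
```

An except list narrows a /0 block but does not make it restrictive, so such rules are still reported with their exceptions shown for review.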