
Network Policy


Note: if you are running CloudGraph locally you can view the interactive, automatically generated documentation in either GraphQL Playground or Altair by clicking the docs button on the right-hand side of the screen. After reading the below information we highly suggest you use one of these tools to test your queries as they will autocomplete fields for you and let you know if your queries are valid before you even submit them.

Overview

You can currently query the following attributes and connections on a k8s Network Policy:

GraphQL
|
type k8sNetworkPolicy {
  id: String!
  context: String!
  apiVersion: String
  kind: String
  metadata: {
    id: String
    annotations: {
      id: String!
      key: String
      value: String
    }
    clusterName: String
    creationTimestamp: String
    deletionGracePeriodSeconds: Int
    deletionTimestamp: String
    finalizers: [String]
    generateName: String
    generation: Int
    labels: {
      id: String!
      key: String
      value: String
    }
    ownerReferences: {
      id: String!
      apiVersion: String
      blockOwnerDeletion: Boolean
      controller: Boolean
      kind: String
      name: String
    }
    name: String
    namespace: String
    resourceVersion: String
    selfLink: String
  }
  spec {
    egress {
      id: String
      ports {
        id: String
        endPort: Int
        port: String
        protocol: String
      }
      to {
        id: String
        ipBlock {
          cidr: String
          except: [String]
        }
        namespaceSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
        podSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
      }
    }
    ingress {
      id: String
      ports {
        id: String
        endPort: Int
        port: String
        protocol: String
      }
      from {
        id: String
        ipBlock {
          cidr: String
          except: [String]
        }
        namespaceSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
        podSelector {
          matchExpressions {
            id: String
            key: String
            operator: String
            values: [String]
          }
          matchLabels {
            id: String
            key: String
            value: String
          }
        }
      }
    }
    podSelector {
      matchExpressions {
        id: String
        key: String
        operator: String
        values: [String]
      }
      matchLabels {
        id: String
        key: String
        value: String
      }
    }
    policyTypes: [String]
  }
  namespace {
    id
    # Other namespace fields
  }
}


Filtering

Get data for a single network policy that you know the id for:

GraphQL
|
query {
  getk8sNetworkPolicy(id: "12345") {
    id
    # Other fields and connections here...
  }
}


Get data for all of the network policies in a certain k8s Context:

GraphQL
|
query {
  queryk8sNetworkPolicy(filter: { context: { eq: "my-context-name" } }) {
    id
    # Other fields and connections here...
  }
}


Get data for all of the network policies NOT in a certain k8s Context:

GraphQL
|
query {
  queryk8sNetworkPolicy(filter: { not: { context: { eq: "my-context-name" } } }) {
    id
    # Other fields and connections here...
  }
}




Advanced Filtering

Get data for all of the network policies that have a namespace:

GraphQL
|
query {
  queryk8sNetworkPolicy(filter: { has: namespace }) {
    id
    # Other fields and connections here...
  }
}

# Note that in addition to "namespace" you can filter
# using "has" on any of the following attributes:

# apiVersion
# kind
# spec


Use multiple filter selectors (i.e. has, and, not, or) to get data for all of the network policies that have a namespace AND a kind, OR that do not have a spec. Note that you can use has, and, not, or completely independently of each other:

GraphQL
|
query {
  queryk8sNetworkPolicy(
    filter: {
      has: namespace
      and: { has: kind }
      or: { not: { has: spec } }
    }
  ) {
    id
    # Other fields and connections here...
  }
}


You may also filter using a regex when filtering on a string field like context, for instance to find every value that contains some-value (case insensitive). The pattern goes between slashes, with modifiers such as i after the closing slash:

GraphQL
|
query {
  queryk8sNetworkPolicy(
    filter: { context: { regexp: "/.*some-value.*/i" } }
  ) {
    id
    # Other fields and connections here...
  }
}


Ordering

You can order the results you get back either asc or desc depending on your preference:

GraphQL
|
query {
  queryk8sNetworkPolicy(order: { desc: context }) {
    context
    # Other fields and connections here...
  }
}

# Note that in addition to "context" you can order
# using "asc" or "desc" on any of the following attributes:

# id
# kind
# apiVersion


Only select and return the first two network policies that are found:

GraphQL
|
query {
  queryk8sNetworkPolicy(first: 2, order: { desc: apiVersion }) {
    apiVersion
    # Other fields and connections here...
  }
}


Only select and return the first two network policies that are found, but offset by one so network policies two & three are returned:

GraphQL
|
query {
  queryk8sNetworkPolicy(first: 2, order: { desc: context }, offset: 1) {
    id
    context
    # Other fields and connections here...
  }
}
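The `first`, `offset` and `order` arguments above are the building blocks of a pagination loop for clusters with more network policies than you want in a single response. The following is an added example in Python (it is not CloudGraph's own code and does not appear on the original page): it builds the query with `$first`/`$offset` variables, orders on a stable field so offsets stay consistent between pages, and keeps requesting pages until a short page arrives. `ENDPOINT` is an assumed placeholder for your CloudGraph GraphQL URL, and `FakeTransport` plus `SAMPLE_ROWS` are constructed so the loop can be exercised offline.

```python
"""Page through queryk8sNetworkPolicy with order/first/offset (added example)."""
import json
import urllib.request
from typing import Callable, Iterator, List, Optional

# A transport takes a GraphQL document plus variables and returns the parsed
# JSON response: {"data": {"queryk8sNetworkPolicy": [...]}} or {"errors": [...]}.
Transport = Callable[[str, dict], dict]

# Assumed placeholder: set this to your CloudGraph GraphQL endpoint.
ENDPOINT = "http://localhost:8080/graphql"


def build_page_query(selection: str, context: Optional[str] = None,
                     order_field: str = "id") -> str:
    """Build a query with $first/$offset variables. Ordering on a stable field
    (id by default) keeps offsets consistent from one page to the next; without
    an order argument consecutive pages may overlap or skip rows."""
    filter_arg = ""
    if context is not None:
        filter_arg = f"filter: {{ context: {{ eq: {json.dumps(context)} }} }}, "
    return ("query Page($first: Int!, $offset: Int!) {\n"
            f"  queryk8sNetworkPolicy({filter_arg}order: {{ asc: {order_field} }}, "
            "first: $first, offset: $offset) {\n"
            f"    {selection}\n  }}\n}}")


def http_transport(endpoint: str = ENDPOINT, timeout: int = 30) -> Transport:
    """POST the document to a GraphQL endpoint with the standard library only."""
    def send(query: str, variables: dict) -> dict:
        body = json.dumps({"query": query, "variables": variables}).encode()
        req = urllib.request.Request(endpoint, data=body,
                                     headers={"Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return send


def iter_network_policies(transport: Transport, query: str,
                          page_size: int = 100) -> Iterator[dict]:
    """Yield every row, asking for page_size rows at a time until a short page."""
    offset = 0
    while True:
        result = transport(query, {"first": page_size, "offset": offset})
        if result.get("errors"):
            raise RuntimeError(f"GraphQL errors: {result['errors']}")
        page = result["data"]["queryk8sNetworkPolicy"]
        yield from page
        if len(page) < page_size:   # short (or empty) page: nothing left
            return
        offset += page_size


class FakeTransport:
    """Offline stand-in for http_transport: serves constructed rows, honours
    only first/offset (the filter in the document is ignored), counts calls."""
    def __init__(self, rows: List[dict]):
        self.rows = sorted(rows, key=lambda r: r["id"])
        self.calls = 0

    def __call__(self, query: str, variables: dict) -> dict:
        self.calls += 1
        start = variables["offset"]
        page = self.rows[start:start + variables["first"]]
        return {"data": {"queryk8sNetworkPolicy": page}}


# Constructed sample rows, not real CloudGraph output.
SAMPLE_ROWS = [{"id": f"np-{i}", "context": "prod" if i % 2 else "dev",
                "metadata": {"namespace": "payments", "name": f"policy-{i}"}}
               for i in range(5)]


def fetch_all(transport: Transport, page_size: int = 2,
              context: Optional[str] = None) -> List[dict]:
    """Collect every network policy (optionally for one context) into a list."""
    query = build_page_query("id context metadata { name namespace }", context=context)
    return list(iter_network_policies(transport, query, page_size))


if __name__ == "__main__":
    # Offline demo; swap FakeTransport for http_transport() against a live CloudGraph.
    fake = FakeTransport(SAMPLE_ROWS)
    rows = fetch_all(fake, page_size=2)
    print(f"fetched {len(rows)} policies in {fake.calls} requests")
```

Against a live instance, `fetch_all(http_transport(), page_size=100, context="my-context-name")` returns the same list shape as the `queryk8sNetworkPolicy` examples above, so the same filter and ordering arguments apply.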


Aggregation

Count the number of network policies across all scanned K8s contexts:

GraphQL
|
query {
  aggregatek8sNetworkPolicy {
    count
    # Other fields and connections here...
  }
}

# Note that in addition to "count" you can request the
# following min and max values based on attributes of your network policies:

# idMin
# idMax
# contextMin
# contextMax
# kindMin
# kindMax
# apiVersionMin
# apiVersionMax


Count the number of network policies in a single context. Note that you can apply all of the same filters that are listed above to aggregate queries:

GraphQL
|
query {
  aggregatek8sNetworkPolicy(filter: { context: { eq: "my-context-name" } }) {
    count
    # Other fields and connections here...
  }
}


Kitchen Sink

Putting it all together: get all data for all network policies across all k8s contexts in a single query. For the purposes of this example we only fetch the direct children of the network policy, but you can keep traversing connections, e.g. networkPolicy -> namespace -> job, if you need to:

GraphQL
|
query {
  queryk8sNetworkPolicy {
    id
    context
    apiVersion
    kind
    metadata {
      id
      annotations {
        id
        key
        value
      }
      clusterName
      creationTimestamp
      deletionGracePeriodSeconds
      deletionTimestamp
      finalizers
      generateName
      generation
      labels {
        id
        key
        value
      }
      ownerReferences {
        id
        apiVersion
        blockOwnerDeletion
        controller
        kind
        name
      }
      name
      namespace
      resourceVersion
      selfLink
    }
    spec {
      egress {
        id
        ports {
          id
          endPort
          port
          protocol
        }
        to {
          id
          ipBlock {
            cidr
            except
          }
          namespaceSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
          podSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
        }
      }
      ingress {
        id
        ports {
          id
          endPort
          port
          protocol
        }
        from {
          id
          ipBlock {
            cidr
            except
          }
          namespaceSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
          podSelector {
            matchExpressions {
              id
              key
              operator
              values
            }
            matchLabels {
              id
              key
              value
            }
          }
        }
      }
      podSelector {
        matchExpressions {
          id
          key
          operator
          values
        }
        matchLabels {
          id
          key
          value
        }
      }
      policyTypes
    }
    namespace {
      id
      context
      apiVersion
      kind
      metadata {
        id
        annotations {
          id
          key
          value
        }
        clusterName
        creationTimestamp
        deletionGracePeriodSeconds
        deletionTimestamp
        finalizers
        generateName
        generation
        labels {
          id
          key
          value
        }
        ownerReferences {
          id
          apiVersion
          blockOwnerDeletion
          controller
          kind
          name
        }
        name
        namespace
        resourceVersion
        selfLink
      }
      spec {
        finalizers
      }
      status {
        phase
        conditions {
          id
          lastHeartbeatTime
          lastTransitionTime
          message
          reason
          status
          type
        }
      }
      networkPolicies {
          id
          # any networkPolicy properties
      }
      nodes {
          id
          # any node properties
      }
      pods {
          id
          # any pod properties
      }
      deployments {
          id
          # any deployment properties
      }
      ingresses {
          id
          # any ingress properties
      }
      secrets {
          id
          # any secret properties
      }
      services {
          id
          # any service properties
      }
      serviceAccounts {
          id
          # any serviceAccount properties
      }
      storageClasses {
          id
          # any storageClass properties
      }
      persistentVolumes {
          id
          # any persistentVolume properties
      }
      persistentVolumeClaims {
          id
          # any persistentVolumeClaim properties
      }
      roles {
          id
          # any role properties
      }
      jobs {
          id
          # any job properties
      }
      cronJobs {
          id
          # any cronJob properties
      }
    }
  }
}
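The `spec` fields returned by the Kitchen Sink query above (and described in the Overview type) carry everything needed to spot permissive policies once the rows are back on the client. The following is an added example in Python (not CloudGraph's own code and not from the original page) that walks rows in that shape and flags, using Kubernetes NetworkPolicy semantics: an empty `podSelector` (applies to every pod in the namespace), a `policyTypes` list without `Egress` (outbound traffic is not restricted by the policy), an ingress or egress rule with no `from`/`to` peers (allows any source or destination), a peer with an `ipBlock` of `0.0.0.0/0` or `::/0`, and an empty `namespaceSelector` (every pod in every namespace). `SAMPLE_POLICIES` and the `_labels` helper are constructed for the offline run; the findings are review prompts, not verdicts, since a default-deny policy legitimately uses an empty `podSelector`.

```python
"""Audit CloudGraph k8sNetworkPolicy rows for permissive rules (added example)."""
from typing import Dict, List, Optional

ANY_IP = ("0.0.0.0/0", "::/0")


def selector_is_empty(selector: Optional[dict]) -> bool:
    """True for a selector that is present but has no matchLabels and no
    matchExpressions: in Kubernetes such a selector matches everything.
    CloudGraph returns matchLabels/matchExpressions as (possibly empty) lists."""
    if selector is None:          # selector not used at all
        return False
    return not selector.get("matchLabels") and not selector.get("matchExpressions")


def effective_policy_types(spec: dict) -> List[str]:
    """policyTypes as stored by the API server; if absent, apply the Kubernetes
    default: Ingress always, Egress only when egress rules are present."""
    types = spec.get("policyTypes")
    if types:
        return list(types)
    return ["Ingress", "Egress"] if spec.get("egress") else ["Ingress"]


def peer_findings(peer: dict, direction: str) -> List[str]:
    """Findings for one entry of an ingress `from` / egress `to` list."""
    out = []
    ip_block = peer.get("ipBlock") or {}
    if ip_block.get("cidr") in ANY_IP:
        out.append(f"{direction} peer allows any IP: cidr={ip_block['cidr']} "
                   f"except={ip_block.get('except') or []}")
    pod_sel = peer.get("podSelector")
    if selector_is_empty(peer.get("namespaceSelector")) and (
            pod_sel is None or selector_is_empty(pod_sel)):
        out.append(f"{direction} peer selects every pod in every namespace")
    return out


def rule_findings(rules: Optional[list], peer_key: str, direction: str) -> List[str]:
    """Findings for spec.ingress / spec.egress. A rule with no peers allows all
    sources or destinations; a rule with no ports allows all ports."""
    out = []
    for rule in rules or []:
        peers = rule.get(peer_key) or []
        if not peers:
            scope = "all ports" if not rule.get("ports") else "the listed ports"
            out.append(f"{direction} rule has no `{peer_key}` peers: allows anywhere on {scope}")
        for peer in peers:
            out.extend(peer_findings(peer, direction))
    return out


def audit_policy(policy: dict) -> Dict:
    """Return the policy's identity plus a list of review findings (may be empty)."""
    spec = policy.get("spec") or {}
    meta = policy.get("metadata") or {}
    findings = []
    if selector_is_empty(spec.get("podSelector")):
        findings.append("empty spec.podSelector: applies to every pod in the namespace")
    if "Egress" not in effective_policy_types(spec):
        findings.append("policyTypes lacks Egress: outbound traffic is not restricted here")
    findings += rule_findings(spec.get("ingress"), "from", "ingress")
    findings += rule_findings(spec.get("egress"), "to", "egress")
    return {"id": policy.get("id"), "context": policy.get("context"),
            "namespace": meta.get("namespace"), "name": meta.get("name"),
            "findings": findings}


def audit_policies(policies: List[dict]) -> List[Dict]:
    """Audit rows returned by queryk8sNetworkPolicy; keep only those with findings."""
    return [r for r in map(audit_policy, policies) if r["findings"]]


def _labels(**kv) -> dict:
    # Constructed helper: a CloudGraph-shaped selector from key/value pairs.
    return {"matchLabels": [{"key": k, "value": v} for k, v in kv.items()],
            "matchExpressions": []}


# Constructed sample rows in the shape of the Kitchen Sink query; not real data.
SAMPLE_POLICIES = [
    {"id": "np-1", "context": "prod", "metadata": {"namespace": "payments", "name": "default-deny"},
     "spec": {"podSelector": _labels(), "ingress": [], "egress": [],
              "policyTypes": ["Ingress", "Egress"]}},
    {"id": "np-2", "context": "prod", "metadata": {"namespace": "payments", "name": "from-internet"},
     "spec": {"podSelector": _labels(app="gateway"), "egress": [], "policyTypes": ["Ingress"],
              "ingress": [{"ports": [{"port": "443", "protocol": "TCP"}],
                           "from": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": ["10.0.0.0/8"]}}]}]}},
    {"id": "np-3", "context": "prod", "metadata": {"namespace": "payments", "name": "allow-all-in"},
     "spec": {"podSelector": _labels(app="api"), "ingress": [{"ports": [], "from": []}],
              "egress": [], "policyTypes": ["Ingress", "Egress"]}},
    {"id": "np-4", "context": "prod", "metadata": {"namespace": "payments", "name": "db-tight"},
     "spec": {"podSelector": _labels(app="db"), "policyTypes": ["Ingress", "Egress"],
              "ingress": [{"ports": [{"port": "5432", "protocol": "TCP"}],
                           "from": [{"podSelector": _labels(app="api")}]}],
              "egress": [{"ports": [{"port": "53", "protocol": "UDP"}],
                          "to": [{"namespaceSelector":
                                  _labels(**{"kubernetes.io/metadata.name": "kube-system"})}]}]}},
]
```

Feed `audit_policies` the `queryk8sNetworkPolicy` list from the Kitchen Sink response; on the constructed sample it reports np-1 (empty podSelector), np-2 (ingress from 0.0.0.0/0 and no Egress policy type) and np-3 (ingress rule with no peers) and stays silent on the tightly scoped np-4.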


References

Dgraph documentation on querying

K8s Network Policy documentation

Updated 03 Mar 2023