AKS -Action Log

I’m working on some network policies in AKS. I noticed that we currently can’t do a default deny using a global network policy because the name selector doesn’t work until you are on version v3.11, and AKS currently installs v3.8.9. Another thing we are doing is trying to log all hits to the rules using “-Action Log”, and we are unable to retrieve the logs. It’s really a simple question: I’m curious if I’m running into another version issue of when the action for log was added to Calico, or if it’s always been there? This would save me a bunch of time trying to get the logs. I’ve been using this deployment but the pods never appear to grab the logs from the host.

I hope I’m not taking crazy pills and v3.8.9 just doesn’t have the log function. I’m all for diving through release notes, just wondering if someone knows off the top of their head? Also, is there a location for historical release notes?

Thanks!

https://docs.projectcalico.org/archive/v3.8/reference/resources/globalnetworkpolicy
definitely shows Log as a valid action.

https://docs.projectcalico.org/archive/v3.8/security/calico-network-policy#generate-logs-for-specific-traffic

In the following example, incoming TCP traffic to an application is denied, and each connection attempt is logged to syslog.

Are you looking in syslog for the logs? They won’t appear in the pod logs…

I’m not sure what you mean by “name selector”; do you mean “namespaceSelector”? I’m not 100% sure, but I thought that global network policies matched all namespaces before the namespaceSelector was added.

Log has always been there, but the log is issued from iptables itself, so it goes to syslog/kernel log/dmesg/etc. depending on your distro and kernel.

If you’re looking for a solid way to figure out which rules are being hit, you may want to check our Calico Enterprise; it has a GUI that does exactly that.

Thanks for the reply. Yes I was referring to namespaceSelector, and this was the discussion about AKS using an old version.

I was able to gain SSH access to the node and discovered that it was writing to /var/log/syslog.1, so I modified the deployment and see the calico-packet logs. Does anyone know of any documentation for the syslog fields? It doesn’t appear to have a field for allow or deny in the log. I can guess most of the fields; it’s just that my security team is going to care more about whether it was an allow or a deny. These will eventually make it to a Log Analytics workspace, then to Splunk for searching.

Dec 22 18:26:49 nodename kernel: [686879.577344] calico-packet: IN=eth0 OUT=azv204d22f3118 MAC=00:22:48:44:62:15:c0:d6:82:94:e6:49:08:00 SRC=172.16.208.33 DST=172.16.208.28 LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=25858 DF PROTO=TCP SPT=33374 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0

Thanks for any help

The log action only tells you one thing: “the packet hit the log rule”. It doesn’t tell you whether the packet was dropped or allowed in the end. Calico Enterprise is the way to go if you have a security team who need flow logs of denied/allowed packets; it’s one of its core features.
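The kernel line quoted earlier in the thread is the standard output of the netfilter LOG target with Felix’s “calico-packet” prefix in front of it, so the fields (IN, OUT, MAC, SRC, DST, LEN, TOS, PREC, TTL, ID, PROTO, SPT, DPT, WINDOW, RES, URGP, plus bare flag tokens such as DF and SYN) are the kernel’s, not Calico’s. The parser below is an added example written for this thread; it is not code from the original posts or from the Calico project. It takes the line from the thread plus two constructed lines (a made-up UDP line, which the LOG target prints with a second LEN for the UDP length, and an unrelated kernel message) and turns each calico-packet line into a record you could ship to Log Analytics or Splunk. As the reply above says, the line carries no verdict, so the record’s `verdict` field is deliberately always `None`; the record only proves the packet matched the Log rule.

```python
"""Parse Calico "calico-packet" kernel log lines (netfilter LOG output) into
structured records. Added example for this thread; not Calico project code."""
import json
import re
from typing import Any, Dict, List, Optional

# Syslog envelope around the netfilter LOG output, shaped like the line quoted
# in the thread: "<Mon DD HH:MM:SS> <host> kernel: [<uptime>] calico-packet: <body>".
ENVELOPE_RE = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: \[\s*(?P<uptime>\d+\.\d+)\] "
    r"(?P<prefix>calico-packet): (?P<body>.*)$"
)

# Numeric fields promoted to int; everything else is kept as the kernel printed it.
INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT", "WINDOW")

# Constructed sample input. Line 1 is the line quoted in the thread; lines 2
# (UDP, invented addresses) and 3 (unrelated kernel message) are made up here.
SAMPLE_LINES = [
    "Dec 22 18:26:49 nodename kernel: [686879.577344] calico-packet: IN=eth0 "
    "OUT=azv204d22f3118 MAC=00:22:48:44:62:15:c0:d6:82:94:e6:49:08:00 "
    "SRC=172.16.208.33 DST=172.16.208.28 LEN=60 TOS=0x00 PREC=0x00 TTL=62 "
    "ID=25858 DF PROTO=TCP SPT=33374 DPT=8443 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Dec 22 18:27:03 nodename kernel: [686893.101122] calico-packet: "
    "IN=azv204d22f3118 OUT=eth0 MAC=00:22:48:44:62:15:c0:d6:82:94:e6:4a:08:00 "
    "SRC=172.16.208.28 DST=10.0.0.10 LEN=71 TOS=0x00 PREC=0x00 TTL=63 ID=4711 "
    "DF PROTO=UDP SPT=41234 DPT=53 LEN=51",
    "Dec 22 18:27:05 nodename kernel: [686895.000001] eth0: link is up",
]


def parse_calico_packet(line: str) -> Optional[Dict[str, Any]]:
    """Return a structured record for one calico-packet line, or None when the
    line is some other kernel message."""
    m = ENVELOPE_RE.match(line)
    if not m:
        return None
    record: Dict[str, Any] = {
        "timestamp": m["timestamp"],
        "host": m["host"],
        "uptime": float(m["uptime"]),
        "prefix": m["prefix"],
        "fields": {},
        "flags": [],
        # The LOG target only records that the packet matched the Log rule. The
        # allow/deny decision is made by a later rule and never appears in the
        # line, so this stays None by design rather than being guessed.
        "verdict": None,
    }
    for token in m["body"].split():
        if "=" not in token:
            record["flags"].append(token)  # bare tokens: DF, SYN, ACK, RST, ...
            continue
        key, value = token.split("=", 1)
        if key in INT_FIELDS:
            value = int(value)
        if key in record["fields"]:
            # UDP lines print LEN twice (IP total length, then UDP length);
            # keep both instead of silently overwriting the first.
            key = f"{key}_2"
        record["fields"][key] = value
    return record


def parse_log(lines: List[str]) -> List[Dict[str, Any]]:
    """Parse a batch of syslog lines, dropping everything that is not calico-packet."""
    return [r for r in (parse_calico_packet(l) for l in lines) if r is not None]


def flow_summary(record: Dict[str, Any]) -> str:
    """One-line 5-tuple plus interfaces, convenient as a search key in a SIEM."""
    f = record["fields"]
    flags = " ".join(record["flags"])
    text = (f"{f.get('PROTO')} {f.get('SRC')}:{f.get('SPT', '-')} -> "
            f"{f.get('DST')}:{f.get('DPT', '-')} {f.get('IN', '-')}->{f.get('OUT', '-')}")
    return f"{text} [{flags}]" if flags else text


if __name__ == "__main__":
    for rec in parse_log(SAMPLE_LINES):
        print(flow_summary(rec))
        print(json.dumps(rec))
```

Note that the UDP line keeps the second LEN under `LEN_2`; if you flatten these into key=value pairs for Splunk, make sure that rename survives, otherwise two different lengths collide on one key.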