Use network policy logging

This page explains how to enable network policy logging in a GKE cluster and how to export logs.

Overview

Network policies are Pod-level firewalls; they specify the network traffic that Pods are allowed to send and receive. Network policy logs record network policy events. You can log all events or you can choose to log events based on the following criteria:

  • Allowed connections.
  • Denied connections.
  • Connections allowed by specific policies.
  • Connections denied to Pods in specific namespaces.

Enabling logging

Network policy logging is not enabled by default. For information on enabling logging and selecting which events to log, see Using network policy logging in the Google Kubernetes Engine documentation.

Accessing logs

Network policy logs are automatically uploaded to Cloud Logging. You can access logs through the Logs Explorer or with the Google Cloud CLI. You can also export logs from Cloud Logging to the sink of your choice.

gcloud

gcloud logging read --project "PROJECT_NAME" 'resource.type="k8s_node"
    resource.labels.location="CLUSTER_LOCATION"
    resource.labels.cluster_name="awsClusters/CLUSTER_NAME"
    logName="projects/PROJECT_NAME/logs/policy-action"'

Replace the following:

  • PROJECT_NAME: your Google Cloud project
  • CLUSTER_LOCATION: the Google Cloud location your cluster is managed from
  • CLUSTER_NAME: the name of your cluster

Cloud Logging

  1. Go to the Logs Explorer page in Google Cloud console.

  2. Click Query builder.

  3. Use the following query to find all network policy log records:

    resource.type="k8s_node"
    resource.labels.location="CLUSTER_LOCATION"
    resource.labels.cluster_name="awsClusters/CLUSTER_NAME"
    logName="projects/PROJECT_NAME/logs/policy-action"

    Replace the following:

    • CLUSTER_LOCATION: the Google Cloud location your cluster is managed from
    • CLUSTER_NAME: the name of your cluster
    • PROJECT_NAME: your Google Cloud project

To learn how to use the Logs Explorer, see Using the Logs Explorer.

You can also build a query using the Query builder. To query for network policy logs, select policy-action in the Log name drop-down list. If there are no logs available, policy-action does not appear in the drop-down list.

Local access to network policy logs

If you have access to a node's file system, network policy logs are available on each node in the local file /var/log/network/policy_action.log*. Nodes rotate log files when the current log file reaches 10 MB. Up to five previous log files are stored.
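The following script is an added example, not part of this page or of the GKE tooling, that wraps the two retrieval paths described above: the gcloud query from the "Accessing logs" section and the rotated on-node files from this section. The function names, the default directory argument and the constructed file names in the comments are this example's own; the `--project`, `--freshness`, `--limit` and `--format` flags are existing `gcloud logging read` flags.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): fetch GKE network policy logs
# from Cloud Logging, or concatenate the rotated copies kept on a node.
set -eu

# Build the Cloud Logging filter for the policy-action log of one cluster.
# Arguments: PROJECT_NAME CLUSTER_LOCATION CLUSTER_NAME (as on the page).
policy_log_filter() {
  project="$1"; location="$2"; cluster="$3"
  printf 'resource.type="k8s_node" '
  printf 'resource.labels.location="%s" ' "$location"
  printf 'resource.labels.cluster_name="awsClusters/%s" ' "$cluster"
  printf 'logName="projects/%s/logs/policy-action"' "$project"
}

# Read recent policy-action entries as JSON so they can be fed to further
# tooling. Optional 4th/5th arguments: freshness window (default 1h) and
# maximum number of entries (default 200).
# Usage: read_policy_logs PROJECT LOCATION CLUSTER [FRESHNESS] [LIMIT]
read_policy_logs() {
  filter="$(policy_log_filter "$1" "$2" "$3")"
  gcloud logging read "$filter" \
    --project "$1" \
    --freshness "${4:-1h}" \
    --limit "${5:-200}" \
    --format json
}

# On a node: print the live log and its rotated predecessors oldest-first.
# Rotation keeps up to five older files; sorting by modification time
# (ls -tr) rather than by name keeps the events in chronological order.
# Usage: local_policy_logs [DIRECTORY]   (default /var/log/network)
local_policy_logs() {
  dir="${1:-/var/log/network}"
  ls -tr "$dir"/policy_action.log* 2>/dev/null | while IFS= read -r f; do
    cat "$f"
  done
}

# Command-line dispatch: "cloud PROJECT LOCATION CLUSTER" or "node [DIR]".
case "${1:-}" in
  cloud) shift; read_policy_logs "$@" ;;
  node)  shift; local_policy_logs "$@" ;;
esac
```

Run it as `./policy_logs.sh cloud PROJECT_NAME CLUSTER_LOCATION CLUSTER_NAME` from a workstation with gcloud authenticated, or as `./policy_logs.sh node` on a node where you have file system access. Reading the on-node files is useful when the Cloud Logging agent is lagging or when you need the raw lines, but the node keeps only about 50 MB of history, so Cloud Logging remains the durable copy.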

What's next