This page explains how to enable network policy logging in an GKE cluster and how to export logs.
Overview
Network policies are Pod-level firewalls; they specify the network traffic that Pods are allowed to send and receive. Network policy logs record network policy events. You can log all events or you can choose to log events based on the following criteria:
- Allowed connections.
- Denied connections.
- Connections allowed by specific policies.
- Connections denied to Pods in specific namespaces.
Enabling logging
Network policy logging is not enabled by default. For information on enabling logging and selecting which events to log, see Using network policy logging in the Google Kubernetes Engine documentation.
Accessing logs
Network policy logs are automatically uploaded to Cloud Logging. You can access logs through the Logs Explorer or with the Google Cloud CLI. You can also export logs from Cloud Logging to the sink of your choice.
gcloud
gcloud logging read --project "PROJECT_NAME" 'resource.type="k8s_node" \
resource.labels.location="CLUSTER_LOCATION" \
resource.labels.cluster_name="awsClusters/CLUSTER_NAME" \
logName="projects/PROJECT_NAME/logs/policy-action"'
Replace the following:
PROJECT_NAME
: your Google Cloud projectCLUSTER_LOCATION
: the Google Cloud location your cluster is managed fromCLUSTER_NAME
: the name of your cluster
Cloud Logging
Go to the Logs Explorer page in Google Cloud console.
Click Query builder.
Use the following query to find all network policy log records:
resource.type="k8s_node" resource.labels.location="CLUSTER_LOCATION" resource.labels.cluster_name="awsClusters/CLUSTER_NAME" logName="projects/PROJECT_NAME/logs/policy-action"
Replace the following:
CLUSTER_LOCATION
: the Google Cloud location your cluster is managed fromCLUSTER_NAME
: the name of your cluster.PROJECT_NAME
: your Google Cloud project.
To learn how to use the Logs Explorer, see Using the Logs Explorer.
You can also build a query using the Query builder. To query for network policy logs, select policy-action in the Log name drop-down list. If there are no logs available, policy-action does not appear in the drop- down list.
Local access to network policy logs
If you have access to a node's file system, network policy logs are available on
each node in the local file /var/log/network/policy_action.log*
. Nodes
rotate log files when the current log file reaches 10 MB. Up to five previous
log files are stored.