Network mapping & network policies

Otterize's open-source Network Mapper and Intents Operator can map your cluster, with zero configuration, low privileges and low resource usage, and automate the management of network policies.

Mapping & visualizing

Otterize's Network Mapper is a zero-config, open-source and non-invasive tool to map your cluster. Deploy it on your cluster to get a graphical, textual or JSON representation of your cluster, and optionally use it to generate ClientIntents, which are declarations of the access each service in your cluster requires.

By connecting your cluster to Otterize Cloud, you'll immediately be presented with an interactive, historic and filterable map of your cluster. You can access the same information in different formats by using the open-source Otterize CLI, with the commands otterize mapper export, otterize mapper list and otterize mapper visualize.

otterize mapper visualize example:

[Image: visualize example]

otterize mapper list example:

client in namespace otterize-tutorial-npol calls:
- server in namespace otterize-tutorial-npol
client-other in namespace otterize-tutorial-npol calls:
- server in namespace otterize-tutorial-npol

otterize mapper export example:

apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client
  namespace: otterize-tutorial-npol
spec:
  service:
    name: client
  calls:
    - name: server
---
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client-other
  namespace: otterize-tutorial-npol
spec:
  service:
    name: client-other
  calls:
    - name: server

Access control

By default, Kubernetes pods permit all outgoing and incoming traffic, posing potential security risks.

Kubernetes NetworkPolicies can be employed to limit either egress or ingress traffic, thereby enhancing security and compliance. Having deployed Otterize, you can then apply the ClientIntents generated by the network mapper, or declared by you, to your cluster. The Intents Operator calculates which Network Policies are required to allow the traffic declared by the ClientIntents, enforcing access on your cluster so that only intentional access is allowed.

Read more in the Network Policies Deep Dive.

apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client
  namespace: otterize-tutorial-istio
spec:
  service:
    name: client
  calls:
    - name: nginx
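
To show how a set of observed or declared calls translates into an allow-list, the following added example (not Otterize's code, and not the policies the Intents Operator actually generates) parses the otterize mapper list format shown earlier and builds one standard Kubernetes ingress NetworkPolicy per server that admits only its listed clients. It assumes pods are labelled app=<service name>; the function names and the policy name allow-declared-to-<server> are made up for this illustration.

```python
import json
import re

# Constructed sample in the `otterize mapper list` format shown on this page.
MAPPER_LIST = """\
client in namespace otterize-tutorial-npol calls:
- server in namespace otterize-tutorial-npol
client-other in namespace otterize-tutorial-npol calls:
- server in namespace otterize-tutorial-npol
"""
CALLER = re.compile(r"^(\S+) in namespace (\S+) calls:$")
CALLEE = re.compile(r"^- (\S+) in namespace (\S+)$")


def parse_mapper_list(text):
    """Return {(server, server_ns): {(client, client_ns), ...}}."""
    callers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := CALLER.match(line):
            current = (m.group(1), m.group(2))
        elif (m := CALLEE.match(line)) and current:
            callers.setdefault((m.group(1), m.group(2)), set()).add(current)
        elif line:
            raise ValueError(f"unrecognised line: {raw!r}")
    return callers


def ingress_policy(server, namespace, clients):
    """Build a NetworkPolicy that admits only `clients` to `server`."""
    # Assumption: each service's pods carry the label app=<service name>.
    peers = [{"namespaceSelector": {"matchLabels": {"kubernetes.io/metadata.name": ns}},
              "podSelector": {"matchLabels": {"app": name}}}
             for name, ns in sorted(clients)]
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"allow-declared-to-{server}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"app": server}},
            "policyTypes": ["Ingress"],
            # Empty "from" matches all sources; with no clients emit no rule (deny all).
            "ingress": [{"from": peers}] if peers else [],
        },
    }

if __name__ == "__main__":
    for (server, ns), clients in parse_mapper_list(MAPPER_LIST).items():
        print(json.dumps(ingress_policy(server, ns, clients), indent=2))
```

The JSON it prints can be reviewed before anything is applied, which makes it easy to confirm that every allowed peer corresponds to a call you actually intend.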