Skip to main content

Network mapping & network policies

Otterize's open-source Network Mapper and Intents Operator can map your cluster, with zero configuration, low privileges and low resource usage, and automate the management of network policies.

Tutorials

View the tutorials below to learn more about how to get started:

Visualizing a Kubernetes Network
Map network traffic in a cluster and view the connections
Create and manage network policies
Create Kubernetes network policies using IBAC
Protecting a service with network policies
An example on how to secure a single service
AWS EKS network policies with the VPC CNI
Leverage AWS VPC CNI to apply network policies in EKS

Mapping & visualizing

Otterize's Network Mapper is a zero-config, open-source and non-invasive tool to map your cluster. Deploy it on your cluster to get a graphical, textual or JSON representation of your cluster, and optionally use it to generate ClientIntents, which are declarations of the access each service in your cluster requires.

By connecting your cluster to Otterize Cloud, you'll immediately be presented with an interactive, historic and filterable map of your cluster. You can access the same information in different formats by using the open-source Otterize CLI, with the commands otterize mapper export, otterize mapper list and otterize mapper visualize.

otterize mapper visualize example: visualize example

otterize mapper list example:

client in namespace otterize-tutorial-npol calls:
  - server in namespace otterize-tutorial-npol
client-other in namespace otterize-tutorial-npol calls:
  - server in namespace otterize-tutorial-npol

otterize mapper export example:

apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client
  namespace: otterize-tutorial-npol
spec:
  service:
    name: client
  calls:
    - name: server
---
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client-other
  namespace: otterize-tutorial-npol
spec:
  service:
    name: client-other
  calls:
    - name: server

Access control

By default, Kubernetes pods permit all outgoing and incoming traffic, posing potential security risks.

Kubernetes NetworkPolicies can be employed to limit either egress or ingress traffic, thereby enhancing security and compliance. Having deployed Otterize, you can then apply the ClientIntents generated by the network mapper, or declared by you, to your cluster. The Intents Operator calculates which Network Policies are required to allow the traffic declared by the ClientIntents, enforcing access on your cluster so that only intentional access is allowed.

Read more in the Network Policies Deep Dive.

apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
  name: client
  namespace: otterize-tutorial-istio
spec:
  service:
    name: client
  calls:
    - name: nginx