Kubernetes NetworkPolicy
Import Kubernetes NetworkPolicy resources exported as YAML or JSON. netbobr parses ingress and egress rules, extracting ipBlock CIDRs and port specifications for compliance analysis.
Export command
Export NetworkPolicy resources using kubectl:
```bash
# Export all NetworkPolicies in a namespace
kubectl get networkpolicy -n default -o yaml > netpol.yaml

# Export all NetworkPolicies across all namespaces
kubectl get networkpolicy --all-namespaces -o yaml > all-netpol.yaml

# Export a specific policy
kubectl get networkpolicy my-policy -n default -o yaml > policy.yaml
```

The `-o yaml` flag is required; the default `kubectl get` table output cannot be imported. JSON output (`-o json`) is also supported.
Supported YAML structures
netbobr accepts three shapes of NetworkPolicy YAML:
- Single document -- one NetworkPolicy resource
- Multi-document YAML -- multiple policies separated by `---`
- Kubernetes List wrapper -- `kind: NetworkPolicyList` with an `items` array
Minimal example
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-https-ingress
  namespace: default
spec:
  podSelector:
    matchLabels:
      app: web-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8
      ports:
        - protocol: TCP
          port: 443
```

Parser behavior
| Rule type | Source | Destination |
|---|---|---|
| ingress | `from[].ipBlock.cidr` | 0.0.0.0/0 (implicit) |
| egress | 0.0.0.0/0 (implicit) | `to[].ipBlock.cidr` |
- Each `ports[]` entry specifies a `protocol` (TCP or UDP) and a `port` number.
- Every combination of CIDR and port creates a separate flow for analysis.
- `except` CIDRs in `ipBlock` are noted but not used for exclusion (see Limitations).
- In the browser, the `js-yaml` library is loaded from a CDN for YAML parsing. JSON files are parsed natively.
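The parser rules above, worked through as an added JavaScript example (this is not netbobr's own code). It takes an already-parsed document, for instance `JSON.parse()` of `kubectl get networkpolicy -o json` output or the result of js-yaml's `loadAll()` for YAML, accepts the three document shapes listed earlier, expands every `ipBlock` CIDR and every numeric port into one flow per combination, and turns label-selector peers, named ports and `except` lists into warnings instead of flows. The function names and the second sample policy (`allow-dns-egress`) are assumptions made for the example; the first sample policy is the page's own minimal example.

```javascript
// Added example, not netbobr's own code: flow extraction following the
// "Parser behavior" rules. Input is an already-parsed document, e.g.
// JSON.parse() of `kubectl -o json` output or js-yaml loadAll() for YAML.
const ANY_CIDR = "0.0.0.0/0";

// Accept the three shapes: a single NetworkPolicy, an array of documents
// (multi-document YAML after parsing), or a NetworkPolicyList with items[].
function collectPolicies(doc) {
  if (Array.isArray(doc)) return doc.flatMap(collectPolicies);
  if (!doc || typeof doc !== "object") return [];
  if (doc.kind === "NetworkPolicyList" && Array.isArray(doc.items)) {
    return doc.items.flatMap(collectPolicies);
  }
  return doc.kind === "NetworkPolicy" ? [doc] : [];
}

// Expand one direction's rules into flows: every ipBlock CIDR x every port.
// Selector peers, named ports and except lists only produce warnings.
function rulesToFlows(name, direction, rules, warnings) {
  const flows = [];
  const peerKey = direction === "ingress" ? "from" : "to";
  for (const rule of rules || []) {
    const ports = (rule.ports || []).filter((p) => {
      if (Number.isInteger(p.port)) return true;
      warnings.push(`${name}: named port "${p.port}" needs pod spec resolution; skipped`);
      return false;
    });
    for (const peer of rule[peerKey] || []) {
      if (peer.podSelector || peer.namespaceSelector) {
        warnings.push(`${name}: ${direction} peer uses a label selector; pod IPs are dynamic and not resolved to CIDRs`);
      }
      const block = peer.ipBlock;
      if (!block || !block.cidr) continue;
      if (Array.isArray(block.except) && block.except.length > 0) {
        warnings.push(`${name}: except [${block.except.join(", ")}] noted but not applied`);
      }
      for (const p of ports) {
        flows.push({
          policy: name,
          direction,
          source: direction === "ingress" ? block.cidr : ANY_CIDR,
          destination: direction === "ingress" ? ANY_CIDR : block.cidr,
          protocol: String(p.protocol || "TCP").toUpperCase(), // K8s defaults protocol to TCP
          port: p.port,
        });
      }
    }
  }
  return flows;
}

function parseNetworkPolicies(doc) {
  const warnings = [];
  const flows = [];
  for (const pol of collectPolicies(doc)) {
    const meta = pol.metadata || {};
    const spec = pol.spec || {};
    const name = `${meta.namespace || "default"}/${meta.name || "<unnamed>"}`;
    // Kubernetes semantics: policyTypes defaults to Ingress, plus Egress
    // when egress rules are present.
    const types = spec.policyTypes || (spec.egress ? ["Ingress", "Egress"] : ["Ingress"]);
    if (types.includes("Ingress")) flows.push(...rulesToFlows(name, "ingress", spec.ingress, warnings));
    if (types.includes("Egress")) flows.push(...rulesToFlows(name, "egress", spec.egress, warnings));
  }
  return { flows, warnings };
}

// Constructed sample: the page's minimal policy plus a made-up egress policy,
// wrapped in a NetworkPolicyList as `kubectl get networkpolicy -o json` emits.
const SAMPLE_LIST = {
  apiVersion: "v1",
  kind: "NetworkPolicyList",
  items: [
    {
      apiVersion: "networking.k8s.io/v1",
      kind: "NetworkPolicy",
      metadata: { name: "allow-https-ingress", namespace: "default" },
      spec: {
        podSelector: { matchLabels: { app: "web-server" } },
        policyTypes: ["Ingress"],
        ingress: [{ from: [{ ipBlock: { cidr: "10.0.0.0/8" } }], ports: [{ protocol: "TCP", port: 443 }] }],
      },
    },
    {
      apiVersion: "networking.k8s.io/v1",
      kind: "NetworkPolicy",
      metadata: { name: "allow-dns-egress", namespace: "default" }, // hypothetical policy
      spec: {
        podSelector: {},
        policyTypes: ["Egress"],
        egress: [{
          to: [
            { ipBlock: { cidr: "10.96.0.0/12", except: ["10.96.0.1/32"] } },
            { namespaceSelector: { matchLabels: { "kubernetes.io/metadata.name": "kube-system" } } },
          ],
          ports: [{ protocol: "UDP", port: 53 }, { protocol: "TCP", port: 53 }, { port: "dns" }],
        }],
      },
    },
  ],
};

function exampleFlows() {
  return parseNetworkPolicies(SAMPLE_LIST);
}

const { flows, warnings } = exampleFlows();
for (const f of flows) console.log(`${f.policy} ${f.direction} ${f.source} -> ${f.destination} ${f.protocol}/${f.port}`);
for (const w of warnings) console.log(`warning: ${w}`);
```

Running it yields three flows: one ingress flow from 10.0.0.0/8 to 0.0.0.0/0 on TCP/443, and two egress flows from 0.0.0.0/0 to 10.96.0.0/12 on UDP/53 and TCP/53. The named port, the `namespaceSelector` peer and the `except` entry each produce a warning rather than a flow, which is the behaviour the Limitations table describes.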
Limitations and warnings
| Limitation | Detail |
|---|---|
| No ICMP support | Kubernetes NetworkPolicy has no ICMP port specification. ICMP rules from a baseline are expected gaps (15 flows in accuracy testing). |
| Pod selectors | `podSelector` and `namespaceSelector` match pods by label, not by IP. These generate warnings because pod IPs are dynamic and cannot be resolved to CIDRs. |
| Port ranges | NetworkPolicy uses single port numbers, not ranges. Port ranges from a baseline are split into individual start-port flows (e.g., `1024-65535` becomes port `1024`). |
| Tier 2 rules | K8s rules have either source or destination CIDRs, not both. Rules requiring both a specific source and destination cannot be expressed. |
| except CIDRs | `ipBlock.except` arrays are recognized but not used to narrow flows. |
| Named ports | Named ports (e.g., `port: http`) require pod spec resolution and are not supported. |
Accuracy
Accuracy measured against a 400-rule CSV baseline (360 Tier 1 + 40 Tier 2).
| Metric | Value |
|---|---|
| CLI match rate | 66.8% (267/400) |
| Browser match rate | 66.8% (267/400) |
| Tier 1 accuracy | 76.7% (267/348) |
| Tier 2 accuracy | 0% (40 flows -- expected gap) |
| Field accuracy | 100% for matched flows |
| Expected missing | 55 (40 Tier 2 + 15 ICMP) |
| Extra flows | 31 (from port range splitting) |
The lower match rate is primarily due to:
- ICMP gap: 15 rules that use ICMP cannot be expressed in NetworkPolicy format.
- Port range splitting: K8s uses single ports, so ranges like `1024-65535` become a single flow for port `1024` only.
- Tier 2 gap: 40 rules requiring both specific source and destination CIDRs cannot be expressed.
Troubleshooting
"No flows parsed"
Verify the file is valid YAML or JSON with `kind: NetworkPolicy`. Check that `apiVersion` is `networking.k8s.io/v1`.
"ICMP rules missing"
This is expected. Kubernetes NetworkPolicy has no ICMP port specification. ICMP-based rules cannot be represented and are skipped during parsing.
"Port ranges show as single ports"
This is expected. Kubernetes NetworkPolicy only specifies individual port numbers, so ranges from a baseline become single start-port entries. For example, a range of `8000-9000` becomes a single flow for port `8000`.
"Pod selector warning"
Rules that match pods by label selector instead of IP blocks generate warnings. Pod IPs are dynamic and change when pods restart, so they cannot be resolved to static CIDRs.
"Missing egress rules"
Verify the policy has `policyTypes: [Egress]` (or `["Ingress", "Egress"]`) and `egress:` blocks defined. Some policies only define ingress rules.
CLI usage:

```bash
npx @netbobr/cli analyze netpol.yaml --cloud-format k8s-netpol
```

Browser: Drag and drop the `.yaml` file onto the import area. Kubernetes NetworkPolicy format is auto-detected.