The get command list the object asked. It could be a single object or a list of multiple objects comma separated. This command is useful to get the status of each object. The output can be formatted to only display some information based on some json search or external tools like tr, sort, uniq.
The default output display some useful information about each services :
Name : the name of the newly created resource
Pod-selector : the labels used to associate the Network Policy with the Pods
Age : the age since his creation
Exercise n°1
kubectl get networkpolicy
NAME POD-SELECTOR AGE
defaultnetworkpolicy <none> 2m
testnetworkpolicy role=db 5s
Describe
Once an object is running, it is inevitably a need to debug problems or check the configuration deployed.
The describe command display a lot of configuration information about the NetworkPolicies (labels, annotations, etc.) and the specific policies associated to the current NetworkPolicy (type, port, selectors, etc).
This command is really useful to introspect and debug an object deployed in a cluster.
Exercise n°1
Describe one of the existing Network Policy in the default namespace.
kubectl describe networkpolicy testnetworkpolicy
Name: testnetworkpolicy
Namespace: default
Created on: 2019-02-13 14:59:12 -0500 EST
Labels: <none>
Annotations: <none>
Spec:
PodSelector: role=db
Allowing ingress traffic:
To Port: 6379/TCP
From IPBlock:
CIDR: 172.17.0.0/16
Except: 172.17.1.0/24
From NamespaceSelector: project=myproject
From PodSelector: role=frontend
Allowing egress traffic:
To Port: 5978/TCP
To IPBlock:
CIDR: 10.0.0.0/24
Except:
Policy Types: Ingress, Egress
Explain
Kubernetes come with a lot of documentation about his objects and the available options in each one. Those information can be fin easily in command line or in the official Kubernetes documentation.
The explain command allows to directly ask the API resource via the command line tools to display information about each Kubernetes objects and their architecture.
Exercise n°1
Get the documentation of a specific field of a resource.
kubectl explain networkpolicy.spec
KIND: NetworkPolicy
VERSION: extensions/v1beta1
RESOURCE: spec <Object>
DESCRIPTION:
Specification of the desired behavior for this NetworkPolicy.
DEPRECATED 1.9 - This group version of NetworkPolicySpec is deprecated by
networking/v1/NetworkPolicySpec.
FIELDS:
egress <[]Object>
List of egress rules to be applied to the selected pods. Outgoing traffic
is allowed if there are no NetworkPolicies selecting the pod (and cluster
policy otherwise allows the traffic), OR if the traffic matches at least
one egress rule across all of the NetworkPolicy objects whose podSelector
matches the pod. If this field is empty then this NetworkPolicy limits all
outgoing traffic (and serves solely to ensure that the pods it selects are
isolated by default). This field is beta-level in 1.8
ingress <[]Object>
List of ingress rules to be applied to the selected pods. Traffic is
allowed to a pod if there are no NetworkPolicies selecting the pod OR if
the traffic source is the pod's local node, OR if the traffic matches at
least one ingress rule across all of the NetworkPolicy objects whose
podSelector matches the pod. If this field is empty then this NetworkPolicy
does not allow any traffic (and serves solely to ensure that the pods it
selects are isolated by default).
podSelector <Object> -required-
Selects the pods to which this NetworkPolicy object applies. The array of
ingress rules is applied to any pods selected by this field. Multiple
network policies can select the same set of pods. In this case, the ingress
rules for each are combined additively. This field is NOT optional and
follows standard label selector semantics. An empty podSelector matches all
pods in this namespace.
policyTypes <[]string>
List of rule types that the NetworkPolicy relates to. Valid options are
Ingress, Egress, or Ingress,Egress. If this field is not specified, it will
default based on the existence of Ingress or Egress rules; policies that
contain an Egress section are assumed to affect Egress, and all policies
(whether or not they contain an Ingress section) are assumed to affect
Ingress. If you want to write an egress-only policy, you must explicitly
specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy
that specifies that no egress is allowed, you must specify a policyTypes
value that include "Egress" (since such a policy would not include an
Egress section and would otherwise default to just [ "Ingress" ]). This
field is beta-level in 1.8
Add the --recursive flag to display all of the fields at once without descriptions.
Delete
The delete command delete resources by filenames, stdin, resources and names, or by resources and label selector.
Be careful on the deletion of a network policy, this can isolate resource or expose it and cause damaged to your services.
Note that the delete command does NOT do resource version checks, so if someone submits an update to a resource right when you submit a delete, their update will be lost along with the rest of the resource.
Exercise n°1
Delete the previous network policy in command line.
