{"id":14384108,"url":"https://github.com/deggja/netfetch","last_synced_at":"2025-05-15T12:06:46.981Z","repository":{"id":208513558,"uuid":"721809757","full_name":"deggja/netfetch","owner":"deggja","description":"Kubernetes tool for scanning clusters for network policies and identifying unprotected workloads.","archived":false,"fork":false,"pushed_at":"2025-04-26T16:09:22.000Z","size":11815,"stargazers_count":436,"open_issues_count":21,"forks_count":24,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-04-26T17:23:14.973Z","etag":null,"topics":["cilium","cli","kubernetes","network","opensource","policy"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/deggja.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-21T20:17:27.000Z","updated_at":"2025-04-26T16:09:25.000Z","dependencies_parsed_at":"2023-11-21T22:25:19.204Z","dependency_job_id":"4c7e676a-4fde-4aa0-8e0f-4cc1f27354f6","html_url":"https://github.com/deggja/netfetch","commit_stats":null,"previous_names":["deggja/netfetch"],"tags_count":108,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deggja%2Fnetfetch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deggja%2Fnetfetch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deggja%2Fnetfetch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/deggja%2Fnetfetch/manifests",
"owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/deggja","download_url":"https://codeload.github.com/deggja/netfetch/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254337613,"owners_count":22054253,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cilium","cli","kubernetes","network","opensource","policy"],"created_at":"2024-08-28T18:01:07.614Z","updated_at":"2025-05-15T12:06:41.971Z","avatar_url":"https://github.com/deggja.png","language":"Go","readme":"\u003cdiv align=\"center\"\u003e\n  \u003ca href=\"https://go.dev/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Go-v1.21-brightgreen.svg\" alt=\"go version\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://d3js.org/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/D3-v7.8.5-brightgreen.svg\" alt=\"d3 version\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://nodejs.org/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Node-v21.5.0-brightgreen.svg\" alt=\"node version\"\u003e\n  \u003c/a\u003e\n  \u003ca href=\"https://vuejs.org/\"\u003e\n    \u003cimg src=\"https://img.shields.io/badge/Vue-v5.0.8-brightgreen.svg\" alt=\"vue version\"\u003e\n  \u003c/a\u003e\n\u003c/div\u003e\n\n\n\u003cdiv align=\"center\"\u003e\n\n  \u003ch1\u003eNetfetch\u003c/h1\u003e\n  \u003ch3\u003eScan your Kubernetes clusters to identifiy unprotected workloads and map your existing Network policies\u003c/h3\u003e\n  \n  \u003cimg src=\"https://github.com/deggja/netfetch/assets/17279882/64306f2f-abbf-462c-97d6-a326ca70c2ad\" 
width=\"130px\" alt=\"Netfetch\"/\u003e\n\n\u003c/div\u003e\n\n## Contents\n- [**What is this project?**](#-what-is-this-project-)\n  - [Support](#networkpolicy-type-support-in-netfetch)\n- **[Installation](#installation)**\n  - [Install with brew](#installation-via-homebrew-for-mac-)\n  - [Install in Kubernetes](#installation-via-helm-)\n- [**Usage**](#usage)\n  - [Get started](#get-started)\n  - [Dashboard](#using-the-dashboard-)\n  - [Score](#netfetch-score-)\n  - [Uninstalling](#uninstalling-netfetch)\n- [**Contribute**](#contribute-)\n\n## ⭐ What is this project ⭐\n\nThis project aims to demystify network policies in Kubernetes. It's a work in progress!\n\nThe `netfetch` tool will scan your Kubernetes cluster and let you know if you have any pods running without being targeted by network policies.\n\n| Feature                                                                | CLI  | Dashboard |\n|------------------------------------------------------------------------|------|-----------|\n| Scan cluster to identify pods without network policies                 | ✓    | ✓         |\n| Save scan output to a text file                                        | ✓    |           |\n| Visualize network policies and pods in an interactive network map      |      | ✓         |\n| Create default deny network policies where they are missing            | ✓    | ✓         |\n| Get suggestions for network policies based on existing workloads       |      | ✓         |\n| Calculate a security score based on scan findings                      | ✓    | ✓         |\n| Scan a specific policy by name to see what pods it targets             | ✓    |           |\n\n### NetworkPolicy type support in Netfetch\n\n| Type      | CLI  | Dashboard |\n|-----------|------|-----------|\n| Kubernetes| ✓    | ✓         |\n| Cilium    | ✓    |           |\n\nSupport for additional types of network policies is in the works. No support for the type you need? 
Check out [issues](https://github.com/deggja/netfetch/issues) for an existing request or create a new one if there is none.\n\n## Installation\n### Installation via Homebrew for Mac 💻\n\nYou can install `netfetch` using our Homebrew tap:\n\n```sh\nbrew tap deggja/netfetch https://github.com/deggja/netfetch\nbrew install netfetch\n```\n\nFor specific Linux distros, Windows and other install binaries, check the latest release.\n\n### Installation via Helm 🎩\n\nYou can deploy the `netfetch` dashboard in your Kubernetes clusters using Helm.\n\n```sh\nhelm repo add deggja https://deggja.github.io/netfetch/\nhelm repo update\nhelm install netfetch deggja/netfetch --namespace netfetch --create-namespace\n```\n\nFollow the instructions after deployment to access the dashboard.\n\n#### Prerequisites 🌌\n\n- `netfetch` installed via Homebrew or a release binary.\n- Access to a Kubernetes cluster with `kubectl` configured.\n- Permissions to read and create network policies.\n\n## Usage\n\n### Get started\n\nThe primary command provided by `netfetch` is `scan`. This command scans all non-system Kubernetes namespaces for network policies.\n\nYou can also scan a specific namespace by specifying its name.\n\nYou may add the `--dryrun` or `-d` flag to run a dryrun of the scan. 
The application will not prompt you about adding network policies, but will still give you the output of the scan.\n\nRun `netfetch` in dryrun against a cluster.\n\n```sh\nnetfetch scan --dryrun\n```\n\nYou can also specify the desired kubeconfig file by using the `--kubeconfig /path/to/config` flag.\n\n```sh\nnetfetch scan --kubeconfig /Users/xxx/.kube/config\n```\n\nRun `netfetch` in dryrun against a namespace.\n\n```sh\nnetfetch scan crossplane-system --dryrun\n```\n\n![netfetch-demo](https://github.com/deggja/netfetch/assets/15778492/015e9d9f-a678-4a14-a8bd-607f02c13d9f)\n\nScan the entire cluster.\n\n```sh\nnetfetch scan\n```\n\nScan a namespace called crossplane-system.\n\n```sh\nnetfetch scan crossplane-system\n```\n\nScan the entire cluster for Cilium Network Policies and/or Cluster Wide Cilium Network Policies.\n\n```sh\nnetfetch scan --cilium\n```\n\nScan a namespace called production for regular Cilium Network Policies.\n\n```sh\nnetfetch scan production --cilium\n```\n\nScan a specific network policy.\n\n```sh\nnetfetch scan --target my-policy-name\n```\n\nScan a specific Cilium Network Policy.\n\n```sh\nnetfetch scan --cilium --target default-cilium-default-deny-all\n```\n\n[![asciicast](https://asciinema.org/a/661200.svg)](https://asciinema.org/a/661200)\n\n### Using the dashboard 📟\n\nLaunch the dashboard:\n\n```sh\nnetfetch dash\n```\n\nYou may also specify a port for the dashboard to run on (default is 8080).\n\n```sh\nnetfetch dash --port 8081\n```\n\n### Dashboard functionality overview\n\nThe Netfetch Dashboard offers an intuitive interface for interacting with your Kubernetes cluster's network policies. 
Below is a detailed overview of the functionalities available through the dashboard:\n\n| Action               | Description                                                                                                     | Screenshot Link                                                 |\n|----------------------|-----------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------|\n| Scan Cluster         | Initiates a cluster-wide scan to identify pods without network policies, similar to `netfetch scan`.            | ![Netfetch Dashboard](https://github.com/deggja/netfetch/blob/main/frontend/dash/src/assets/new-dash.png) |\n| Scan Namespace       | Scans a selected namespace for pods not covered by network policies, equivalent to `netfetch scan namespace`.   | ![Cluster map](https://github.com/deggja/netfetch/blob/main/frontend/dash/src/assets/new-clustermap.png) |\n| Create Cluster Map   | Generates a D3-rendered network map of all pods and policies across accessible namespaces.                      | ![Network map](https://github.com/deggja/netfetch/blob/main/frontend/dash/src/assets/new-ns.png) |\n| Suggest Policy       | Provides network policy suggestions based on existing workloads within a selected namespace.                     | ![Suggested policies](https://github.com/deggja/netfetch/blob/main/frontend/dash/src/assets/new-suggestpolicy.png) |\n\n### Interactive Features\n\n- **Table View**: Shows pods not targeted by network policies. 
It updates based on the cluster or namespace scans.\n- **Network Map Visualization**: Rendered using D3 to show how pods and policies interact within the cluster.\n- **Policy Preview**: Double-click network policy nodes within the network map to view policy YAML.\n- **Policy Editing**: Edit suggested policies directly within the dashboard or copy the YAML for external use.\n\n\n### Netfetch score 🥇\n\nThe `netfetch` tool provides a basic score at the end of each scan. The score ranges from 1 to 100, with 1 being the lowest and 100 being the highest possible score.\n\nYour score will decrease based on the number of workloads in your cluster that are running without being targeted by a network policy.\n\nThe score reflects the security posture of your Kubernetes namespaces based on network policies and general policy coverage. If changes are made based on recommendations from the initial scan, rerunning `netfetch` will likely result in a higher score.\n\n### Uninstalling netfetch\n\nTo uninstall the application, run the following commands.\n\n```sh\nbrew uninstall netfetch\nbrew cleanup -s netfetch\nbrew untap deggja/netfetch https://github.com/deggja/netfetch\n```\n\n## Running Tests\n\nTo run tests for netfetch, follow these steps:\n\n1. Navigate to the root directory of the project in your terminal.\n\n2. Navigate to the backend directory within the project:\n\n```sh\ncd backend\n```\n\n3. Run the following command to execute all tests in the project:\n\n```sh\ngo test ./...\n```\n\nThis command will recursively search for tests in all subdirectories (./...) and run them.\n\n4. 
After executing the command, you will see the test results in the terminal output.\n\n## Contribute 🔨\nThank you to the following awesome people:\n\n- [roopeshsn](https://github.com/roopeshsn)\n- [s-rd](https://github.com/s-rd)\n- [JJGadgets](https://github.com/JJGadgets)\n- [Home Operations Discord](https://github.com/onedr0p/home-ops)\n- [pehlicd](https://github.com/pehlicd)\n\n\nYou are welcome to contribute!\n\nSee [CONTRIBUTING](CONTRIBUTING.md) for instructions on how to proceed.\n\n## Tools 🧰\nNetfetch uses other tools for a plethora of different things. It would not be possible without the following:\n\n- [statik](https://github.com/rakyll/statik)\n- [D3](https://d3-graph-gallery.com/network.html)\n- [Helm](https://helm.sh/docs/)\n- [Brew](https://brew.sh/)\n- [lipgloss](https://github.com/charmbracelet/lipgloss)\n\n## License\n\nNetfetch is distributed under the MIT License. See the [LICENSE](LICENSE) for more information.\n","funding_links":[],"categories":["Go"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeggja%2Fnetfetch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdeggja%2Fnetfetch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdeggja%2Fnetfetch/lists"}