{"id":13821131,"url":"https://github.com/inovex/illuminatio","last_synced_at":"2025-05-16T12:32:35.916Z","repository":{"id":53533121,"uuid":"193933013","full_name":"inovex/illuminatio","owner":"inovex","description":"The kubernetes network policy validator.","archived":true,"fork":false,"pushed_at":"2021-03-25T22:43:10.000Z","size":2191,"stargazers_count":243,"open_issues_count":37,"forks_count":14,"subscribers_count":6,"default_branch":"master","last_synced_at":"2025-04-16T10:37:48.988Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/inovex.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":null,"support":null}},"created_at":"2019-06-26T15:37:31.000Z","updated_at":"2025-01-07T14:55:56.000Z","dependencies_parsed_at":"2022-08-20T12:20:29.006Z","dependency_job_id":null,"html_url":"https://github.com/inovex/illuminatio","commit_stats":null,"previous_names":[],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inovex%2Filluminatio","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inovex%2Filluminatio/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inovex%2Filluminatio/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/inovex%2Filluminatio/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/inovex","download_url":"https://codeload.github.com/inovex/illuminatio/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count"
:254530481,"owners_count":22086623,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T08:01:16.013Z","updated_at":"2025-05-16T12:32:30.906Z","avatar_url":"https://github.com/inovex.png","language":"Python","funding_links":[],"categories":["Python","others","Networking","NetWork"],"sub_categories":["[Jenkins](#jenkins)"],"readme":"# illuminatio - The kubernetes network policy validator\n\n[![Build Status](https://travis-ci.org/inovex/illuminatio.svg?branch=master)](https://travis-ci.org/inovex/illuminatio)\n[![codecov](https://codecov.io/gh/inovex/illuminatio/branch/master/graph/badge.svg)](https://codecov.io/gh/inovex/illuminatio)\n\n![logo](/img/logo_small.png)\n\nilluminatio is a tool for automatically testing kubernetes network policies.\nSimply execute `illuminatio clean run`\nand illuminatio will scan your kubernetes cluster for network policies, build test cases accordingly and execute them\nto determine if the policies are in effect.\n\nAn overview of the concept is visualized in [the concept doc](docs/concept.md).\n\n## Demo\n\n![Demo with NetworkPolicy enabled](img/demo-netpol-enabled.gif)\n\nWatch it on asciinema with [NetworkPolicy enabled](https://asciinema.org/a/273548) or with [NetworkPolicy disabled](https://asciinema.org/a/273556).\n\n## Getting started\n\nFollow these instructions to get illuminatio up and running.\n\n## Prerequisites\n\n- Python 3.6 or greater\n- Pip 3\n\n## Installation\n\nwith pip:\n\n```bash\npip3 install illuminatio\n```\n\nor directly from the repository:\n\n```bash\npip3 install 
git+https://github.com/inovex/illuminatio\n```\n\n### Kubectl plugin\n\nIn order to use `illuminatio` as a [kubectl plugin](https://kubernetes.io/docs/tasks/extend-kubectl/kubectl-plugins) run the following command:\n\n```bash\nln -s $(which illuminatio) /usr/local/bin/kubectl-illuminatio\n```\n\nAnd now cross check that the plugin exists:\n\n```bash\nkubectl plugin list --name-only | grep illuminatio\nThe following compatible plugins are available:\n\nkubectl-illuminatio\n```\n\n## Example Usage\n\nCreate a Deployment to test with:\n\n```bash\nkubectl create deployment web --image=nginx\nkubectl expose deployment web --port 80 --target-port 80\n```\n\nDefine and create a NetworkPolicy for your Deployment:\n\n```bash\ncat \u003c\u003cEOF | kubectl create -f -\nkind: NetworkPolicy\napiVersion: networking.k8s.io/v1\nmetadata:\n  name: web-deny-all\nspec:\n  podSelector:\n    matchLabels:\n      app: web\n  ingress: []\nEOF\n```\n\nTest your newly created NetworkPolicy:\n\n```bash\nilluminatio clean run\nStarting cleaning resources with policies ['on-request', 'always']\nDeleting namespaces [] with cleanup policy on-request\nDeleting namespaces [] with cleanup policy always\nDeleting DSs in default with cleanup policy on-request\nDeleting pods in default with cleanup policy on-request\nDeleting svcs in default with cleanup policy on-request\nDeleting CfgMaps in default with cleanup policy on-request\nDeleting CRBs  with cleanup policy on-request globally\nDeleting SAs in default with cleanup policy on-request\nDeleting DSs in default with cleanup policy always\nDeleting pods in default with cleanup policy always\nDeleting svcs in default with cleanup policy always\nDeleting CfgMaps in default with cleanup policy always\nDeleting CRBs  with cleanup policy always globally\nDeleting SAs in default with cleanup policy always\nFinished cleanUp\n\nStarting test generation and run.\nGot cases: [NetworkTestCase(from=ClusterHost(namespace=default, podLabels={'app': 'web'}), 
to=ClusterHost(namespace=default, podLabels={'app': 'web'}), port=-*)]\nGenerated 1 cases in 0.0701 seconds\nFROM             TO               PORT\ndefault:app=web  default:app=web  -*\n\nUsing existing cluster role\nCreating cluster role binding\nTestResults: {'default:app=web': {'default:app=web': {'-*': {'success': True}}}}\nFinished running 1 tests in 18.7413 seconds\nFROM             TO               PORT  RESULT\ndefault:app=web  default:app=web  -*    success\n```\n\nThe `clean` keyword makes illuminatio delete any resources left over from previous illuminatio runs before the tests start, so that leftovers cannot interfere with the new run; resources created by users are not touched.\n\n*PLEASE NOTE* that currently each new run requires a clean, as the runners do not continuously look for new cases.\n\nIf you want to keep the generated resources, omit the `clean` keyword.\n\nWhen you are done testing, delete all resources created by illuminatio with:\n\n```bash\nilluminatio clean\n```\n\nTo preview the generated test cases without running them, use the `--dry` option of `illuminatio run`:\n\n```bash\nilluminatio run --dry\nStarting test generation and run.\nGot cases: [NetworkTestCase(from=ClusterHost(namespace=default, podLabels={'app': 'web'}), to=ClusterHost(namespace=default, podLabels={'app': 'web'}), port=-*)]\nGenerated 1 cases in 0.0902 seconds\nFROM             TO               PORT\ndefault:app=web  default:app=web  -*\n\nSkipping test execution as --dry was set\n```\n\nAll options and further information can be found using the `--help` flag on any level:\n\n```bash\nilluminatio --help\n```\n\n```bash\nUsage: illuminatio [OPTIONS] COMMAND1 [ARGS]... [COMMAND2 [ARGS]...]...\n\nOptions:\n  -v, --verbosity LVL  Either CRITICAL, ERROR, WARNING, INFO or DEBUG\n  --incluster\n  --help               Show this message and exit.\n\nCommands:\n  clean\n  run\n```\n\n## Docker Usage\n\nInstead of installing the `illuminatio` CLI on your machine you can also use our Docker image.\nYou will need to mount your `kubeconfig` into the container, and probably some certificates as well:\n\n```bash\ndocker run -ti -v ~/.kube/config:/kubeconfig:ro inovex/illuminatio illuminatio clean run\n```\n\nPlease note that some external authentication mechanisms (e.g. GCP / gcloud CLI) don't work correctly inside the container.\n\n### Minikube\n\nMinikube stores its certificates in the user's home directory, so these need to be mounted into the container as well:\n\n```bash\ndocker run -ti -v \"${HOME}/.minikube\":\"${HOME}/.minikube\" -v \"${HOME}/.kube\":/home/illuminatio/.kube:ro inovex/illuminatio illuminatio clean run\n```\n\nIf the minikube VM is not reachable from your container, try passing the `--net=host` flag to the `docker run` command.\n\n## Compatibility\n\nilluminatio 1.1 was tested using:\n\n- python 3.5.2\n- pip 19.2.1\n\nilluminatio 1.1 is confirmed to be working properly with the following kubernetes environments:\n\n- minikube v0.34.1, kubernetes v1.13.3\n- Google Kubernetes Engine, v1.12.8-gke.10\n- kubeadm 1.15.0-00, kubernetes v1.15.2\n\n### PodSecurityPolicy\n\nIf your cluster has the [PodSecurityPolicy](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#podsecuritypolicy) Admission Controller enabled, you must ensure that the illuminatio runner pod is allowed to be created with the following privileges:\n\n- Running as root\n- The `SYS_ADMIN` capability\n- `allowPrivilegeEscalation: true`\n- Access to the `hostPath` volumes for the network namespaces and the CRI socket\n\nA `PodSecurityPolicy` granting these privileges needs to be bound to the `illuminatio-runner` `ServiceAccount` in the `illuminatio` namespace.\nFor more details see the [illuminatio DaemonSet](src/illuminatio/manifests/containerd-daemonset.yaml).\n\n## References\n\nThe logo was created by Pia Blum.\n\nExample Network Policies are inspired by\n[kubernetes-network-policy-recipes](https://github.com/ahmetb/kubernetes-network-policy-recipes).\n\nPresentation from [ContainerDays 2019](https://www.youtube.com/watch?v=eEkTvAez8HA\u0026list=PLHhKcdBlprMdg-fwPD1b3IjBRR_Ga09H0\u0026index=36), with [slides](https://www.inovex.de/de/content-pool/vortraege/network-policies).\n\nThere is also a blog post about the background of illuminatio: [illuminatio-kubernetes-network-policy-validator](https://www.inovex.de/blog/illuminatio-kubernetes-network-policy-validator/)\n\n## Contributing\n\nWe are happy to read your [issues](https://github.com/inovex/illuminatio/issues) and accept your [Pull Requests](https://github.com/inovex/illuminatio/compare).\nThis project uses the [standard github flow](https://help.github.com/en/articles/creating-a-pull-request-from-a-fork).\nFor more information on developing illuminatio refer to [the development docs](docs/developing.md).\n\n## License\n\nThis project, excluding the logo, is licensed under the terms of the Apache 2.0 license.\nThe logo is licensed under the terms of the CC BY-NC-ND 4.0 license.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finovex%2Filluminatio","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finovex%2Filluminatio","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finovex%2Filluminatio/lists"}