{"id":18303121,"url":"https://github.com/monzo/calico-accountant","last_synced_at":"2025-04-05T14:31:51.949Z","repository":{"id":35871998,"uuid":"210162621","full_name":"monzo/calico-accountant","owner":"monzo","description":"A Prometheus exporter for Calico policy packet counts","archived":false,"fork":false,"pushed_at":"2022-05-26T12:38:21.000Z","size":6231,"stargazers_count":92,"open_issues_count":3,"forks_count":9,"subscribers_count":71,"default_branch":"master","last_synced_at":"2025-03-21T06:33:21.778Z","etag":null,"topics":["calico","monitoring","networking","prometheus"],"latest_commit_sha":null,"homepage":null,"language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/monzo.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-09-22T14:41:00.000Z","updated_at":"2024-11-08T23:22:50.000Z","dependencies_parsed_at":"2022-09-08T17:30:51.148Z","dependency_job_id":null,"html_url":"https://github.com/monzo/calico-accountant","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fcalico-accountant","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fcalico-accountant/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fcalico-accountant/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/monzo%2Fcalico-accountant/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/monzo","download_url":"https://codeload.github.com/monzo/calico-accountant/tar.gz/refs/heads/master","host":{"n
ame":"GitHub","url":"https://github.com","kind":"github","repositories_count":247352669,"owners_count":20925309,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["calico","monitoring","networking","prometheus"],"created_at":"2024-11-05T15:24:16.649Z","updated_at":"2025-04-05T14:31:46.936Z","avatar_url":"https://github.com/monzo.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# calico-accountant\n\ncalico-accountant is a Prometheus exporter that helps you track the consequences of Calico policies. It requests\nstatistics from iptables on the number of packets accepted by each policy for each workload, and the number of packets \ndropped because no policies matched them.\n\ncalico-accountant itself runs as a Pod in your cluster, and needs access only to the Calico datastore. It maintains an\ninternal cache of workloads on the host on which it runs, as well as a mapping from policy chain names to Calico policy\nnames.\n\n## Installation\n\nDownload the source code package:\n```shell\n$ git clone https://github.com/monzo/calico-accountant $GOPATH/src/github.com/monzo/calico-accountant\n```\n\nBuild the container from the source code (make sure you have Docker running):\n```shell\n$ cd $GOPATH/src/github.com/monzo/calico-accountant\n$ make container\n```\n\n## Usage \n\n### Examples of use\n1. Use calico-accountant to see how many packets are being passed by each of your Calico policies, and how many are dropped because no policies passed them.\nAlert if there are dropped packets, or if a key policy sees less traffic.\n2. 
Test your policies in a safe way by setting up a high-order allow-all policy, then your more restrictive policy (that you hope matches all traffic) on a lower\norder. If no packets are allowed by the allow-all policy, then your restrictive policy must fully specify all required traffic.\n\n### Privilege\ncalico-accountant needs root privileges to interact with iptables.\n\n### Container Spec\nWe suggest running calico-accountant as a [DaemonSet](https://kubernetes.io/docs/concepts/workloads/controllers/daemonset/) in your cluster. An example YAML spec file can be found in [demo/](demo/).\n\n### Environment Variables \n\n#### Required: \nYou will need to provide the correct environment variables for the Calico datastore client. This may be as simple as\nproviding `ETCD_ENDPOINTS`. The setup can be copied from the Calico kube-controllers or from Calico node.\n\n#### Optional:\n* `NODENAME`: (string, default: hostname, to match Calico node behaviour) Should be equal to `spec.nodeName`, i.e. the Kubernetes node name. \nSee the demo manifest for one way to provide this. If you don't provide this to Calico node, you may not need to provide it here either.\n* `METRICS_SERVER_PORT`: (int, default: **9009**) Port for the service to host its metrics.\n* `MINIMUM_COUNTER`: (int, default: **0**) Scrapes where all counts are below this value are dropped. This is to dodge iptables race conditions where counters briefly drop to near-zero and then return.\n\n### Metrics \nMetrics are implemented with Prometheus and hosted on the web server at `/metrics`. 
\n\nEvery scrape leads to a single `iptables-save` command.\n\nExported metrics:\n```go\nvar dropDesc = prometheus.NewDesc(\"no_policy_drop_counter\", \"Number of packets dropped to/from a workload because no policies matched them\", []string{\n\t\"pod\", // the name of the Kubernetes pod, if any\n\t\"app\", // the value of the \"app\" label of the pod, if any\n\t\"ip\", // a comma separated list of ips or subnets associated with the workload\n\t\"type\", // fw = from workload, tw = to workload\n}, nil)\nvar acceptDesc = prometheus.NewDesc(\"policy_accept_counter\", \"Number of packets accepted by a policy on a workload\", []string{\n\t\"pod\",\n\t\"app\",\n\t\"ip\",\n\t\"type\",\n\t\"policy\", // full name of the accepting calico policy, eg default/knp.default.foo\n}, nil)\n```\n\n## Credits\n\nInspiration was taken from [kube-iptables-tailer](https://github.com/box/kube-iptables-tailer)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Fcalico-accountant","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmonzo%2Fcalico-accountant","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmonzo%2Fcalico-accountant/lists"}