Network Access report
To create an Inventory report, create a GlobalReport with the reportType
set to network-access.
The following sample command creates a GlobalReport that results in a daily network access report for
endpoints in the public namespace.
kubectl apply -f - << EOF
apiVersion: projectcalico.org/v3
kind: GlobalReport
metadata:
name: daily-public-network-access-report
labels:
deployment: production
spec:
reportType: network-access
endpoints:
namespaces:
names:
- public
schedule: 0 0 * * *
EOF
There is a known issue that audit logs do not contain deletion events for resources that were deleted implicitly as part of a namespace deletion event. Currently, this means policies and pods that have been deleted in this way may still appear in the reports that cover any period within the next day.
Downloadable reports
summary.csv
A summary CSV file that includes details about the report parameters and the top level counts.
| Heading | Description | Format |
|---|---|---|
| startTime | The report interval start time. | RFC3339 string |
| endTime | The report interval end time. | RFC3339 string |
| endpointSelector | The endpoint selector used to restrict in-scope endpoints by endpoint label selection. | selector string |
| namespaceNames | The set of namespace names used to restrict in-scope endpoints by namespace. | ";" separated list of namespace names |
| namespaceSelector | The namespace selector used to restrict in-scope endpoints by namespace label selection. | selector string |
| serviceAccountNames | The set of service account names used to restrict in-scope endpoints by service account. | ";" separated list of service account names |
| serviceAccountSelectors | The service account selector used to restrict in-scope endpoints by service account label selection. | selector string |
| endpointsNumIngressProtected | The number of in-scope endpoints that were always ingress protected during the report interval. | number |
| endpointsNumEgressProtected | The number of in-scope endpoints that were always egress protected during the report interval. | number |
| endpointsNumIngressUnprotected | The number of in-scope endpoints that were ingress unprotected at any point during the report interval. | number |
| endpointsNumEgressUnprotected | The number of in-scope endpoints that were egress unprotected at any point during the report interval. | number |
| endpointsNumIngressFromInternet | The number of in-scope endpoints that allowed ingress traffic from the public internet at any point during the report interval. | number |
| endpointsNumEgressToInternet | The number of in-scope endpoints that allowed egress traffic to the public internet at any point during the report interval. | number |
| endpointsNumIngressFromOtherNamespace | The number of in-scope endpoints that allowed ingress traffic from another namespace at any point during the report interval. | number |
| endpointsNumEgressToOtherNamespace | The number of in-scope endpoints that allowed egress traffic to another namespace at any point during the report interval. | number |
| endpointsNumEnvoyEnabled | The number of in-scope endpoints that were always Envoy enabled during the report interval. | number |
endpoints.csv
An endpoints CSV file that includes per-endpoint information.
| Heading | Description | Format |
|---|---|---|
| endpoint | The name of the endpoint. | string |
| ingressProtected | Whether the endpoint was always ingress protected during the report interval. | bool |
| egressProtected | Whether the endpoint was always egress protected during the report interval. | bool |
| ingressFromInternet | Whether the endpoint allowed ingress traffic from the public internet at any point during the report interval. | number |
| egressToInternet | Whether the endpoint allowed egress traffic to the public internet at any point during the report interval. | number |
| ingressFromOtherNamespace | Whether the endpoint allowed ingress traffic from another namespace at any point during the report interval. | number |
| egressToOtherNamespace | Whether the endpoint allowed egress traffic to another namespace at any point during the report interval. | number |
| envoyEnabled | Whether the endpoint was always Envoy enabled during the report interval. | bool |
| appliedPolicies | The full set of policies that applied to the endpoint at any time during the report interval. | ";" separated list of policy names |
| services | The full set of services that included this endpoint at any time during the report interval. | ";" separated list of service names |
| trafficAggregationPrefix* | The flow log aggregation prefix. | string |
| endpointsGeneratingTrafficToThisEndpoint* | The set of endpoints that were generating traffic to this endpoint. | ";" separated list of service names |
| endpointsReceivingTrafficFromThisEndpoint* | The set of endpoints that this endpoint is generating traffic to. | ";" separated list of service names |
* Traffic data is determined from flow logs. By default, Calico Enterprise aggregates flow logs so that flows to and from pods in the same replica set are summarized if the flows are accepted. (Denied flows are not aggregated this way by default). This means that the per-endpoint traffic details do not refer specifically to that endpoint, but rather the set of endpoints specified by the trafficAggregationPrefix.
If you want per-endpoint detail you should turn down the level of aggregation. To do so,
set the value of flowLogsFileAggregationKindForAllowed to 1 using a FelixConfiguration