Generate Network Policies using roxctl (npguard) from running deployments.

generate_netpol.sh

if [ $# -eq 0 ]
then
echo  "try: $0 payments-v2 frontend backend"
exit 1
fi

> netpols.yaml

for namespace in $@
do
deployments=$(oc get deployments -n ${namespace} -o custom-columns=NAME:.metadata.name --no-headers)
services=$(oc get services -n ${namespace} -o custom-columns=NAME:.metadata.name --no-headers)
configmaps=$(oc get configmap -n ${namespace} -o custom-columns=NAME:.metadata.name --no-headers)
routes=$(oc get route -n ${namespace} -o custom-columns=NAME:.metadata.name --no-headers)


for deployment in $(echo ${deployments})
do
    oc get deployment/${deployment} -n ${namespace} -o yaml > ${deployment}-deployment.yaml
done

for service in $(echo ${services})
do
    oc get service/${service} -n ${namespace} -o yaml > ${service}-service.yaml
done

for configmap in $(echo ${configmaps})
do
    oc get configmap/${configmap} -n ${namespace} -o yaml > ${configmap}-configmap.yaml
done

for route in $(echo ${routes})
do
    selector=$(oc -n ${namespace} get service/$(oc -n ${namespace} get route ${route} -o jsonpath='{.spec.to.name}') -o jsonpath='{.spec.selector}' | sed -e 's/{//' -e 's/}//' -e 's/"//g' -e 's/:/: /g')

echo "apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-from-openshift-ingress-${route}
  namespace: ${namespace}
spec:
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          network.openshift.io/policy-group: ingress
  podSelector:
    matchLabels:
      ${selector}
  policyTypes:
  - Ingress
---
" >> netpols.yaml

done
done
roxctl generate netpol . 2>/dev/null | sed 's/port: 53/port: 5353/' >> netpols.yaml

# To generate the connectivity graph you have to install Network Config Analyzer (NCA)
# pip install network-config-analyzer
# nca --connectivity -r . -o jpg -f connectivity.jpg