Network policies
This section describes how to enable network policy audit logging and where to find its output when troubleshooting network policies.
Benefits of network policy audit logging
The network policies that are shipped with IBM Fusion enforce traffic rules silently, allowing or denying connections based on predefined policies. When an application fails to connect, the lack of visibility into these decisions makes it difficult to determine whether the issue is caused by a network misconfiguration, a code defect, or a security policy violation.
Enabling network policy audit logging provides the following benefits:
- Granular visibility: Records detailed information for each dropped packet (subject to the configured rate limit), including the source IP address, destination port, and the specific network policy responsible for the decision.
- Faster troubleshooting: Allows administrators to quickly determine whether an OVN-Kubernetes access control list (ACL) denies traffic, eliminating guesswork during connectivity issues.
- Security compliance: Provides a verifiable audit trail that helps security teams confirm that default-deny policies are enforced correctly and detect potential lateral movement or unauthorized access attempts within the cluster.
- Policy refinement: Enables administrators to assess the impact of policies before enforcing them strictly in production by identifying legitimate traffic that would otherwise be blocked, helping to prevent unintended service disruptions.
Configuration
- Apply the cluster configuration.
If logging is not configured, the cluster administrator must patch the Cluster Network Operator:
oc patch network.operator.openshift.io cluster --type=merge -p '{ "spec": { "defaultNetwork": { "ovnKubernetesConfig": { "policyAuditConfig": { "destination": "libc", "maxFileSize": 50000000, "maxLogFiles": 5, "rateLimit": 20, "syslogFacility": "local0" } } } } }'
Note: Consult your security team if they have a preferred audit log destination. Setting the destination to libc forwards the logs to the node's systemd-journald. Ensure that maxFileSize is given in bytes, not megabytes (for example, 50000000 is 50 MB). rateLimit is the maximum number of audit messages generated per second on each node; the default of 20 keeps a busy deny rule from flooding the journal, but it also means that not every dropped packet is recorded.
Audit logging is also enabled per namespace. Annotate each namespace whose policies you want to audit with k8s.ovn.org/acl-logging='{ "deny": "alert", "allow": "notice" }'; without this annotation, no acl_log entries are written for that namespace's policies.
- Find the logs.
After you apply the configuration, query the audit log destination for deny entries (written at severity alert with the annotation above).
If you configured the destination as libc, query the system journal on the nodes where the application pods are running to see the dropped traffic:
oc debug node/<node-name> -- chroot /host journalctl | grep acl_log
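The procedure above, end to end, as an added example that is not part of the IBM Fusion documentation or tooling: it wraps the Cluster Network Operator patch, adds the per-namespace k8s.ovn.org/acl-logging annotation, reads acl_log lines from the node journal, and reduces each line to the fields a troubleshooter needs (verdict, policy name, source, destination and port). The namespace fusion-app, the node worker-0 and the three acl_log lines embedded as sample input are constructed for illustration, not captured from a cluster. The oc commands run only when the script is invoked with the argument apply and oc is on the PATH, so the triage part can be exercised offline against the sample.

```shell
#!/bin/sh
# Added example, not IBM Fusion's own tooling: enable OVN-Kubernetes network policy
# audit logging and triage the resulting acl_log lines.
# Assumptions (constructed for this example): namespace "fusion-app", node "worker-0".

NS="${NS:-fusion-app}"
NODE="${NODE:-worker-0}"

# Step 1: the Cluster Network Operator patch from the page (destination libc =>
# lines land in the node's systemd-journald; maxFileSize is in bytes).
enable_policy_audit() {
  oc patch network.operator.openshift.io cluster --type=merge -p '{
    "spec": { "defaultNetwork": { "ovnKubernetesConfig": { "policyAuditConfig": {
      "destination": "libc", "maxFileSize": 50000000, "maxLogFiles": 5,
      "rateLimit": 20, "syslogFacility": "local0" } } } } }'
}

# Step 2: audit logging is opt-in per namespace. Deny verdicts are logged at
# severity alert, allow verdicts at notice; leave out the "allow" key to log
# only denies.
annotate_namespace() {
  oc annotate namespace "$1" --overwrite \
    'k8s.ovn.org/acl-logging={ "deny": "alert", "allow": "notice" }'
}

# Step 3: read the journal on the node that runs the affected pod.
fetch_acl_log() {
  oc debug node/"$1" -- chroot /host journalctl --no-pager | grep acl_log
}

# Step 4: reduce each acl_log line to "verdict policy src -> dst:port".
# name="NP:<namespace>:<policy>" identifies the NetworkPolicy whose ACL fired.
summarize_acl_log() {
  awk '
    /acl_log/ {
      name = verdict = src = dst = port = "?"
      if (match($0, /name="[^"]*"/))   name    = substr($0, RSTART + 6, RLENGTH - 7)
      if (match($0, /verdict=[a-z]+/)) verdict = substr($0, RSTART + 8, RLENGTH - 8)
      if (match($0, /nw_src=[0-9.]+/)) src     = substr($0, RSTART + 7, RLENGTH - 7)
      if (match($0, /nw_dst=[0-9.]+/)) dst     = substr($0, RSTART + 7, RLENGTH - 7)
      if (match($0, /tp_dst=[0-9]+/))  port    = substr($0, RSTART + 7, RLENGTH - 7)
      printf "%s %s %s -> %s:%s\n", verdict, name, src, dst, port
    }'
}

# Count deny verdicts on stdin; a non-zero count means a policy, not the
# application, is rejecting the connection.
count_drops() {
  grep -c 'verdict=drop' || true
}

# Constructed sample of journal output (not captured from a real cluster), in the
# format ovn-controller writes when the destination is libc.
SAMPLE_ACL_LOG='2024-05-02T10:15:31.201Z|00012|acl_log(ovn_pinctrl0)|INFO|name="NP:fusion-app:deny-all", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:39,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.57,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=43210,tp_dst=8080,tcp_flags=syn
2024-05-02T10:15:32.009Z|00013|acl_log(ovn_pinctrl0)|INFO|name="NP:fusion-app:allow-frontend", verdict=allow, severity=notice, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3c,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.60,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=51000,tp_dst=8080,tcp_flags=syn
2024-05-02T10:15:35.788Z|00014|acl_log(ovn_pinctrl0)|INFO|name="NP:fusion-app:deny-all", verdict=drop, severity=alert, direction=to-lport: tcp,vlan_tci=0x0000,dl_src=0a:58:0a:80:02:3d,dl_dst=0a:58:0a:80:02:37,nw_src=10.128.2.61,nw_dst=10.128.2.55,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=39800,tp_dst=5432,tcp_flags=syn'

if [ "${1:-}" = "apply" ] && command -v oc >/dev/null 2>&1; then
  enable_policy_audit
  annotate_namespace "$NS"
  fetch_acl_log "$NODE" | summarize_acl_log
else
  # Offline run: triage the constructed sample instead of a live node.
  printf '%s\n' "$SAMPLE_ACL_LOG" | summarize_acl_log
fi
```

Run it with apply on a cluster to patch, annotate and read the journal of the node in NODE; run it without arguments to see the triage output for the sample. In the sample, two drop lines name NP:fusion-app:deny-all as the policy that rejected connections to 10.128.2.55 on ports 8080 and 5432, which is exactly the evidence that distinguishes a policy denial from an application fault; the allow line shows that the frontend source permitted by allow-frontend still gets through.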