This is a cache of https://docs.openshift.com/acs/4.5/cli/command-reference/roxctl-netpol.html. It is a snapshot of the page at 2024-11-27T18:10:20.153+0000.
roxctl netpol - roxctl CLI command reference | roxctl CLI | Red Hat Advanced Cluster Security for Kubernetes 4.5

Commands related to the network policies.

Usage
$ roxctl netpol [command] [flags]
Table 1. Available commands
Command Description

connectivity

Connectivity analysis of the network policy resources.

generate

Recommend network policies based on the deployment information.

roxctl netpol command options inherited from the parent command

The roxctl netpol command supports the following options inherited from the parent roxctl command:

Option Description

--ca string

Specify a custom CA certificate file path for secure connections. Alternatively, you can specify the file path by using the ROX_CA_CERT_FILE environment variable.

--direct-grpc

Set --direct-grpc for improved connection performance. Alternatively, by setting the ROX_DIRECT_GRPC_CLIENT environment variable to true, you can enable direct gRPC. The default value is false.

-e, --endpoint string

Set the endpoint for the service to contact. Alternatively, you can set the endpoint by using the ROX_ENDPOINT environment variable. The default value is localhost:8443.

--force-http1

Force the use of HTTP/1 for all connections. Alternatively, by setting the ROX_CLIENT_FORCE_HTTP1 environment variable to true, you can force the use of HTTP/1. The default value is false.

--insecure

Enable insecure connection options. Alternatively, by setting the ROX_INSECURE_CLIENT environment variable to true, you can enable insecure connection options. The default value is false.

--insecure-skip-tls-verify

Skip the TLS certificate validation. Alternatively, by setting the ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY environment variable to true, you can skip the TLS certificate validation. The default value is false.

--no-color

Disable the color output. Alternatively, by setting the ROX_NO_COLOR environment variable to true, you can disable the color output. The default value is false.

-p, --password string

Specify the password for basic authentication. Alternatively, you can set the password by using the ROX_ADMIN_PASSWORD environment variable.

--plaintext

Use an unencrypted connection. Alternatively, by setting the ROX_PLAINTEXT environment variable to true, you can enable an unencrypted connection. The default value is false.

-s, --server-name string

Set the TLS server name to use for SNI. Alternatively, you can set the server name by using the ROX_SERVER_NAME environment variable.

--token-file string

Use the API token provided in the specified file for authentication. Alternatively, you can set the token by using the ROX_API_TOKEN environment variable.

These options are applicable to all the sub-commands of the roxctl netpol command.
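
The following preflight check is an added example, not part of the Red Hat documentation or the roxctl code base. It flags the inherited environment variables and flags listed above that disable TLS protections or place the password on the command line. The function names, the message wording, and the treatment of `1`/`t` as true and of `--flag=false` syntax are assumptions.

```shell
#!/bin/sh
# Added example: audit roxctl settings that weaken the connection to the
# endpoint. Variable and flag names are from the option list above; function
# names and message wording are made up for this sketch.

# is_true VALUE: succeeds when VALUE reads as an enabled boolean.
# Assumption: "1" and "t" count as enabled besides the documented "true",
# so the audit errs towards flagging.
is_true() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        true|t|1) return 0 ;;
        *) return 1 ;;
    esac
}

# rox_audit [ROXCTL_ARGS...]: prints one finding per line for the current
# environment and the given arguments; returns 1 when anything was found.
rox_audit() {
    findings=0
    for var in ROX_INSECURE_CLIENT ROX_INSECURE_CLIENT_SKIP_TLS_VERIFY ROX_PLAINTEXT; do
        eval "val=\${$var:-}"
        if is_true "$val"; then
            echo "env $var=$val weakens transport security"
            findings=$((findings + 1))
        fi
    done
    if [ -n "${ROX_CA_CERT_FILE:-}" ] && [ ! -r "$ROX_CA_CERT_FILE" ]; then
        echo "env ROX_CA_CERT_FILE is not a readable file: $ROX_CA_CERT_FILE"
        findings=$((findings + 1))
    fi
    for arg in "$@"; do
        name=${arg%%=*}
        case "$name" in
            --insecure|--insecure-skip-tls-verify|--plaintext)
                # Assumption: a bare flag means true and an explicit
                # --flag=false is accepted; only the enabled form is flagged.
                if [ "$name" = "$arg" ] || is_true "${arg#*=}"; then
                    echo "flag $name weakens transport security"
                    findings=$((findings + 1))
                fi ;;
            -p|--password)
                echo "flag $name puts the password on the command line"
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

In a pipeline, call `rox_audit "$@"` with the same arguments that are about to be passed to roxctl and stop the job when it returns non-zero.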

roxctl netpol generate

Recommend network policies based on the deployment information.

Usage
$ roxctl netpol generate <folder_path> [flags] (1)
1 For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.
Table 2. Options
Option Description

--dnsport uint16

Specify the DNS port that you want to use in the egress rules of synthesized network policies. The default value is 53.

--fail

Fail on the first encountered error. The default value is false.

-d, --output-dir string

Save generated policies into the target folder.

-f, --output-file string

Save and merge generated policies into a single YAML file.

--remove

Remove the output path if it already exists. The default value is false.

--strict

Treat warnings as errors. The default value is false.

roxctl netpol connectivity

Commands related to the connectivity analysis of the network policy resources.

Usage
$ roxctl netpol connectivity [flags]

roxctl netpol connectivity map

Analyze connectivity based on the network policies and other resources.

Usage
$ roxctl netpol connectivity map <folder_path> [flags] (1)
1 For <folder_path>, specify the path to the directory containing your Kubernetes deployment and service configuration files.
Table 3. Options
Option Description

--exposure

Enhance the analysis of permitted connectivity by using exposure analysis. The default value is false.

--fail

Fail on the first encountered error. The default value is false.

--focus-workload string

Focus on connections of the specified workload name in the output.

-f, --output-file string

Save the connections list output into a specific file.

-o, --output-format string

Configure the connections list in a specific format. Supported formats include txt, json, md, dot, and csv. The default value is txt.

--remove

Remove the output path if it already exists. The default value is false.

--save-to-file

Define whether you want to save the output of the connection list in the default file. The default value is false.

--strict

Treat warnings as errors. The default value is false.

roxctl netpol connectivity diff

Report connectivity differences based on two network policy directories and YAML manifests with workload resources.

Usage
$ roxctl netpol connectivity diff [flags]
Table 4. Options
Option Description

--dir1 string

Specify the first directory path of the input resources. This value is mandatory.

--dir2 string

Specify the second directory path of the input resources that you want to compare with the first directory path. This value is mandatory.

--fail

Fail on the first encountered error. The default value is false.

-f, --output-file string

Save the output of the connectivity difference command into a specific file.

-o, --output-format string

Configure the output of the connectivity difference command in a specific format. Supported formats include txt, md, and csv. The default value is txt.

--remove

Remove the output path if it already exists. The default value is false.

--save-to-file

Define whether you want to store the output of the connectivity differences in the default file. The default value is false.

--strict

Treat warnings as errors. The default value is false.