feat: Kubernetes network policy

zeroc0d3 · zeroc0d3 · commit 8fddbd6acbca · 2026-03-20T18:44:42.000+07:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -110,6 +110,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Fixed
 
+- **Default endpoint config** (`configs/tfo-agent.yaml`): Corrected default `TELEMETRYFLOW_ENDPOINT` from `http://localhost:3000/api/v2/monitoring` to `http://localhost:3000/api/v2` — aligns with all Kubernetes Helm templates, Docker Compose, and platform config files which consistently use `/api/v2` as base URL. Agent API paths already include `/monitoring/` prefix, so the previous default caused double `/monitoring` when using the built-in fallback
 - **Config env var expansion** (`internal/config/loader.go`): Viper-based config loader now calls `os.ExpandEnv()` on YAML content before parsing, resolving `${VAR}` placeholders in config values (e.g., `${NODE_IP}` in cAdvisor endpoint). Previously, env var references in config values were passed as literal strings, causing URL parse failures
 - **cAdvisor kubelet HTTPS** (`internal/collector/cadvisor/cadvisor.go`): HTTP client now respects `insecure_skip_verify` config and includes ServiceAccount bearer token in requests. Previously, HTTPS kubelet endpoints failed with `x509: certificate signed by unknown authority` and `403 Forbidden`
 - **cAdvisor Prometheus parser** (`internal/collector/cadvisor/cadvisor.go`): Switched to `LegacyValidation` parser to support traditional `container_*` and `machine_*` metric names; optional `metric_names` allowlist for selective collection
diff --git a/configs/tfo-agent.yaml b/configs/tfo-agent.yaml
@@ -14,7 +14,7 @@
 #   TELEMETRYFLOW_API_KEY_SECRET  - API Key Secret for authentication (format: tfs_xxx)
 #   TELEMETRYFLOW_ENDPOINT        - TFO backend base URL
 #                                     gRPC:  tfo-collector:4317
-#                                     HTTP:  http://tfo-backend:3000/api/v2/monitoring
+#                                     HTTP:  http://tfo-backend:3000/api/v2
 #   TELEMETRYFLOW_AGENT_ID        - Unique agent ID (optional, auto-generated if unset)
 #   TELEMETRYFLOW_AGENT_NAME      - Human-readable agent name (optional)
 #   TELEMETRYFLOW_ENVIRONMENT     - Deployment environment tag, e.g. production (optional)
@@ -26,7 +26,7 @@
 # Example .env file:
 #   TELEMETRYFLOW_API_KEY_ID=tfk_your_key_id
 #   TELEMETRYFLOW_API_KEY_SECRET=tfs_your_key_secret
-#   TELEMETRYFLOW_ENDPOINT=http://tfo-backend:3000/api/v2/monitoring   # HTTP mode
+#   TELEMETRYFLOW_ENDPOINT=http://tfo-backend:3000/api/v2   # HTTP mode
 #   # TELEMETRYFLOW_ENDPOINT=tfo-collector:4317                        # gRPC mode
 #
 # =============================================================================
@@ -42,10 +42,10 @@ telemetryflow:
   api_key_secret: "${TELEMETRYFLOW_API_KEY_SECRET}"
   # TFO backend endpoint — format depends on protocol:
   #   grpc: bare host:port     (e.g., tfo-collector:4317)
-  #   http: full HTTP base URL (e.g., http://tfo-backend:3000/api/v2/monitoring)
+  #   http: full HTTP base URL (e.g., http://tfo-backend:3000/api/v2)
   # Used for agent heartbeat/registration and as OTLP base URL when no
   # per-signal endpoint override is configured in exporter.otlp.*.endpoint.
-  endpoint: "${TELEMETRYFLOW_ENDPOINT:-http://localhost:3000/api/v2/monitoring}"
+  endpoint: "${TELEMETRYFLOW_ENDPOINT:-http://localhost:3000/api/v2}"
   # Protocol: grpc (OTLP native) or http (REST + OTLP/HTTP)
   protocol: http
   # TLS settings for backend connection
diff --git a/internal/collector/kubernetes/kubernetes.go b/internal/collector/kubernetes/kubernetes.go
@@ -267,6 +267,17 @@ func (k *KubernetesCollector) Collect(ctx context.Context) ([]collector.Metric,
 		}
 	}
 
+	// --- Network Policies ---
+	{
+		npMetrics, nps, err := collectNetworkPolicies(ctx, k.clientset, k.cfg, k.cfg.ClusterName)
+		if err != nil {
+			k.logger.Warn("Failed to collect network policy state", zap.Error(err))
+		} else {
+			allMetrics = append(allMetrics, npMetrics...)
+			state.NetworkPolicies = nps
+		}
+	}
+
 	// --- Events ---
 	if k.cfg.Events {
 		metrics, events, err := collectEvents(ctx, k.clientset, k.cfg, k.cfg.ClusterName)
diff --git a/internal/collector/kubernetes/network_policies.go b/internal/collector/kubernetes/network_policies.go
@@ -0,0 +1,178 @@
+// Package kubernetes collects resource and performance metrics from a Kubernetes
+// cluster via the API server and Kubelet stats endpoints, covering nodes, pods,
+// deployments, services, namespaces, storage, network policies, HPAs, PDBs,
+// workload controllers, events, and pod logs.
+//
+// TelemetryFlow Agent - Community Enterprise Observability Platform
+// Copyright (c) 2024-2026 TelemetryFlow. All rights reserved.
+// Open Source Software built by DevOpsCorner Indonesia.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package kubernetes
+
+import (
+	"context"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
+
+	"github.com/telemetryflow/telemetryflow-agent/internal/collector"
+)
+
+// collectNetworkPolicies gathers Kubernetes NetworkPolicy resources.
+func collectNetworkPolicies(
+	ctx context.Context,
+	cs kubernetes.Interface,
+	cfg Config,
+	cluster string,
+) ([]collector.Metric, []NetworkPolicyState, error) {
+	npList, err := cs.NetworkingV1().NetworkPolicies("").List(ctx, metav1.ListOptions{})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	var metrics []collector.Metric
+	var states []NetworkPolicyState
+	nsCounts := make(map[string]int)
+
+	for i := range npList.Items {
+		np := &npList.Items[i]
+
+		if !cfg.shouldCollectNamespace(np.Namespace) {
+			continue
+		}
+
+		nsCounts[np.Namespace]++
+
+		// Policy types
+		var policyTypes []string
+		for _, pt := range np.Spec.PolicyTypes {
+			policyTypes = append(policyTypes, string(pt))
+		}
+
+		// Pod selector (which pods this policy applies to)
+		podSelector := make(map[string]string)
+		for k, v := range np.Spec.PodSelector.MatchLabels {
+			podSelector[k] = v
+		}
+
+		// Ingress rules count
+		ingressRuleCount := len(np.Spec.Ingress)
+
+		// Egress rules count
+		egressRuleCount := len(np.Spec.Egress)
+
+		// Build ingress rules detail
+		var ingressRules []NetworkPolicyRule
+		for _, rule := range np.Spec.Ingress {
+			var ports []NetworkPolicyPort
+			for _, p := range rule.Ports {
+				npp := NetworkPolicyPort{
+					Protocol: "TCP",
+				}
+				if p.Protocol != nil {
+					npp.Protocol = string(*p.Protocol)
+				}
+				if p.Port != nil {
+					npp.Port = p.Port.String()
+				}
+				ports = append(ports, npp)
+			}
+			var fromPeers []NetworkPolicyPeer
+			for _, from := range rule.From {
+				peer := NetworkPolicyPeer{}
+				if from.PodSelector != nil {
+					peer.PodSelector = from.PodSelector.MatchLabels
+				}
+				if from.NamespaceSelector != nil {
+					peer.NamespaceSelector = from.NamespaceSelector.MatchLabels
+				}
+				if from.IPBlock != nil {
+					peer.IPBlock = &NetworkPolicyIPBlock{
+						CIDR:   from.IPBlock.CIDR,
+						Except: from.IPBlock.Except,
+					}
+				}
+				fromPeers = append(fromPeers, peer)
+			}
+			ingressRules = append(ingressRules, NetworkPolicyRule{
+				Ports: ports,
+				Peers: fromPeers,
+			})
+		}
+
+		// Build egress rules detail
+		var egressRules []NetworkPolicyRule
+		for _, rule := range np.Spec.Egress {
+			var ports []NetworkPolicyPort
+			for _, p := range rule.Ports {
+				npp := NetworkPolicyPort{
+					Protocol: "TCP",
+				}
+				if p.Protocol != nil {
+					npp.Protocol = string(*p.Protocol)
+				}
+				if p.Port != nil {
+					npp.Port = p.Port.String()
+				}
+				ports = append(ports, npp)
+			}
+			var toPeers []NetworkPolicyPeer
+			for _, to := range rule.To {
+				peer := NetworkPolicyPeer{}
+				if to.PodSelector != nil {
+					peer.PodSelector = to.PodSelector.MatchLabels
+				}
+				if to.NamespaceSelector != nil {
+					peer.NamespaceSelector = to.NamespaceSelector.MatchLabels
+				}
+				if to.IPBlock != nil {
+					peer.IPBlock = &NetworkPolicyIPBlock{
+						CIDR:   to.IPBlock.CIDR,
+						Except: to.IPBlock.Except,
+					}
+				}
+				toPeers = append(toPeers, peer)
+			}
+			egressRules = append(egressRules, NetworkPolicyRule{
+				Ports: ports,
+				Peers: toPeers,
+			})
+		}
+
+		states = append(states, NetworkPolicyState{
+			Name:             np.Name,
+			Namespace:        np.Namespace,
+			PolicyTypes:      policyTypes,
+			PodSelector:      podSelector,
+			IngressRuleCount: ingressRuleCount,
+			EgressRuleCount:  egressRuleCount,
+			IngressRules:     ingressRules,
+			EgressRules:      egressRules,
+			Labels:           np.Labels,
+			CreatedAt:        np.CreationTimestamp.UnixMilli(),
+		})
+	}
+
+	// Metrics: network policy count per namespace
+	for ns, count := range nsCounts {
+		metrics = append(metrics,
+			collector.NewMetric("k8s.networkpolicy.count", float64(count), collector.MetricTypeGauge).
+				WithLabel("cluster", cluster).
+				WithLabel("namespace", ns).
+				WithDescription("NetworkPolicy count per namespace"),
+		)
+	}
+
+	return metrics, states, nil
+}
diff --git a/internal/collector/kubernetes/types.go b/internal/collector/kubernetes/types.go
@@ -39,6 +39,7 @@ type ClusterState struct {
 	Services         []ServiceState          `json:"services,omitempty"`
 	Endpoints        []EndpointState         `json:"endpoints,omitempty"`
 	Ingresses        []IngressState          `json:"ingresses,omitempty"`
+	NetworkPolicies  []NetworkPolicyState    `json:"network_policies,omitempty"`
 	PVs              []PVState               `json:"pvs,omitempty"`
 	PVCs             []PVCState              `json:"pvcs,omitempty"`
 	Events           []EventState            `json:"events,omitempty"`
@@ -411,6 +412,45 @@ type EventState struct {
 	LastTimestamp  int64  `json:"last_timestamp"`  // Unix millis
 }
 
+// NetworkPolicyState represents a Kubernetes NetworkPolicy resource.
+type NetworkPolicyState struct {
+	Name             string              `json:"name"`
+	Namespace        string              `json:"namespace"`
+	PolicyTypes      []string            `json:"policy_types,omitempty"` // Ingress, Egress
+	PodSelector      map[string]string   `json:"pod_selector,omitempty"`
+	IngressRuleCount int                 `json:"ingress_rule_count"`
+	EgressRuleCount  int                 `json:"egress_rule_count"`
+	IngressRules     []NetworkPolicyRule `json:"ingress_rules,omitempty"`
+	EgressRules      []NetworkPolicyRule `json:"egress_rules,omitempty"`
+	Labels           map[string]string   `json:"labels,omitempty"`
+	CreatedAt        int64               `json:"created_at,omitempty"` // Unix millis
+}
+
+// NetworkPolicyRule represents a single ingress or egress rule.
+type NetworkPolicyRule struct {
+	Ports []NetworkPolicyPort `json:"ports,omitempty"`
+	Peers []NetworkPolicyPeer `json:"peers,omitempty"`
+}
+
+// NetworkPolicyPort represents a port allowed by a network policy.
+type NetworkPolicyPort struct {
+	Protocol string `json:"protocol"`
+	Port     string `json:"port,omitempty"` // port number or named port
+}
+
+// NetworkPolicyPeer represents a source/destination peer in a network policy.
+type NetworkPolicyPeer struct {
+	PodSelector       map[string]string     `json:"pod_selector,omitempty"`
+	NamespaceSelector map[string]string     `json:"namespace_selector,omitempty"`
+	IPBlock           *NetworkPolicyIPBlock `json:"ip_block,omitempty"`
+}
+
+// NetworkPolicyIPBlock represents a CIDR block in a network policy.
+type NetworkPolicyIPBlock struct {
+	CIDR   string   `json:"cidr"`
+	Except []string `json:"except,omitempty"`
+}
+
 // ResourceCounts holds per-namespace resource counts for the overview dashboard.
 type ResourceCounts struct {
 	Secrets    map[string]int `json:"secrets,omitempty"`
diff --git a/internal/exporter/network_flows.go b/internal/exporter/network_flows.go
