calicoq
calicoq is the Calico Enterprise policy query utility. It is a command line tool that
makes it easy to check your Calico Enterprise security policies.
See Installing calicoq for
how to download and install calicoq.
Datastore configuration​
calicoq works by querying the Calico Enterprise datastore. For this configuration calicoq uses exactly the same
setup as calicoctl, which means that:
-
You can create a YAML or JSON config file, and specify that with
calicoq's-coption. This is the best option if you have already created that file for use withcalicoctl. -
Or you can set environment variables to specify the datastore type and location:
DATASTORE_TYPEand so on.
For more detail, see Configuring calicoq.
Commands​
The calicoq command line interface provides a number of policy inspection
commands to allow you to confirm that your security policies are configured
as intended.
- The endpoint command shows you the Calico Enterprise policies and profiles that relate to specified endpoints.
- The eval command displays the endpoints that a selector selects.
- The host command displays the policies and profiles that are relevant to all endpoints on a given host.
- The policy command shows the endpoints that are relevant to a given policy.
- The version command displays the version of the tool.
Overview of usage and options​
To access the help:
calicoq -h
The help output follows.
Calico query tool.
Usage:
calicoq [--debug] [--config=<config>] eval <selector>
calicoq [--debug] [--config=<config>] policy <policy-name> [--hide-selectors|-s] [--hide-rule-matches|-r]
calicoq [--debug] [--config=<config>] endpoint <substring> [--hide-selectors|-s] [--hide-rule-matches|-r]
calicoq [--debug] [--config=<config>] host <hostname> [--hide-selectors|-s] [--hide-rule-matches|-r]
calicoq [--debug] version
Description:
The calicoq command line tool is used to check Calico security policies.
calicoq eval <selector> is used to display the endpoints that are matched by <selector>.
calicoq policy <policy-name> shows the endpoints that are relevant to the named policy,
comprising:
- the endpoints that the policy applies to (for which ingress or egress traffic is policed
according to the rules in that policy)
- the endpoints that match the policy's rule selectors (that are allowed or disallowed as data
sources or destinations).
calicoq endpoint <substring> shows you the Calico policies and profiles that relate to endpoints
whose full ID includes <substring>.
calicoq host <hostname> shows you the endpoints that are hosted on <hostname> and all the Calico
policies and profiles that relate to those endpoints.
Notes:
When specifying a namespaced NetworkPolicy name, the namespace should also be included by
specifying the <policy-name> in the format "<namespace>/<policy-name>". If the namespace is
omitted it is assumed the name refers to a GlobalNetworkPolicy.
When a Calico policy is mapped from a Kubernetes resource, the name will be prefixed with
"knp.default". For example to query the Kubernetes NetworkPolicy "test-policy" in the Namespace
"demo-ns" use the following command:
calicoq policy demo-ns/knp.default.test-policy
For an endpoint, the full Calico ID is "<host>/<orchestrator>/<workload-name>/<endpoint-name>".
In the Kubernetes case "<orchestrator>" is always "k8s", "<workload-name>" is "<pod
namespace>.<pod name>", and "<endpoint-name>" is always "eth0".
Options:
-c <config> --config=<config> Path to the file containing connection
configuration in YAML or JSON format.
[default: /etc/calico/calicoctl.cfg]
-r --hide-rule-matches Don't show the list of policies and profiles whose
rule selectors match the specified endpoint (or an
endpoint on the specified host) as an allowed or
disallowed source/destination.
-s --hide-selectors Don't show the detailed selector expressions involved
(that cause each displayed policy or profile to apply to or match
various endpoints).
-d --debug Log debugging information to stderr.
-o <output> --output=<output> Output format. Either yaml, json, or ps.
[default: ps]