This page explains how to enable network policy logging in a GKE on-prem
user cluster and how to export logs. See Using network policy
logging to learn how to
configure which events are logged and how logs are formatted.
Overview
Network policies are Pod-level firewalls: they specify the network traffic that Pods are allowed to send and receive. Network policy logs record network policy events. You can log all events, or you can configure logging selectively based on the following criteria:
Allowed connections.
Denied connections.
Connections allowed by specific policies.
Denied connections to Pods in specific namespaces.
Before you begin
Network policy logging is supported in user clusters that use Dataplane V2. You can enable Dataplane V2 when creating a new user cluster by using the enableDataplaneV2 field in the user cluster configuration file.
Enabling logging
Network policy logging is not enabled by default. For information on enabling
logging and selecting which events to log, see Configuring network policy
logging.
Accessing logs
The network policy logs generated on each cluster node are available locally on the cluster nodes at /var/log/network/policy_actionTIMESTAMP.log, where TIMESTAMP is the timestamp of the file. A new timestamped log file is created when the current log file reaches 10 MB. Up to five previous log files are stored.
Exporting logs
We recommend you use Fluent Bit to export logs from your cluster nodes. Fluent Bit is an open source log processor and forwarder that supports exporting to Cloud Logging and many other data sinks.
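As an added example that is not part of this page or of the GKE on-prem product, the following Fluent Bit classic configuration tails the node-local policy log files described above, including the rotated timestamped ones, and forwards them to Cloud Logging. It assumes Fluent Bit runs on every node with the host's /var/log mounted, and YOUR_PROJECT_ID and the credentials path are placeholders to replace; log lines are forwarded unparsed because their format is documented on the separate network policy logging page.

```ini
# Added example: Fluent Bit config for exporting GKE on-prem network policy logs.
# Assumptions: Fluent Bit runs on each node (for example as a DaemonSet with the
# host's /var/log mounted); YOUR_PROJECT_ID and the credentials path are placeholders.
[SERVICE]
    Flush         5
    Log_Level     info

[INPUT]
    Name              tail
    # The glob matches the current file and the rotated, timestamped files.
    Path              /var/log/network/policy_action*.log
    Tag               network-policy
    # Persist read offsets so a restart neither replays nor skips records.
    DB                /var/log/fluent-bit-network-policy.db
    # Discover newly created timestamped files within 10 seconds.
    Refresh_Interval  10
    # Keep a rotated file open for 30 s so its final lines are not lost.
    Rotate_Wait       30
    Mem_Buf_Limit     10MB
    Skip_Long_Lines   On

[FILTER]
    Name    record_modifier
    Match   network-policy
    # Stamp each record with the node it came from (HOSTNAME from the environment).
    Record  node_name ${HOSTNAME}

[OUTPUT]
    Name                        stackdriver
    Match                       network-policy
    google_service_credentials  /etc/fluent-bit/cloud-logging-key.json
    project_id                  YOUR_PROJECT_ID
    resource                    global
```

The service account behind the credentials file only needs permission to write log entries; keep the key file readable by the Fluent Bit process alone.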
Last updated 2025-03-25 UTC.