Contributor Guide

Architecture guide

Netchecks runs in Kubernetes as an operator. Since v0.7.0, the operator is implemented in Rust using kube-rs 3.0. It runs as a minimal distroless container based on chainguard/static.

The netchecks operator:

  • Watches for NetworkAssertion resources across the cluster and reconciles CronJobs (or Jobs) for each of them. CronJobs are tracked via .owns(cronjobs) so changes are automatically detected.
  • Probe pods are created by the CronJob and run the tests that make up a particular network assertion. External data may be mounted into the Pod for use by the probe.
  • Parses assertion results from completed probe Pod logs.
  • Creates and updates PolicyReport resources for each NetworkAssertion in response to the assertion results.
  • Writes status conditions back to NetworkAssertion resources to reflect reconciliation state.
  • Exposes health endpoints (/livez, /readyz) for liveness and readiness probes.
  • Uses structured JSON logging via the tracing crate, with optional OTLP metrics export.

Each probe pod uses the netchecks docker image to run the tests that make up a particular network assertion.
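The two steps in the list above that carry the most logic are parsing the probe Pod's structured JSON output and turning it into a PolicyReport. The example below is an added illustration, not the operator's own Rust code: it assumes a constructed probe log format (one JSON object per line with "name", "type", "status" and "message" keys), which is not necessarily what the netchecks probe image emits, and maps it onto the wgpolicyk8s.io/v1alpha2 PolicyReport shape. Non-JSON lines (interpreter warnings, tracebacks) are skipped, and any unknown status is recorded as "error" rather than being allowed to count as a pass.

```python
"""Parse probe Pod log lines and build a PolicyReport (added example)."""
import json
from collections import Counter

# Constructed sample log: a hypothetical probe-output format, not the real one.
SAMPLE_PROBE_LOG = """\
{"name": "dns-cloudflare", "type": "dns", "status": "pass", "message": "resolved via 1.1.1.1"}
{"name": "http-example", "type": "http", "status": "fail", "message": "expected 200, got 503"}
WARNING: some non-JSON diagnostic line emitted by the probe runtime
{"name": "tcp-db", "type": "tcp", "status": "bogus", "message": "connection refused"}
"""

# Result values permitted by the PolicyReport (wgpolicyk8s.io/v1alpha2) schema.
VALID_RESULTS = ("pass", "fail", "warn", "error", "skip")


def parse_probe_log(log_text, assertion_name):
    """Return a list of PolicyReport result entries parsed from probe log lines.

    Lines that are not JSON are ignored. A missing or unrecognised status is
    downgraded to "error" so that a malformed record never reads as a pass.
    """
    results = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # diagnostic noise, not a probe result
        if not isinstance(record, dict):
            continue
        status = str(record.get("status", "error")).lower()
        if status not in VALID_RESULTS:
            status = "error"
        results.append({
            "policy": assertion_name,            # the NetworkAssertion being reported on
            "rule": str(record.get("name", "unnamed")),
            "category": str(record.get("type", "unknown")),
            "result": status,
            "message": str(record.get("message", "")),
            "source": "netchecks",
        })
    return results


def build_policy_report(assertion_name, namespace, results):
    """Assemble a PolicyReport manifest with a summary derived from the results."""
    counts = Counter(r["result"] for r in results)
    return {
        "apiVersion": "wgpolicyk8s.io/v1alpha2",
        "kind": "PolicyReport",
        "metadata": {
            "name": assertion_name,
            "namespace": namespace,
            # Hypothetical label; the operator's actual labels may differ.
            "labels": {"app.kubernetes.io/managed-by": "netchecks"},
        },
        "summary": {k: counts.get(k, 0) for k in VALID_RESULTS},
        "results": results,
    }


def report_from_log(log_text, assertion_name="example-assertion", namespace="default"):
    """Convenience wrapper: log text in, PolicyReport dict out."""
    return build_policy_report(assertion_name, namespace,
                               parse_probe_log(log_text, assertion_name))


if __name__ == "__main__":
    print(json.dumps(report_from_log(SAMPLE_PROBE_LOG), indent=2))
```

Running the module prints the report as JSON; in the real operator the equivalent object would be applied through the Kubernetes API and the NetworkAssertion's status conditions updated alongside it.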

Netchecks high-level lifecycle

The operator watches NetworkAssertions, schedules probe jobs, collects results, and publishes PolicyReports.

The architecture diagram, as text:

External services (probe targets, outside the cluster)

  • DNS: e.g. CloudFlare, Google
  • HTTP endpoints: externally hosted services
  • TCP services: arbitrary host:port targets

Kubernetes cluster

  • Kubernetes API resources:
      • NetworkAssertion: custom resource defining tests
      • CronJob / Job: scheduled probe execution
      • PolicyReport: assertion results per resource
  • Operator (netchecks-operator):
      • Watches NetworkAssertion resources
      • Creates CronJobs (or Jobs) for each assertion
      • Parses results from probe Pod logs
      • Creates and updates PolicyReport resources
  • Probe (netchecks probe pod):
      • Runs DNS, HTTP, and TCP probes
      • Validates responses with CEL expressions
      • Mounts external data (Secrets, ConfigMaps)
      • Outputs structured JSON results

Policy Reporter (optional): exposes metrics, dashboards, and notifications from PolicyReport resources

  • Prometheus metrics: scrape PolicyReport status
  • Grafana dashboards: visualize assertion results
  • Alerts & notifications: Slack, email, webhooks


The netchecks probe image is based on the python:3.12-slim-bookworm image.

Kyverno's PolicyReporter is optionally installed alongside Netchecks to provide a convenient way to expose metrics, view the results, and generate notifications.
