
/audit-network

The /audit-network skill looks for broken or missing pieces in cluster networking: NetworkPolicy instances that don’t match anything, Service instances with no endpoints, Ingress and GatewayAPI routes that won’t resolve, DNS problems, and workloads talking in plaintext when a mesh is available.

Run it without arguments for a full sweep, or name a workflow to scope the report.

/audit-network # full sweep
/audit-network policies # single workflow
/audit-network ingress in prod

Natural-language scoping (namespaces, label selectors, workload names) is supported on every workflow (see Overview).
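As an added example (not code from the /audit-network skill or its project), the following implements the two Kubernetes API checks the sweep describes, "NetworkPolicy instances that don't match anything" and "Service instances with no endpoints", over constructed objects shaped like `kubectl get -o json` output. It reproduces Kubernetes label-selector semantics (matchLabels plus matchExpressions, empty selector selects everything) rather than the simplified equality match a quick script would use, skips Services that have no selector (ExternalName or manually managed endpoints), and reports evidence alongside each verdict. The sample pods, policies and services, and the finding shape, are constructed assumptions.

```python
"""Added example: NetworkPolicy and Service endpoint checks over constructed
Kubernetes objects. Not part of the /audit-network skill itself."""
from __future__ import annotations


def _expr_matches(labels: dict, expr: dict) -> bool:
    """One matchExpressions entry, with Kubernetes semantics for absent keys."""
    key, op = expr["key"], expr["operator"]
    values = set(expr.get("values", []))
    if op == "In":
        return labels.get(key) in values          # absent key never satisfies In
    if op == "NotIn":
        return labels.get(key) not in values      # absent key satisfies NotIn
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown selector operator {op!r}")


def selector_matches(selector: dict, labels: dict) -> bool:
    """Full LabelSelector: every matchLabels pair and every matchExpressions
    entry must hold. An empty selector matches every pod in the namespace."""
    for k, v in selector.get("matchLabels", {}).items():
        if labels.get(k) != v:
            return False
    return all(_expr_matches(labels, e) for e in selector.get("matchExpressions", []))


def pod_is_ready(pod: dict) -> bool:
    """EndpointSlices only list Ready pods, so readiness decides 'has endpoints'."""
    for cond in pod.get("status", {}).get("conditions", []):
        if cond.get("type") == "Ready":
            return cond.get("status") == "True"
    return False


def _pods_in(pods: list, namespace: str) -> list:
    return [p for p in pods if p["metadata"]["namespace"] == namespace]


def audit_network_policies(policies: list, pods: list) -> list:
    """Flag NetworkPolicy objects whose podSelector selects no pod in its namespace."""
    findings = []
    for pol in policies:
        ns, name = pol["metadata"]["namespace"], pol["metadata"]["name"]
        sel = pol["spec"].get("podSelector", {})
        hits = [p["metadata"]["name"] for p in _pods_in(pods, ns)
                if selector_matches(sel, p["metadata"].get("labels", {}))]
        if not hits:
            findings.append({"workflow": "policies", "kind": "NetworkPolicy",
                             "name": f"{ns}/{name}", "verdict": "selects no pods",
                             "evidence": {"podSelector": sel}})
    return findings


def audit_services(services: list, pods: list) -> list:
    """Flag Services whose selector yields no Ready pod (hence no endpoints)."""
    findings = []
    for svc in services:
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        sel = svc["spec"].get("selector")
        if not sel:
            continue  # ExternalName / manual Endpoints: nothing to compare against
        matched = [p for p in _pods_in(pods, ns)
                   if selector_matches({"matchLabels": sel}, p["metadata"].get("labels", {}))]
        ready = [p["metadata"]["name"] for p in matched if pod_is_ready(p)]
        if not ready:
            findings.append({"workflow": "services", "kind": "Service",
                             "name": f"{ns}/{name}", "verdict": "no ready endpoints",
                             "evidence": {"selector": sel,
                                          "matchedPods": [p["metadata"]["name"] for p in matched],
                                          "readyPods": ready}})
    return findings


# Constructed sample cluster state (assumption, not real cluster data).
SAMPLE_PODS = [
    {"metadata": {"namespace": "prod", "name": "api-0", "labels": {"app": "api", "tier": "backend"}},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "prod", "name": "web-0", "labels": {"app": "web"}},
     "status": {"conditions": [{"type": "Ready", "status": "False"}]}},
]
SAMPLE_POLICIES = [
    {"metadata": {"namespace": "prod", "name": "allow-api"},
     "spec": {"podSelector": {"matchLabels": {"app": "api"}}}},
    {"metadata": {"namespace": "prod", "name": "deny-legacy"},
     "spec": {"podSelector": {"matchLabels": {"app": "legacy"}}}},   # matches nothing
    {"metadata": {"namespace": "prod", "name": "default-deny"},
     "spec": {"podSelector": {}}},                                     # whole namespace
    {"metadata": {"namespace": "prod", "name": "backend-only"},
     "spec": {"podSelector": {"matchExpressions": [
         {"key": "tier", "operator": "In", "values": ["backend", "worker"]}]}}},
]
SAMPLE_SERVICES = [
    {"metadata": {"namespace": "prod", "name": "api"}, "spec": {"selector": {"app": "api"}}},
    {"metadata": {"namespace": "prod", "name": "web"}, "spec": {"selector": {"app": "web"}}},
    {"metadata": {"namespace": "prod", "name": "external"}, "spec": {"type": "ExternalName"}},
    {"metadata": {"namespace": "prod", "name": "db"}, "spec": {"selector": {"app": "db"}}},
]


def run_audit() -> list:
    """Findings grouped by workflow, policies first, each with its evidence."""
    return (audit_network_policies(SAMPLE_POLICIES, SAMPLE_PODS)
            + audit_services(SAMPLE_SERVICES, SAMPLE_PODS))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['workflow']}] {f['kind']} {f['name']}: {f['verdict']} {f['evidence']}")
```

On the sample state this reports `deny-legacy` (selects no pods), `web` (one matched pod, none Ready) and `db` (no matched pods); the `matchedPods` versus `readyPods` evidence distinguishes a wrong selector from a deployment whose pods are failing readiness, which are different root causes.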

Each check draws on the following sources, in the order the checks are listed above:

  • NetworkPolicy matching: Kubernetes API.
  • Service endpoints: Kubernetes API.
  • Ingress and Gateway API routes: Kubernetes API, including gateway.networking.k8s.io when the CRDs are installed.
  • DNS: the CoreDNS Deployment, its ConfigMap, and its Prometheus metrics when exposed.
  • Plaintext traffic where a mesh is available: Istio, Linkerd, or Cilium CRDs — only runs when one of these meshes is detected.

Beyond the workflows, the skill briefs the agent on how to scope and report:

  • Skip the mesh and Gateway API workflows unless the relevant CRDs are installed — absence is not a finding.
  • For TLS checks, note when Secret contents can’t be read due to RBAC rather than reporting a false “expired”.
  • For DNS active-probe checks, state the probe source (in-cluster pod used for resolution) so failures can be interpreted.
  • Group findings by workflow and include the evidence (selectors, endpoints, ConfigMap keys) rather than only the verdict.
  • Hand off to /logs for CoreDNS logs, or /investigate when a single workload is the root cause.