Display host firewall status in cilium status #14749

Closed
pchaigno opened this issue Jan 27, 2021 · 9 comments · Fixed by #17165
Labels
area/host-firewall Impacts the host firewall or the host endpoint. kind/feature This introduces new functionality. pinned These issues are not marked stale by our issue bot.

Comments

@pchaigno
Member

Before we move the host firewall out of beta, it would be good to have its status reported in cilium status. Ideally, we would also inherit its enforcement status (enabled/disabled/audit, ingress/egress) from the host endpoint. If the host firewall is disabled, we could print its status only in cilium status --verbose to reduce noise.

@pchaigno pchaigno added good-first-issue Good starting point for new developers, which requires minimal understanding of Cilium. kind/feature This introduces new functionality. area/host-firewall Impacts the host firewall or the host endpoint. labels Jan 27, 2021
@AnishShah
Contributor

I would like to work on this.

@pchaigno
Member Author

@AnishShah I've assigned you. Don't hesitate to reach out on Slack/#development or here if you have any questions.

@AnishShah
Contributor

Any idea where we implement the GetHealthz call?

if resp, err := client.Daemon.GetHealthz(params); err != nil {

@pchaigno
Member Author

pchaigno commented Feb 5, 2021

I would say here:

func (a *Client) GetHealthz(params *GetHealthzParams) (*GetHealthzOK, error) {

It might be easier to tackle this issue by looking for a commit that implemented a similar feature though. Commit c285ca0, for example, added the host routing status.

@AnishShah
Contributor

Thanks @pchaigno. That was helpful.

> Ideally, we would also inherit its enforcement status (enabled/disabled/audit, ingress/egress) from the host endpoint

Any idea how I fetch this information? options.Config.EnableHostFirewall will tell me whether enforcement status is enabled or disabled. What about audit, ingress, egress?

@pchaigno
Member Author

pchaigno commented Feb 5, 2021

> > Ideally, we would also inherit its enforcement status (enabled/disabled/audit, ingress/egress) from the host endpoint
>
> Any idea how I fetch this information? options.Config.EnableHostFirewall will tell me whether enforcement status is enabled or disabled. What about audit, ingress, egress?

I'm not sure exactly, but it should be possible given cilium endpoint list and cilium endpoint get -l reverse:host have this information. Maybe see:

	params := endpointApi.NewGetEndpointParams().WithLabels(lbls).WithTimeout(api.ClientTimeout)
	result, err := client.Endpoint.GetEndpoint(params)
	if err != nil {
		Fatalf("Cannot get endpoints for given list of labels %s: %s\n", lbls, err)
	}
	endpointInst = result.Payload
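
Added example, not part of the thread and not Cilium's own code: one way the text shown for the host firewall could be derived from the enable flag together with the host endpoint's enforcement mode, as discussed above. The helper name `hostFirewallStatus`, the JSON field names, the `reserved:host` label, the `audit-` mode prefix and the sample data are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Fields read here; layout assumed from `cilium endpoint get -o json`.
type endpoint struct {
	Status struct {
		Labels struct {
			SecurityRelevant []string `json:"security-relevant"`
		} `json:"labels"`
		Policy struct {
			Realized struct {
				PolicyEnabled string `json:"policy-enabled"`
			} `json:"realized"`
		} `json:"policy"`
	} `json:"status"`
}
// Constructed sample: a pod endpoint, then the host endpoint in audit mode.
const sample = `[
 {"status":{"labels":{"security-relevant":["k8s:app=web"]},"policy":{"realized":{"policy-enabled":"both"}}}},
 {"status":{"labels":{"security-relevant":["reserved:host"]},"policy":{"realized":{"policy-enabled":"audit-ingress"}}}}]`
// hostFirewallStatus (hypothetical helper) derives the text to display.
func hostFirewallStatus(enabled bool, endpointsJSON []byte) (string, error) {
	if !enabled {
		return "Disabled", nil
	}
	var eps []endpoint
	if err := json.Unmarshal(endpointsJSON, &eps); err != nil {
		return "", err
	}
	for _, ep := range eps {
		// Exact label match, whatever other labels the endpoint carries.
		labels := "," + strings.Join(ep.Status.Labels.SecurityRelevant, ",") + ","
		if !strings.Contains(labels, ",reserved:host,") {
			continue // not the host endpoint
		}
		mode := ep.Status.Policy.Realized.PolicyEnabled
		if dir := strings.TrimPrefix(mode, "audit-"); dir != mode {
			return "Audit (" + dir + ")", nil // policy evaluated, not enforced
		}
		return "Enabled (" + mode + ")", nil
	}
	return "", fmt.Errorf("host endpoint (reserved:host) not found")
}

func main() { fmt.Println(hostFirewallStatus(true, []byte(sample))) }
```

Reporting audit mode separately matters because a host firewall in audit mode logs policy verdicts without dropping traffic, so a plain "Enabled" would overstate the protection in place.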

@pchaigno
Member Author

@AnishShah Are you still working on this? I'd like to get it in 1.10, but can take care of it if you're on other things.

@pchaigno pchaigno added release-blocker/1.10 and removed good-first-issue Good starting point for new developers, which requires minimal understanding of Cilium. labels Mar 25, 2021
@AnishShah
Contributor

Sorry @pchaigno. I was not able to make progress on this. Please unassign me.

@stale

stale bot commented Jun 20, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. label Jun 20, 2021
@pchaigno pchaigno added pinned These issues are not marked stale by our issue bot. and removed stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale. labels Jun 21, 2021
@pchaigno pchaigno self-assigned this Aug 16, 2021