
docs: Policy Audit Mode improvements #23591

Conversation

kaworu
Member

@kaworu kaworu commented Feb 6, 2023

  • Scale down the deathstar Deployment to one so that it's easier to observe ingoing flows (as there is only one backend to the service and thus one node to observe from) and enable Policy Audit Mode for a specific endpoint.
  • Check that Policy Audit Mode is enabled/disabled using cilium endpoint get.
  • Use Hubble to observe instead of cilium monitor, and check the verdict once Policy Audit Mode is disabled.
  • Add the empire-default-deny CNP to the cleanup section.
  • Misc improvements / rewording on the way.
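The verdict check described in the last bullets can be automated against the JSON-lines output of `hubble observe -o json`. The following is an added example, not code from this PR or from Cilium: it assumes each record carries the verdict at `flow.verdict` and the destination Pod at `flow.destination.pod_name`, and the three flow records embedded below are constructed sample input. An `AUDIT` verdict means the policy decision was only logged, not enforced, so seeing one after audit mode was supposedly disabled is the signal worth catching.

```python
"""Summarise Hubble flow verdicts per destination Pod and flag endpoints that
still emit AUDIT verdicts (i.e. Policy Audit Mode is still enabled there)."""
import json
from collections import Counter

# Constructed sample of `hubble observe -o json` lines (field layout assumed).
SAMPLE_FLOWS = """\
{"flow":{"verdict":"AUDIT","destination":{"namespace":"default","pod_name":"deathstar-6f87cd4f6b-xyz12"},"Summary":"TCP Flags: SYN"}}
{"flow":{"verdict":"FORWARDED","destination":{"namespace":"default","pod_name":"deathstar-6f87cd4f6b-xyz12"},"Summary":"TCP Flags: SYN"}}
{"flow":{"verdict":"DROPPED","destination":{"namespace":"default","pod_name":"deathstar-6f87cd4f6b-xyz12"},"Summary":"Policy denied"}}
"""


def verdicts_by_destination(jsonl: str) -> dict[str, Counter]:
    """Return {namespace/pod_name: Counter(verdict -> count)} over all flow lines."""
    out: dict[str, Counter] = {}
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line).get("flow", {})
        dst = flow.get("destination", {})
        key = f"{dst.get('namespace', '?')}/{dst.get('pod_name', '?')}"
        out.setdefault(key, Counter())[flow.get("verdict", "UNKNOWN")] += 1
    return out


def audit_mode_suspected(jsonl: str, pod_prefix: str) -> bool:
    """True if any flow towards a Pod whose name starts with pod_prefix has an
    AUDIT verdict: policy is being logged rather than enforced on that endpoint."""
    for key, counts in verdicts_by_destination(jsonl).items():
        pod_name = key.split("/", 1)[1]
        if pod_name.startswith(pod_prefix) and counts["AUDIT"]:
            return True
    return False


if __name__ == "__main__":
    for dest, counts in verdicts_by_destination(SAMPLE_FLOWS).items():
        print(dest, dict(counts))
    print("audit mode still on for deathstar:",
          audit_mode_suspected(SAMPLE_FLOWS, "deathstar"))
```

After disabling audit mode and re-running the request, a correct configuration shows `DROPPED` (or `FORWARDED`) verdicts only; any remaining `AUDIT` entry means the endpoint was not switched back.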

@kaworu kaworu added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. labels Feb 6, 2023
@kaworu kaworu requested review from a team as code owners February 6, 2023 13:13
@kaworu kaworu force-pushed the pr/kaworu/doc/enable-policy-audit-mode-specific-endpoint-fix branch from 1ddfaa5 to b94f98d Compare February 6, 2023 13:17
Member

@qmonnet qmonnet left a comment


Looks good to me. It's surprisingly complex to run the command on all Pods from the Deployment (but I don't know how to shorten it). Although, I'm somewhat disappointed to see there's no awk involved here :).

@kaworu
Member Author

kaworu commented Feb 6, 2023

It's surprisingly complex to run the command on all Pods from the Deployment (but I don't know how to shorten it).

For this particular guide, I think we should scale the deathstar svc to 1 Pod. Then, we wouldn't need to loop through the deathstar endpoints to enable/disable Policy Audit Mode and also we wouldn't need to worry about which cilium Pod to exec into for hubble observe. What do you think? @qmonnet

@qmonnet
Member

qmonnet commented Feb 6, 2023

Yes, I think that's a good idea.

@kaworu kaworu force-pushed the pr/kaworu/doc/enable-policy-audit-mode-specific-endpoint-fix branch from b94f98d to a139bda Compare February 7, 2023 13:56
@kaworu kaworu requested a review from qmonnet February 7, 2023 13:56
@kaworu
Member Author

kaworu commented Feb 7, 2023

@qmonnet made many improvements on the way, please take another look and let me know if you think the commits should be squashed 🙏

Member

@qmonnet qmonnet left a comment


@qmonnet made many improvements on the way, please take another look and let me know if you think the commits should be squashed 🙏

Looks good! Yes, ideally squashing or reorganising the commits would be good, so we don't add this for loop only to remove it two commits later.

* Scale down the deathstar Deployment to one so that it's easier to
  observe ingoing flows (as there is only one backend to the service and
  thus one node to observe from) and enable Policy Audit Mode for a
  specific endpoint.
* Check that Policy Audit Mode is enabled/disabled using `cilium
  endpoint get`.
* Use Hubble to observe instead of cilium monitor, and check the verdict
  once Policy Audit Mode is disabled.
* Add the empire-default-deny CNP to the cleanup section.
* Misc improvements / rewording on the way.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
@kaworu kaworu force-pushed the pr/kaworu/doc/enable-policy-audit-mode-specific-endpoint-fix branch from a139bda to 47f454a Compare February 7, 2023 15:09
@kaworu kaworu changed the title docs: fix specific endpoint Policy Audit Mode docs: Policy Audit Mode improvements Feb 7, 2023
@pchaigno pchaigno merged commit 4c11183 into cilium:master Feb 8, 2023
@kaworu kaworu deleted the pr/kaworu/doc/enable-policy-audit-mode-specific-endpoint-fix branch February 8, 2023 18:22