docs: Policy Audit Mode improvements #23591
Conversation
1ddfaa5 to b94f98d
Looks good to me. It's surprisingly complex to run the command on all Pods from the Deployment (but I don't know how to shorten it). Although, I'm somewhat disappointed to see there's no awk involved here :).
For this particular guide, I think we should scale the deathstar svc to 1 Pod. Then, we wouldn't need to loop through the deathstar endpoints to enable/disable Policy Audit Mode and also we wouldn't need to worry about which cilium Pod to exec into for
Yes, I think that's a good idea
b94f98d to a139bda
@qmonnet made many improvements on the way, please take another look and let me know if you think the commits should be squashed 🙏
> @qmonnet made many improvements on the way, please take another look and let me know if you think the commits should be squashed 🙏

Looks good! Yes, ideally squashing or reorganising the commits would be good, so we don't add this `for` loop to remove it two commits later.
* Scale down the deathstar Deployment to one so that it's easier to observe ingoing flows (as there is only one backend to the service and thus one node to observe from) and enable Policy Audit Mode for a specific endpoint.
* Check that Policy Audit Mode is enabled/disabled using `cilium endpoint get`.
* Use Hubble to observe instead of cilium monitor, and check the verdict once Policy Audit Mode is disabled.
* Add the empire-default-deny CNP to the cleanup section.
* Misc improvements / rewording on the way.

Signed-off-by: Alexandre Perrin <alex@isovalent.com>
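The procedure the commit message and the review above describe (scale deathstar to one replica so there is a single endpoint on a single node, set Policy Audit Mode on that endpoint from the one cilium agent Pod that matters, and read the option back with `cilium endpoint get`), as an added shell example. This is not code from the PR or from the Cilium project. It assumes the Star Wars demo runs in the `default` namespace with the label `class=deathstar`, that Cilium agents run in `kube-system` with the label `k8s-app=cilium`, and that the jsonpath selectors used for the agent's endpoint JSON match your Cilium version; all three are assumptions, not facts stated on this page.

```shell
#!/usr/bin/env bash
# Added example; not code from the Cilium PR or the Cilium docs. It walks the
# procedure the commit message describes: scale deathstar to one replica so
# there is a single endpoint on a single node, toggle Policy Audit Mode on
# that endpoint via the cilium agent, and read the option back with
# `cilium endpoint get`.
#
# Assumptions (not stated on the page): the Star Wars demo runs in the
# "default" namespace with label class=deathstar; Cilium agents run in
# kube-system with label k8s-app=cilium; the jsonpath selectors below match
# the agent's JSON layout for your Cilium version.
set -eu

NAMESPACE="${NAMESPACE:-default}"
CILIUM_NS="${CILIUM_NS:-kube-system}"

# The agent only understands these two values for PolicyAuditMode.
valid_audit_state() {
  case "$1" in
    Enabled|Disabled) return 0 ;;
    *) return 1 ;;
  esac
}

# jsonpath selecting the Cilium agent Pod scheduled on a given node.
cilium_pod_jsonpath() {
  printf '{.items[?(@.spec.nodeName=="%s")].metadata.name}' "$1"
}

# Compare the state read back from the endpoint with the requested one, so a
# silently ignored `endpoint config` call does not go unnoticed.
check_audit_state() {
  if [ "$1" = "$2" ]; then
    echo "PolicyAuditMode=$2 on endpoint (as requested)"
  else
    echo "expected PolicyAuditMode=$1 but endpoint reports '$2'" >&2
    return 1
  fi
}

# One backend behind the deathstar Service: one endpoint, one node, and
# therefore one cilium agent Pod to exec into (no loop over endpoints).
scale_deathstar_to_one() {
  kubectl -n "$NAMESPACE" scale deployment deathstar --replicas=1
  kubectl -n "$NAMESPACE" rollout status deployment deathstar
}

# Name of the cilium agent Pod on the node running the deathstar Pod.
cilium_pod_for_deathstar() {
  node=$(kubectl -n "$NAMESPACE" get pods -l class=deathstar \
           -o jsonpath='{.items[0].spec.nodeName}')
  kubectl -n "$CILIUM_NS" get pods -l k8s-app=cilium \
    -o jsonpath="$(cilium_pod_jsonpath "$node")"
}

# Endpoint id of the deathstar Pod as seen by that agent (the selector on the
# endpoint's security-relevant labels is an assumption; adjust if needed).
deathstar_endpoint_id() {
  kubectl -n "$CILIUM_NS" exec "$1" -- cilium endpoint list \
    -o jsonpath='{[?(@.status.labels.security-relevant[*]=="k8s:class=deathstar")].id}'
}

# Toggle Policy Audit Mode on one endpoint, then read the option back so the
# change is verified rather than assumed.
set_policy_audit_mode() {
  cilium_pod=$1; ep_id=$2; state=$3
  valid_audit_state "$state" || { echo "state must be Enabled or Disabled" >&2; return 1; }
  kubectl -n "$CILIUM_NS" exec "$cilium_pod" -- \
    cilium endpoint config "$ep_id" "PolicyAuditMode=$state"
  actual=$(kubectl -n "$CILIUM_NS" exec "$cilium_pod" -- \
    cilium endpoint get "$ep_id" -o jsonpath='{[0].spec.options.PolicyAuditMode}')
  check_audit_state "$state" "$actual"
}

# Policy-verdict flows reaching deathstar; in audit mode the verdict is AUDIT
# instead of DROPPED for traffic a policy would deny.
observe_deathstar_verdicts() {
  kubectl -n "$CILIUM_NS" exec "$1" -- \
    hubble observe --type policy-verdict --to-pod "$NAMESPACE/deathstar" --last 5
}

# Usage: ./policy-audit.sh Enabled|Disabled
if [ "${1:-}" != "" ]; then
  scale_deathstar_to_one
  CILIUM_POD=$(cilium_pod_for_deathstar)
  EP_ID=$(deathstar_endpoint_id "$CILIUM_POD")
  set_policy_audit_mode "$CILIUM_POD" "$EP_ID" "$1"
  observe_deathstar_verdicts "$CILIUM_POD"
fi
```

Run it as `./policy-audit.sh Enabled` to switch the single deathstar endpoint into audit mode and `./policy-audit.sh Disabled` to switch back; the read-back via `cilium endpoint get` is what turns "I ran the config command" into "the endpoint is actually in audit mode", which is the check the guide asks for.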
a139bda to 47f454a