
CFP: Correlate policy verdicts to network policies #26438

Closed
sypakine opened this issue Jun 23, 2023 · 4 comments · Fixed by #27854
Labels
kind/cfp kind/feature This introduces new functionality. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Comments

@sypakine

sypakine commented Jun 23, 2023

Cilium Feature Proposal

Desired Feature

Policy verdict correlation

When a policy verdict event is produced for a flow, correlate the set of network policies that result in that verdict.

Example output for a flow:

{
  "flow": {
    "time": "2023-06-22T17:23:02.204172941Z",
    "verdict": "FORWARDED",
    "ethernet": {
      "source": "9e:b2:fc:ca:4b:7a",
      "destination": "a6:35:14:0d:02:64"
    },
    "IP": {
      "source": "10.128.0.22",
      "destination": "10.48.1.17",
      "ipVersion": "IPv4"
    },
    "l4": {
      "TCP": {
        "source_port": 80,
        "destination_port": 55555,
        "flags": {
          "SYN": true,
          "ACK": true
        }
      }
    },
    "source": {
      "identity": 2,
      "labels": [
        "reserved:world"
      ]
    },
    "destination": {
      "ID": 3798,
      "identity": 31051,
      "namespace": "default",
      "labels": [
        "k8s:io.cilium.k8s.namespace.labels.kubernetes.io/metadata.name=default",
        "k8s:io.cilium.k8s.policy.cluster=default",
        "k8s:io.cilium.k8s.policy.serviceaccount=default",
        "k8s:io.kubernetes.pod.namespace=default"
      ],
      "pod_name": "client-7494b5866d-w69gw",
      "workloads": [
        {
          "name": "client",
          "kind": "Deployment"
        }
      ]
    },
    "Type": "L3_L4",
    "node_name": "gke-cluster-default-pool-025d71ba-q92f",
    "event_type": {
      "type": 5
    },
    "source_service": {
      "name": "service",
      "namespace": "default"
    },
    "traffic_direction": "INGRESS",
    "policy_match_type": 4,
    "policies":[                                 #<--- new field
      {
         "kind":"NetworkPolicy",
         "name":"allow-all",
         "namespace":"default"
      },
      {
         "kind":"CiliumClusterwideNetworkPolicy",
         "name":"allow-all"
      }
    ],
    "is_reply": false,
    "Summary": "TCP Flags: SYN, ACK"
  },
  "node_name": "gke-cluster-default-pool-025d71ba-q92f",
  "time": "2023-06-22T17:23:02.204172941Z"
}

Proposed Solution

The proposal is outlined in the following Google Doc:

https://docs.google.com/document/d/1puY1kAwZ7QK4Kfpn3kDjo3tCh5OzgOIkxL3rQzosVFI/edit#
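
To make the proposed "policies" field concrete, here is an added, stand-alone Go example (not Cilium's code, and not the correlator described in the linked design doc). It models policy correlation at the level gandro asks about below: a policy is correlated with a FORWARDED ingress flow when its endpoint selector matches the destination labels and at least one ingress rule accepts the source labels and destination port. The label names (k8s:app=client, k8s:app=frontend), the port, and the third policy are assumptions made up for the example; the two allow-all policies mirror the sample output above. Real Cilium resolves labels to numeric identities and consults per-endpoint policy maps, which this example does not attempt.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels is the flat label set Hubble reports on an endpoint,
// e.g. "k8s:io.kubernetes.pod.namespace=default" or "reserved:world".
type Labels map[string]bool

// Rule is a simplified ingress rule: labels a peer must carry to be
// allowed (empty = any peer) and destination ports it may reach (empty = any).
type Rule struct {
	FromLabels []string
	Ports      []int
}

// Policy models NetworkPolicy / CiliumNetworkPolicy /
// CiliumClusterwideNetworkPolicy just far enough to correlate.
// Namespace is empty for cluster-wide policies.
type Policy struct {
	Kind, Name, Namespace string
	Selector              []string // labels the destination endpoint must carry
	Ingress               []Rule
}

// PolicyRef is the shape of one entry in the proposed "policies" field.
type PolicyRef struct{ Kind, Name, Namespace string }

// Flow carries the parts of a Hubble flow the correlator needs.
type Flow struct {
	SrcLabels, DstLabels Labels
	DstPort              int
	Ingress              bool
}

func hasAll(have Labels, want []string) bool {
	for _, l := range want {
		if !have[l] {
			return false
		}
	}
	return true
}

func (r Rule) allowsPort(port int) bool {
	if len(r.Ports) == 0 {
		return true
	}
	for _, p := range r.Ports {
		if p == port {
			return true
		}
	}
	return false
}

// Correlate returns every policy that, on its own, allows the flow: it must
// select the destination endpoint (in its namespace, if namespaced) and one
// of its ingress rules must accept the source labels and destination port.
// The result is sorted so that log consumers see a stable order.
func Correlate(f Flow, policies []Policy) []PolicyRef {
	var refs []PolicyRef
	for _, p := range policies {
		if !f.Ingress || !hasAll(f.DstLabels, p.Selector) {
			continue
		}
		if p.Namespace != "" && !f.DstLabels["k8s:io.kubernetes.pod.namespace="+p.Namespace] {
			continue
		}
		for _, r := range p.Ingress {
			if hasAll(f.SrcLabels, r.FromLabels) && r.allowsPort(f.DstPort) {
				refs = append(refs, PolicyRef{p.Kind, p.Name, p.Namespace})
				break // one matching rule is enough to name the policy
			}
		}
	}
	sort.Slice(refs, func(i, j int) bool {
		if refs[i].Kind != refs[j].Kind {
			return refs[i].Kind < refs[j].Kind
		}
		return refs[i].Name < refs[j].Name
	})
	return refs
}

// Verdict derives the L3/L4 verdict from the correlated set: with policy
// enforcement on and no matching policy, the flow is dropped.
func Verdict(refs []PolicyRef) string {
	if len(refs) == 0 {
		return "DROPPED"
	}
	return "FORWARDED"
}

// ExampleFlow is constructed sample input modelled on the proposal's flow:
// reserved:world into the "client" pod in namespace default. The k8s:app
// label and the port are assumptions.
func ExampleFlow() Flow {
	return Flow{
		SrcLabels: Labels{"reserved:world": true},
		DstLabels: Labels{"k8s:io.kubernetes.pod.namespace=default": true, "k8s:app=client": true},
		DstPort:   8080,
		Ingress:   true,
	}
}

// ExamplePolicies holds the two allow-all policies from the proposal plus a
// hypothetical restrictive one that must not be correlated (wrong peer, wrong port).
func ExamplePolicies() []Policy {
	return []Policy{
		{Kind: "NetworkPolicy", Name: "allow-all", Namespace: "default", Ingress: []Rule{{}}},
		{Kind: "CiliumClusterwideNetworkPolicy", Name: "allow-all", Ingress: []Rule{{}}},
		{Kind: "CiliumNetworkPolicy", Name: "allow-frontend-80", Namespace: "default",
			Selector: []string{"k8s:app=client"},
			Ingress:  []Rule{{FromLabels: []string{"k8s:app=frontend"}, Ports: []int{80}}}},
	}
}

func main() {
	refs := Correlate(ExampleFlow(), ExamplePolicies())
	fmt.Println(Verdict(refs), refs)
}
```

Running it prints FORWARDED with both allow-all policies and leaves allow-frontend-80 out; dropping the two allow-all policies from the input yields DROPPED with an empty set. Note that this is purely L3/L4: two policies that differ only in their L7 rules would both be reported here, which is the precision trade-off raised in the discussion.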

@sypakine sypakine added the kind/feature This introduces new functionality. label Jun 23, 2023
@ti-mo ti-mo added sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/cfp labels Jun 23, 2023
@gandro (Member) commented Jun 26, 2023

Thanks for the CFP. I think the high-level motivation makes sense.

Overall, I'd like to understand the meaning of a "correlated policy", since the CFP is also very short on the actual implementation of the "correlator". What are the conditions for a policy to be correlated? An entry in the policy map? A matching L7 rule? The actual criteria here define how expensive correlation is. If we only correlate on policy map entries, then that's cheaper than having an exact L7 policy match, but it's also less precise, since all L7 policies share a policy map entry, but not all of them will necessarily have allowed the flow.

@michi-covalent (Contributor) commented

I reviewed the CFP. The high-level motivations make sense 🚀. @sypakine could you take another look at the Google Doc? There are some questions / comments there 🙏

@xmulligan (Member) commented

@sypakine would you mind adding the CFP to the design repo? https://github.com/cilium/design-cfps

@xmulligan (Member) commented

@sypakine do you want me to add it to the repo instead?

5 participants