Handle audit mode in cilium endpoint list and kubectl get cep #11011

ap4y · 2020-04-16T02:10:46Z

This patch improve enforcement status reporting for
'cilium endpoint list' and 'kubectl get cep'. Former will have a new
audit status and later will show Enforcing=false when policy audit
mode is enabled.

cilium endpoint list:

ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                                                   IPv6   IPv4           STATUS   
           ENFORCEMENT        ENFORCEMENT                                                                                                                                      
144        Audit              Disabled          52972      k8s:app=review-with-maste-d9llml                                                                     10.111.0.90    ready   
                                                           k8s:io.cilium.k8s.namespace.labels.app.gitlab.com/app=gitlab-org-defend-network-policy-demo                                 
                                                           k8s:io.cilium.k8s.namespace.labels.app.gitlab.com/env=review-with-maste-d9llml                                              
                                                           k8s:io.cilium.k8s.policy.cluster=default                                                                                    
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default                                                                             
                                                           k8s:io.kubernetes.pod.namespace=network-policy-demo-15787276-review-with-maste-d9llml                                       
                                                           k8s:release=review-with-maste-d9llml                                                                                        
                                                           k8s:tier=web                                                                                                                
                                                           k8s:track=stable

kubectl get cep:

NAME                                        ENDPOINT ID   IDENTITY ID   INGRESS ENFORCEMENT   EGRESS ENFORCEMENT   VISIBILITY POLICY   ENDPOINT STATE   IPV4          IPV6
review-with-maste-d9llml-769d6d66d5-vvqx4   144           52972         false                 false                                    ready            10.111.0.90

maintainer-s-little-helper · 2020-04-16T02:10:49Z

Please set the appropriate release note label.

coveralls · 2020-04-16T02:54:42Z

Coverage decreased (-0.007%) to 44.689% when pulling 983b4bd on ap4y:endpoint-audit-status into fff6d6c on cilium:master.

aanm

Can you clarify the PR description a little bit? You're saying the if audit mode is set the cilium endpoint list will show Ingress/Egress policy as "Disabled"?

aanm · 2020-04-16T10:26:43Z

test-me-please

ap4y · 2020-04-16T22:22:13Z

@aanm I have updated description with examples of both commands to make it more clear.

joestringer

CLI LGTM.

aanm

From a usability PoV it is not clear to me what "Audit" means, it's not clear if a policy is being enforced or not. I would prefer to see "Disabled (audit)"

ap4y · 2020-04-21T03:16:06Z

Updated state label from Audit to Disabled (Audit).

aanm · 2020-04-21T19:05:49Z

test-me-please

joestringer · 2020-04-22T01:16:03Z

CI (Ginkgo) failure seems related to the latest change, GKE looks more like a flake. PTAL.

This patch improve enforcement status reporting for 'cilium endpoint list' and 'kubectl get cep'. Former will have a new audit status and later will show Enforcing=false when policy audit mode is enabled. Signed-off-by: Arthur Evstifeev <aevstifeev@gitlab.com>

ap4y · 2020-04-22T02:31:42Z

@joestringer Fixed regex escaping in the Gingko spec

aanm · 2020-04-22T08:12:02Z

test-me-please

api/v1/models/endpoint_policy_enabled.go

PR #11011 added only the generated APIs, but not the changes to openapi.yaml and embedded_spec.go. Otherwise the respective consts are removed when regenerating the API. Add them to api/v1/openapi.yaml now. Fixes: 514a38b ("Handle audit mode in cilium endpoint list and kubectl get cep") Signed-off-by: Tobias Klauser <tklauser@distanz.ch>

[ upstream commit 0a173dc ] PR #11011 added only the generated APIs, but not the changes to openapi.yaml and embedded_spec.go. Otherwise the respective consts are removed when regenerating the API. Add them to api/v1/openapi.yaml now. Fixes: 514a38b ("Handle audit mode in cilium endpoint list and kubectl get cep") Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Chris Tarazi <chris@isovalent.com>

ap4y requested review from a team as code owners April 16, 2020 02:10

maintainer-s-little-helper bot added the dont-merge/needs-release-note label Apr 16, 2020

maintainer-s-little-helper bot added this to In progress in 1.8.0 Apr 16, 2020

ap4y force-pushed the endpoint-audit-status branch from 7289410 to c8367ce Compare April 16, 2020 02:20

aanm added pending-review release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Apr 16, 2020

maintainer-s-little-helper bot removed the dont-merge/needs-release-note label Apr 16, 2020

aanm reviewed Apr 16, 2020

View reviewed changes

joestringer approved these changes Apr 16, 2020

View reviewed changes

aanm requested changes Apr 20, 2020

View reviewed changes

ap4y force-pushed the endpoint-audit-status branch from c8367ce to 14579a5 Compare April 20, 2020 22:20

ap4y requested a review from aanm April 21, 2020 03:16

aanm approved these changes Apr 21, 2020

View reviewed changes

aanm requested a review from joestringer April 21, 2020 19:05

joestringer approved these changes Apr 22, 2020

View reviewed changes

ap4y force-pushed the endpoint-audit-status branch from 14579a5 to 983b4bd Compare April 22, 2020 02:26

aanm merged commit 514a38b into cilium:master Apr 24, 2020

1.8.0 automation moved this from In progress to Merged Apr 24, 2020

ap4y deleted the endpoint-audit-status branch April 24, 2020 21:25

tklauser reviewed Jul 24, 2020

View reviewed changes

api/v1/models/endpoint_policy_enabled.go Show resolved Hide resolved

tklauser mentioned this pull request Jul 24, 2020

api: add missing audit mode enum values for EndpointPolicyEnabled #12652

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Handle audit mode in cilium endpoint list and kubectl get cep #11011

Handle audit mode in cilium endpoint list and kubectl get cep #11011

ap4y commented Apr 16, 2020 •

edited

maintainer-s-little-helper bot commented Apr 16, 2020

coveralls commented Apr 16, 2020 •

edited

aanm left a comment

aanm commented Apr 16, 2020

ap4y commented Apr 16, 2020

joestringer left a comment

aanm left a comment

ap4y commented Apr 21, 2020

aanm commented Apr 21, 2020

joestringer commented Apr 22, 2020

ap4y commented Apr 22, 2020

aanm commented Apr 22, 2020

Handle audit mode in cilium endpoint list and kubectl get cep #11011

Handle audit mode in cilium endpoint list and kubectl get cep #11011

Conversation

ap4y commented Apr 16, 2020 • edited

maintainer-s-little-helper bot commented Apr 16, 2020

coveralls commented Apr 16, 2020 • edited

aanm left a comment

Choose a reason for hiding this comment

aanm commented Apr 16, 2020

ap4y commented Apr 16, 2020

joestringer left a comment

Choose a reason for hiding this comment

aanm left a comment

Choose a reason for hiding this comment

ap4y commented Apr 21, 2020

aanm commented Apr 21, 2020

joestringer commented Apr 22, 2020

ap4y commented Apr 22, 2020

aanm commented Apr 22, 2020

ap4y commented Apr 16, 2020 •

edited

coveralls commented Apr 16, 2020 •

edited