New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add policy verdicts GSG #12165
Add policy verdicts GSG #12165
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks for documenting this @joestringer this is super educational!
one thing that's not obvious to me is how one would pick ingress vs egress policy. the example seems slightly arbitrary in a sense that it just happened to get policy-verdict for ingress traffic and proceeds to define an ingress policy. providing a bit more background might help, something like:
- i want to protect the
deathstar
pod by defining an ingress poilcy. - right now i don't know which endpoints access
deathstar
on which ports. - i can run
cilium monitor -t policy-verdict
on the nodedeathstar
is running to discover who's accessingdeathstar
. - then define an ingress policy. it might be even better if there are multiple endpoints accessing
deathstar
so that we can show bothaction allow
andaction drop
.
cc @rolinh this can be a good demo scenario for hubble-relay to gather policy verdict notifications from all the nodes without having to exec into a specific cilium pod :)
|
||
# cilium monitor -t policy-verdict | ||
... | ||
Policy verdict log: flow 0x63113709 local EP ID 1121, remote ID 2986, dst port 80, proto 6, ingress true, action audit, match none, 10.29.210.187:54134 -> 10.29.50.40:80 tcp SYN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not directly related to the documentation, but kind of curious why policy-verdict shows endpoint id for local and security identity for remote.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great question. @ap4y do you recall why this is?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually this may just be historic in that all of the BPF notification types followed this approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not entirely sure, @lzang probably knows more about the design decision for this one. AFAIK security identity is used during the verdict resolution so it makes sense to expose it in the policy log. Source is set automatically based on the datapath via a common header of the message payload:
Lines 270 to 274 in 0fa8ac7
#define __notify_common_hdr(t, s) \ | |
.type = (t), \ | |
.subtype = (s), \ | |
.source = EVENT_SOURCE, \ | |
.hash = get_hash_recalc(ctx) |
Line 12 in 0fa8ac7
#define EVENT_SOURCE LXC_ID |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe makes sense for us to take another look at the CLI output and see whether there are some basic quality-of-life things like this to also print the source local identity.
|
||
# cilium monitor -t policy-verdict | ||
... | ||
Policy verdict log: flow 0x63113709 local EP ID 1121, remote ID 2986, dst port 80, proto 6, ingress true, action audit, match none, 10.29.210.187:54134 -> 10.29.50.40:80 tcp SYN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once #12137 is merged, this example output should probably be updated to the new format.
$ kubectl create -f sw_l3_l4_policy.yaml | ||
ciliumnetworkpolicy.cilium.io/rule1 created | ||
$ kubectl -n kube-system exec -ti $(get_cilium_pod) cilium monitor -t policy-verdict | ||
Policy verdict log: flow 0xabf3bda6 local EP ID 343, remote ID 2986, dst port 80, proto 6, ingress true, action allow, match L3-L4, 10.29.210.187:59824 -> 10.29.47.87:80 tcp SYN |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Same here, this needs to be updated once #12137 is merged.
The next commit will reuse this, so split it into a common file. Signed-off-by: Joe Stringer <joe@cilium.io>
e3cecfd
to
d618106
Compare
d618106
to
fffaf9d
Compare
@michi-covalent thanks for the detailed review! I revamped/expanded tthe guide and hopefully this addresses your questions&feedback. |
fffaf9d
to
f9639be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
went through the guide, it worked seamlessly 💯
maybe we can reference https://www.starwars.com/video/one-in-a-million-shot at the end of the guide, but it does mean the force was too strong with this one even for cilium to protect death star.
Signed-off-by: Joe Stringer <joe@cilium.io>
f9639be
to
92e3b2c
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lgtm! went through the Disable Policy Audit Mode
section. just a few minor nits
This is based on some v1.8 blog material I was working on, but I figured it might be useful as a beginner introduction to forming policy from monitor output.