New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
hubble: parser: Set Encrypted bit correctly #14677
Conversation
The Encrypted flag has not been decoded correctly and inherited to the Hubble flow. Do so and add unit test. Signed-off-by: Thomas Graf <thomas@cilium.io>
4eaa562
to
7cea301
Compare
test-me-please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The fix itself looks good to me. I have one inline question if maybe more work is needed to fully fix this.
if ip != nil { | ||
ip.Source = srcIP.String() | ||
ip.Encrypted = (tn.Reason & monitor.TraceReasonEncryptMask) != 0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Something to keep in mind here is that not all trace points set tn.Reason
. So we need to be careful not confuse users with false negatives (we had a similar issue with the "is_reply" field).
A quick grep in the bpf sources seems to indicate that only the from-network
and from-overlay
trace points set TRACE_REASON_ENCRYPTED
. I have not tested it, but does this mean that to-network
will always report Encrypted
as false?
Is this a problem? If so, we should either try to address that in the datapath or have a "Encrypted: unknown" state in Hubble.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good point. It's something we need to fix one layer below though. We need to be consistent. It must be possible to trust the flag.
retest-4.9 |
retest-runtime |
retest-net-next |
retest-4.9 |
The Encrypted flag has not been decoded correctly and inherited to the
Hubble flow. Do so and add unit test.