api/hubble: add AUDIT policy verdict #14785
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
|
Runtime tests check for hubble observe output so this requires a newer hubble binary to pass, shall I split this change into two PRs, with one adding enum to flow API and the next one changes hubble output? |
jaffcheng
force-pushed
the
add-audit-verdict-to-hubble-flow-upstream
branch
from
afc07df
to
5f11f1d
Compare
aanm
added
release-note/minor
kkourt
approved these changes
Feb 3, 2021
rolinh
removed
the
dont-merge/needs-release-note-label
gandro
approved these changes
Feb 3, 2021
I missed this comment before. Yes, I think we first need to get the API change, update the CLI in test VM image, and then update the Hubble logic and the tests. |
Add a new policy verdict value `AUDIT` to distinguish whether a packet is allowed due to the audit mode or because it complies with the security policy. Need to bump vendor in hubble repo accordingly. Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com>
jaffcheng
force-pushed
the
add-audit-verdict-to-hubble-flow-upstream
branch
from
5f11f1d
to
e771be3
Compare
|
Removed hubble and test changes from this PR, will send that in a separate PR. |
gandro
approved these changes
Feb 3, 2021
|
test-me-please |
|
So in this case |
Hi, yes, we already have |
|
GKE provisioning failed retest-gke |
|
Unrelated failure in net-next: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.13-net-next/669/ retest-net-next |
|
Marking this ready to merge. The API change itself is very small. |
gandro
added
the
ready-to-merge
rolinh
added a commit
to cilium/hubble
that referenced
this pull request
Feb 10, 2021
Bump Cilium to latest master to include protobuf definitions for AUDIT policy verdict (see[0]). While here, also bump spf13/cobra to v1.1.2 and stretchr/testify to v1.7.0. [0]: cilium/cilium#14785 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
gandro
pushed a commit
to cilium/hubble
that referenced
this pull request
Feb 10, 2021
Bump Cilium to latest master to include protobuf definitions for AUDIT policy verdict (see[0]). While here, also bump spf13/cobra to v1.1.2 and stretchr/testify to v1.7.0. [0]: cilium/cilium#14785 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
gandro
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Feb 10, 2021
This pulls in the lastest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifcially cilium/cilium#14785 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Feb 10, 2021
This pulls in the lastest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifcially cilium/cilium#14785 The pulled docker image remains at the released 0.7.1 version, as this is what the Cilium master Dockerfile pulls in. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Feb 10, 2021
This pulls in the lastest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifcially cilium/cilium#14785 The pulled docker image remains at the released 0.7.1 version, as this is what the Cilium master Dockerfile pulls in. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
gandro
added a commit
to cilium/packer-ci-build
that referenced
this pull request
Feb 11, 2021
This pulls in the lastest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifcially cilium/cilium#14785 The pulled docker image remains at the released 0.7.1 version, as this is what the Cilium master Dockerfile pulls in. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add a new policy verdict value
AUDITto distinguish whether a packetis allowed due to the audit mode or because it complies with the security
policy.
Need to bump vendor in hubble repo accordingly.
This is a PR for API change, changes for hubble logic and tests will be in a separate PR once this gets merged and bumped in test VM hubble CLI.