api/hubble: add AUDIT policy verdict #14785
Runtime tests check for hubble observe output, so this requires a newer hubble binary to pass. Shall I split this change into two PRs, with one adding the enum to the flow API and the next one changing the hubble output?
afc07df to 5f11f1d
LGTM, but let's wait to hear from people more familiar with hubble than me :)
Thanks.
Looks straightforward, thanks!
I missed this comment before. Yes, I think we first need to get the API change, update the CLI in the test VM image, and then update the Hubble logic and the tests.
Add a new policy verdict value `AUDIT` to distinguish whether a packet is allowed due to the audit mode or because it complies with the security policy. Need to bump vendor in hubble repo accordingly. Signed-off-by: Jaff Cheng <jaff.cheng.sh@gmail.com>
5f11f1d to e771be3
Removed hubble and test changes from this PR, will send that in a separate PR.
test-me-please
So in this case
Hi, yes, we already have
GKE provisioning failed retest-gke
Unrelated failure in net-next: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.13-net-next/669/ retest-net-next
Marking this ready to merge. The API change itself is very small.
Bump Cilium to latest master to include protobuf definitions for AUDIT policy verdict (see[0]). While here, also bump spf13/cobra to v1.1.2 and stretchr/testify to v1.7.0. [0]: cilium/cilium#14785 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>
This pulls in the latest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifically cilium/cilium#14785 Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
This pulls in the latest master version of the Hubble CLI. This is needed to test the API changes to embedded Hubble in Cilium master, specifically cilium/cilium#14785 The pulled docker image remains at the released 0.7.1 version, as this is what the Cilium master Dockerfile pulls in. Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
Add a new policy verdict value `AUDIT` to distinguish whether a packet is allowed due to the audit mode or because it complies with the security policy.
Need to bump vendor in hubble repo accordingly.
This is a PR for API change, changes for hubble logic and tests will be in a separate PR once this gets merged and bumped in test VM hubble CLI.
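
How a flow consumer can use the distinction this PR introduces, as an added example that is not code from this PR or from the Cilium or Hubble projects: it separates flows that complied with policy from flows let through only by audit mode, and goes one step further by surfacing verdict names the consumer does not recognize (the situation a client built before a new verdict was added is in). Assumptions: the `Flow` struct is a simplified stand-in that carries the verdict as its enum name, `FORWARDED` and `DROPPED` are the other verdict names, and all workload names are constructed.

```go
package main

import "fmt"

// Flow is a constructed, simplified stand-in for a Hubble flow record, not
// the generated Cilium API type. Verdict holds the enum name as a string.
type Flow struct{ Src, Dst, Verdict string }

// Summary separates traffic that complied with policy from traffic that was
// let through only because audit mode is on.
type Summary struct {
	Compliant, Dropped int
	AuditOnly          map[string]int // "src -> dst" => flow count
	Unrecognized       map[string]int // verdict names this consumer predates
}

// Summarize classifies flows by verdict.
func Summarize(flows []Flow) Summary {
	s := Summary{AuditOnly: map[string]int{}, Unrecognized: map[string]int{}}
	for _, f := range flows {
		switch f.Verdict {
		case "FORWARDED":
			s.Compliant++
		case "DROPPED":
			s.Dropped++
		case "AUDIT":
			s.AuditOnly[f.Src+" -> "+f.Dst]++
		default:
			// Never fold an unknown verdict into "allowed"; surface it.
			s.Unrecognized[f.Verdict]++
		}
	}
	return s
}

// SampleFlows returns constructed records (hypothetical workload names).
func SampleFlows() []Flow {
	return []Flow{
		{"default/frontend", "default/api:8080", "FORWARDED"},
		{"default/frontend", "default/db:5432", "AUDIT"},
		{"default/batch", "default/db:5432", "AUDIT"},
		{"default/frontend", "default/db:5432", "AUDIT"},
		{"kube-system/probe", "default/api:8080", "DROPPED"},
		{"default/frontend", "default/api:8080", "FUTURE_VERDICT"},
	}
}

func main() {
	s := Summarize(SampleFlows())
	fmt.Printf("compliant=%d dropped=%d unrecognized=%v\n", s.Compliant, s.Dropped, s.Unrecognized)
	for peer, n := range s.AuditOnly {
		fmt.Printf("audit-only: %s (%d flows)\n", peer, n)
	}
}
```

The `AuditOnly` entries are the peers whose traffic was allowed only because of audit mode, so they are the ones to review before relying on the policy.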