
Consider all labels by default when deriving security identity #849

Merged
merged 3 commits into from
May 30, 2017

Conversation

tgraf (Member) commented May 29, 2017

No description provided.

@tgraf tgraf requested a review from aanm May 29, 2017 20:55
@tgraf tgraf added the kind/enhancement This would improve or streamline existing functionality. label May 29, 2017
@tgraf tgraf added this to the 0.9 milestone May 29, 2017
@tgraf tgraf changed the title Take all labels Consider all labels by default when deriving security identity May 29, 2017
if podName := k8sDockerLbls.GetPodName(allLabels); podName != "" {
k8sNormalLabels, err := d.fetchK8sLabels(allLabels)
if err != nil {
log.Warningf("Error while getting kubernetes labels: %s", err)
} else if k8sNormalLabels != nil {
k8sLbls = labels.Map2Labels(k8sNormalLabels, k8s.LabelSource)
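Review bot: the error branch of fetchK8sLabels only logs a warning and falls through, so when the Kubernetes labels cannot be fetched the endpoint continues with k8sLbls left unset and its identity is derived from whatever remains in allLabels; the visible lines give no retry or failure path, so consider failing or retrying here (or surfacing the degraded state in the endpoint status) rather than silently continuing with a smaller label set.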

aanm (Member) commented:

We still need to store the io.kubernetes.pod.namespace here.

tgraf (Member, Author) replied:

Fixed

Prefix: k8s.PodNamespaceLabel,
Source: k8s.LabelSource,
Ignore: true,
Prefix: "io.kubernetes",
},
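Review bot: the explicit entry with Prefix k8s.PodNamespaceLabel and the Ignore entry with Prefix "io.kubernetes" overlap, since the namespace label io.kubernetes.pod.namespace named in the earlier comment carries that prefix, so the outcome depends on the order in which the prefix list is evaluated; make sure the more specific namespace entry is matched first (or state that the longest matching prefix wins) and add a test asserting that the namespace label survives filtering.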
aanm (Member) commented:

Also ignore k8s.io/kubernetes/pkg/apis/extensions/DefaultDeploymentUniqueLabelKey or "pod-template-hash"

tgraf added 3 commits May 30, 2017 00:28
- Move into pkg/labels/
- No need to take lock

Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Thomas Graf <thomas@cilium.io>
Instead of whitelisting individual label prefixes by default,
consider all labels except "io.kubernetes*" to avoid including
pod-name hash, timestamps, grace periods, etc.

Signed-off-by: Thomas Graf <thomas@cilium.io>
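The filtering the commit message describes (keep all labels except `io.kubernetes*`, while the review comments ask that `io.kubernetes.pod.namespace` be retained and `pod-template-hash` be dropped) is illustrated by the following added example. It is not Cilium's code: the `LabelPrefix` type, `DefaultRules`, `FilterLabels`, `IdentityKey` and `ReplicaLabels` are assumed names, and the sample label sets are constructed. It also shows why rule order matters, the point raised in the review of the prefix list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LabelPrefix is a hypothetical filter rule (the name is assumed here and is
// not Cilium's own type). A label matches when its key starts with Prefix;
// Ignore says whether a matching label is dropped or kept. Rules are checked
// in order and the first match decides.
type LabelPrefix struct {
	Prefix string
	Ignore bool
}

// DefaultRules encodes the policy from the commit message and review comments:
// keep the pod namespace label explicitly, drop the rest of "io.kubernetes*"
// (pod name, container hash, grace periods and similar per-pod metadata) and
// the deployment's "pod-template-hash", and keep every other label.
// Order matters: the namespace rule must come before the broad
// "io.kubernetes" ignore rule, otherwise it is never reached.
var DefaultRules = []LabelPrefix{
	{Prefix: "io.kubernetes.pod.namespace", Ignore: false},
	{Prefix: "io.kubernetes", Ignore: true},
	{Prefix: "pod-template-hash", Ignore: true},
}

// FilterLabels returns the labels that should feed the security identity.
// Labels matching no rule are kept (consider all labels by default).
func FilterLabels(all map[string]string, rules []LabelPrefix) map[string]string {
	out := make(map[string]string, len(all))
	for key, value := range all {
		keep := true
		for _, rule := range rules {
			if strings.HasPrefix(key, rule.Prefix) {
				keep = !rule.Ignore
				break
			}
		}
		if keep {
			out[key] = value
		}
	}
	return out
}

// IdentityKey renders filtered labels in a canonical, order-independent form
// so that endpoints with the same relevant labels share one identity.
func IdentityKey(lbls map[string]string) string {
	keys := make([]string, 0, len(lbls))
	for key := range lbls {
		keys = append(keys, key)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, key := range keys {
		parts = append(parts, key+"="+lbls[key])
	}
	return strings.Join(parts, ",")
}

// ReplicaLabels builds a constructed label set for one replica of a "redis"
// guestbook pod; only the per-pod fields vary between replicas.
func ReplicaLabels(podName, templateHash string) map[string]string {
	return map[string]string{
		"io.kubernetes.pod.namespace":  "default",
		"io.kubernetes.pod.name":       podName,
		"io.kubernetes.container.hash": "0123abcd", // constructed value
		"pod-template-hash":            templateHash,
		"k8s-app.guestbook":            "redis",
		"role":                         "slave",
	}
}

func main() {
	a := ReplicaLabels("guestbook-redis-aaa-111", "aaa")
	b := ReplicaLabels("guestbook-redis-bbb-222", "bbb")
	ka := IdentityKey(FilterLabels(a, DefaultRules))
	kb := IdentityKey(FilterLabels(b, DefaultRules))
	fmt.Println("identity labels:", ka)
	fmt.Println("replicas share identity:", ka == kb)

	// Reversed rule order: the broad ignore rule shadows the namespace rule,
	// so pods in different namespaces would collapse into one identity.
	reversed := []LabelPrefix{DefaultRules[1], DefaultRules[0], DefaultRules[2]}
	_, hasNS := FilterLabels(a, reversed)["io.kubernetes.pod.namespace"]
	fmt.Println("namespace kept with reversed rules:", hasNS)
}
```

With the default rule order, the two replicas reduce to `io.kubernetes.pod.namespace=default,k8s-app.guestbook=redis,role=slave` and therefore share an identity, which matches the endpoint listing later in the thread; with the rules reversed the namespace label is lost and the namespace no longer separates identities, which is the precedence problem to test for.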
@tgraf tgraf force-pushed the take-all-labels branch 2 times, most recently from 8d3995d to a15ada7 Compare May 30, 2017 01:47
@tgraf tgraf requested a review from aanm May 30, 2017 02:00
aanm (Member) commented May 30, 2017

For future reference:

$ cilium endpoint list
ENDPOINT   POLICY        IDENTITY   LABELS (source:key[=value])                   IPv6                     IPv4            STATUS   
           ENFORCEMENT                                                                                                              
173        Enabled       258        k8s:io.kubernetes.pod.namespace=default       fd02::c0a8:210b:0:ad     10.11.42.252    ready    
                                    k8s:k8s-app.guestbook=redis                                                                     
                                    k8s:role=slave                                                                                  
13949      Enabled       259        k8s:io.kubernetes.pod.namespace=default       fd02::c0a8:210b:0:367d   10.11.193.100   ready    
                                    k8s:k8s-app.guestbook=web                                                                       
38939      Enabled       257        k8s:io.kubernetes.pod.namespace=default       fd02::c0a8:210b:0:981b   10.11.148.173   ready    
                                    k8s:k8s-app.guestbook=redis                                                                     
                                    k8s:role=master                                                                                 
56326      Disabled      256        k8s:io.kubernetes.pod.namespace=kube-system   fd02::c0a8:210b:0:dc06   10.11.250.189   ready    
                                    k8s:k8s-app=kube-dns

@tgraf tgraf merged commit 15b6d3a into master May 30, 2017
@tgraf tgraf deleted the take-all-labels branch May 30, 2017 11:23
Labels
kind/enhancement This would improve or streamline existing functionality.

2 participants