New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Rework label source concept #905
Conversation
Signed-off-by: Thomas Graf <thomas@cilium.io>
It's generally a good idea to keep all valid label source names in a central place to avoid conflicts. This also helps to avoids cyclic imports. Signed-off-by: Thomas Graf <thomas@cilium.io>
- Instead of LabelSourceCilium, use LabelSourceContainer for labels which have been derived from the container runtime and LabelSourceUnspec if no source has been specified - Remove LabelSourceCilium and keep LabelSourceReserved as the identifier for reserved label keys. - Add new *SelectLabel*() functions which are used to create labels used to select other labels. The source defaults to any for these labels. Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Thomas Graf <thomas@cilium.io>
212353b
to
bab943f
Compare
@@ -179,7 +207,7 @@ func (s *LabelsSuite) TestLabelSliceSHA256Sum(c *C) { | |||
} | |||
sha256sum, err := LabelSliceSHA256Sum(labels) | |||
c.Assert(err, IsNil) | |||
c.Assert(sha256sum, DeepEquals, "180d22655dec0e78f62c3e4ac17f5994baedbdfc5c882cbbd668e2628c44f320") | |||
c.Assert(sha256sum, DeepEquals, "330d57790ccf8cd0b10000d6297baa5fa27b9d6e1cb228055b45dc6e440ea4da") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because of this I'm not sure if we can release this in 0.9. This will create conflicting SecLabelIDs across cluster for different cilium version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just noticed the milestone is 0.10
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you think this is a problem? Are you worried about users running 0.8 and 0.9 in parallel?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, upgrading one node at a time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or even stopping cilium and restarting it with a new version.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will assign a new security identity to the pod and will evaluate a new policy which will have the same effect. I don't think it breaks anything except that for a group of containers that previously used a single identity, they may use two identities for a while but with the same policy enforcement result.
Either way, let's merge it for 0.10 if you agree with the overall concept and we can think about a 0.9 backport separately.
pkg/labels/labels.go
Outdated
// LabelSourceCilium is an internal Cilium label | ||
LabelSourceCilium = "cilium" | ||
// LabelSourceContainer is a label imported from the container runtime | ||
LabelSourceContainer = "container" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we have a label for each container runtime?
Documentation/architecture.rst
Outdated
|
||
When using labels to select resources, both the key and the value must match, | ||
e.g. when a policy should be applied to all endpoints will label | ||
``my.corp.foo`` then the label ``my.corp.foo=value`` will not match the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it should be "my.corp.foo=bar
then the label..."
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, I'm fine with that. Fixed
Documentation/architecture.rst
Outdated
container runtime is not aware of the orchestration system which may result in | ||
possibly conflicting key names. | ||
|
||
To resolve this potential conflict, Cilium attached a label source prefix to |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/attached/attaches
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed
Documentation/architecture.rst
Outdated
label was derived from Kubernetes, it would not match if the label was derived | ||
from the container runtime. If the source of a label is to be ignored, the | ||
label can be prefixed with ``any:`` in which case all labels, regardless of the | ||
source will match as long as the key and value part match. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Where will the user would use any:
? Can he start a container with --label any:foo=bar
? Can he specify any:
in the policy? Can he use the policy trace
tool with the source any:
?
There are lots of new concepts for a first time reader, I think providing a clear example what he should or should not do helps.
bab943f
to
54f93a3
Compare
@aanm I've improved the documentation about label source and matching on the source. Let me know if parts are still unclear. |
``k8s:role=frontend``, ``container:user=joe``, ``k8s:role=backend``. This means | ||
that when you run a Docker container using ``docker run [...] -l foo=bar``, the | ||
label ``container:foo=bar`` will appear on the Cilium endpoint representing the | ||
container. Similiarly, a Kubernetes pod started with the label ``foo: bar`` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
foo: bar
-> foo=bar
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I listed it as foo: bar
because that is how it appears in the yaml.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ohh... I honestly for a moment thought this meant source: value
Summary:
pkg/k8s
andpkg/k8s/types
pkg/labels
cilium:
label source tocontainer:
any:
unspec:
label source for labels with unspecified source