Rework label source concept #905
Conversation
Signed-off-by: Thomas Graf <thomas@cilium.io>
It's generally a good idea to keep all valid label source names in a central place to avoid conflicts. This also helps to avoids cyclic imports. Signed-off-by: Thomas Graf <thomas@cilium.io>
- Instead of LabelSourceCilium, use LabelSourceContainer for labels which have been derived from the container runtime and LabelSourceUnspec if no source has been specified - Remove LabelSourceCilium and keep LabelSourceReserved as the identifier for reserved label keys. - Add new *SelectLabel*() functions which are used to create labels used to select other labels. The source defaults to any for these labels. Signed-off-by: Thomas Graf <thomas@cilium.io>
Signed-off-by: Thomas Graf <thomas@cilium.io>
tgraf
added
the
kind/enhancement
tgraf
force-pushed
the
rework-label-source
branch
2 times, most recently
from
212353b
to
bab943f
Compare
| @@ -179,7 +207,7 @@ func (s *LabelsSuite) TestLabelSliceSHA256Sum(c *C) { | |||
| } | |||
| sha256sum, err := LabelSliceSHA256Sum(labels) | |||
| c.Assert(err, IsNil) | |||
| c.Assert(sha256sum, DeepEquals, "180d22655dec0e78f62c3e4ac17f5994baedbdfc5c882cbbd668e2628c44f320") | |||
| c.Assert(sha256sum, DeepEquals, "330d57790ccf8cd0b10000d6297baa5fa27b9d6e1cb228055b45dc6e440ea4da") | |||
There was a problem hiding this comment.
Because of this I'm not sure if we can release this in 0.9. This will create conflicting SecLabelIDs across cluster for different cilium version.
There was a problem hiding this comment.
Why do you think this is a problem? Are you worried about users running 0.8 and 0.9 in parallel?
There was a problem hiding this comment.
Or even stopping cilium and restarting it with a new version.
There was a problem hiding this comment.
It will assign a new security identity to the pod and will evaluate a new policy which will have the same effect. I don't think it breaks anything except that for a group of containers that previously used a single identity, they may use two identities for a while but with the same policy enforcement result.
Either way, let's merge it for 0.10 if you agree with the overall concept and we can think about a 0.9 backport separately.
pkg/labels/labels.go
Outdated
| // LabelSourceCilium is an internal Cilium label | ||
| LabelSourceCilium = "cilium" | ||
| // LabelSourceContainer is a label imported from the container runtime | ||
| LabelSourceContainer = "container" |
There was a problem hiding this comment.
Should we have a label for each container runtime?
Documentation/architecture.rst
Outdated
|
|
||
| When using labels to select resources, both the key and the value must match, | ||
| e.g. when a policy should be applied to all endpoints will label | ||
| ``my.corp.foo`` then the label ``my.corp.foo=value`` will not match the |
There was a problem hiding this comment.
I think it should be "my.corp.foo=bar then the label..."
There was a problem hiding this comment.
Sure, I'm fine with that. Fixed
Documentation/architecture.rst
Outdated
| container runtime is not aware of the orchestration system which may result in | ||
| possibly conflicting key names. | ||
|
|
||
| To resolve this potential conflict, Cilium attached a label source prefix to |
Documentation/architecture.rst
Outdated
| label was derived from Kubernetes, it would not match if the label was derived | ||
| from the container runtime. If the source of a label is to be ignored, the | ||
| label can be prefixed with ``any:`` in which case all labels, regardless of the | ||
| source will match as long as the key and value part match. |
There was a problem hiding this comment.
Where will the user would use any:? Can he start a container with --label any:foo=bar? Can he specify any: in the policy? Can he use the policy trace tool with the source any:?
There are lots of new concepts for a first time reader, I think providing a clear example what he should or should not do helps.
tgraf
force-pushed
the
rework-label-source
branch
from
bab943f
to
54f93a3
Compare
|
@aanm I've improved the documentation about label source and matching on the source. Let me know if parts are still unclear. |
| ``k8s:role=frontend``, ``container:user=joe``, ``k8s:role=backend``. This means | ||
| that when you run a Docker container using ``docker run [...] -l foo=bar``, the | ||
| label ``container:foo=bar`` will appear on the Cilium endpoint representing the | ||
| container. Similiarly, a Kubernetes pod started with the label ``foo: bar`` |
There was a problem hiding this comment.
I listed it as foo: bar because that is how it appears in the yaml.
There was a problem hiding this comment.
ohh... I honestly for a moment thought this meant source: value
Summary:
pkg/k8sandpkg/k8s/typespkg/labelscilium:label source tocontainer:any:unspec:label source for labels with unspecified source