cmd/observe: improve policy verdict output in compact mode

The default output (compact) makes it hard for a user to tell the
different event types apart. In particular, it is hard for a user to
distinguish a trace event from a policy verdict one.

This commit modifies the output for policy verdict events in two ways.
First, instead of printing the drop reason (which is redundant as also
printed out with the dropped flow) or the policy match type string for
the event (L3-Only, L3-L4, L4-Only, all, none), the string
'policy-verdict' is displayed. Additionally, flows that are forwarded or
redirected are printed as ALLOWED, those that are dropped or error as
DENIED and the audit ones as AUDITED.

Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

pkg/printer/printer.go

@@ -225,14 +225,7 @@ func GetFlowType(f *pb.Flow) string {
 	case api.MessageTypeDrop:
 		return api.DropReason(uint8(f.GetEventType().GetSubType()))
 	case api.MessageTypePolicyVerdict:
-		switch f.GetVerdict() {
-		case pb.Verdict_FORWARDED, pb.Verdict_AUDIT, pb.Verdict_REDIRECTED:
-			return api.PolicyMatchType(f.GetPolicyMatchType()).String()
-		case pb.Verdict_DROPPED:
-			return api.DropReason(uint8(f.GetDropReason()))
-		case pb.Verdict_ERROR:
-			// ERROR should only happen for L7 events.
-		}
+		return api.MessageTypeNamePolicyVerdict
 	case api.MessageTypeCapture:
 		return f.GetDebugCapturePoint().String()
 	}
@@ -242,15 +235,25 @@ func GetFlowType(f *pb.Flow) string {
 
 func (p Printer) getVerdict(f *pb.Flow) string {
 	verdict := f.GetVerdict()
+	msg := verdict.String()
 	switch verdict {
 	case pb.Verdict_FORWARDED, pb.Verdict_REDIRECTED:
-		return p.color.verdictForwarded(verdict.String())
+		if f.GetEventType().GetType() == api.MessageTypePolicyVerdict {
+			msg = "ALLOWED"
+		}
+		return p.color.verdictForwarded(msg)
 	case pb.Verdict_DROPPED, pb.Verdict_ERROR:
-		return p.color.verdictDropped(verdict.String())
+		if f.GetEventType().GetType() == api.MessageTypePolicyVerdict {
+			msg = "DENIED"
+		}
+		return p.color.verdictDropped(msg)
 	case pb.Verdict_AUDIT:
-		return p.color.verdictAudit(verdict.String())
+		if f.GetEventType().GetType() == api.MessageTypePolicyVerdict {
+			msg = "AUDITED"
+		}
+		return p.color.verdictAudit(msg)
 	default:
-		return verdict.String()
+		return msg
 	}
 }
 

pkg/printer/printer_test.go

@@ -69,6 +69,11 @@ func TestPrinter_WriteProtoFlow(t *testing.T) {
 	reply.IsReply = &wrapperspb.BoolValue{Value: true}
 	unknown := proto.Clone(&f).(*pb.Flow)
 	unknown.IsReply = nil
+	policyDenied := proto.Clone(&f).(*pb.Flow)
+	policyDenied.EventType = &pb.CiliumEventType{
+		Type: monitorAPI.MessageTypePolicyVerdict,
+	}
+	policyDenied.IsReply = nil
 	type args struct {
 		f *pb.Flow
 	}
@@ -153,6 +158,22 @@ Jan  1 00:20:34.567   k8s1   1.1.1.1:31793   2.2.2.2:8080   Policy denied   DROP
 				"2.2.2.2:8080 (ID:12345) <- 1.1.1.1:31793 (health) " +
 				"Policy denied DROPPED (TCP Flags: SYN)\n",
 		},
+		{
+			name: "compact-policy-verdict-denied",
+			options: []Option{
+				Compact(),
+				WithColor("never"),
+				WithNodeName(),
+				Writer(&buf),
+			},
+			args: args{
+				f: policyDenied,
+			},
+			wantErr: false,
+			expected: "Jan  1 00:20:34.567 [k8s1]: " +
+				"1.1.1.1:31793 (health) <> 2.2.2.2:8080 (ID:12345) " +
+				"policy-verdict DENIED (TCP Flags: SYN)\n",
+		},
 		{
 			name: "compact-direction-unknown",
 			options: []Option{
@@ -631,7 +652,7 @@ func Test_getFlowType(t *testing.T) {
 					PolicyMatchType: monitorAPI.PolicyMatchL3L4,
 				},
 			},
-			want: "L3-L4",
+			want: "policy-verdict",
 		},
 		{
 			name: "L4",
@@ -644,7 +665,7 @@ func Test_getFlowType(t *testing.T) {
 					DropReason: 153,
 				},
 			},
-			want: "Error while correcting L3 checksum",
+			want: "policy-verdict",
 		},
 		{
 			name: "Debug Capture",