Surface the event type in observe -o compact #570

Closed
pchaigno opened this issue Jun 11, 2021 · 0 comments · Fixed by #745
Labels
⌨️ area/cli Impacts the command line interface of any command in the repository. 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. kind/enhancement This would improve or streamline existing functionality.

Comments

@pchaigno
Member

In the following hubble observe output, it is difficult to tell the different event types apart. For example, the third and fourth lines both look like packet drops when there's actually only one packet being dropped, the first line being the policy-verdict for that drop.

```
$ cat drops.json | ./hubble observe -o compact
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 L3-Only FORWARDED (TCP Flags: SYN)
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 to-stack FORWARDED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 <> default/deployment-85c67465d6-tfgcp:8087 Policy denied DROPPED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 <> default/deployment-85c67465d6-tfgcp:8087 Policy denied DROPPED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 L3-Only FORWARDED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 to-endpoint FORWARDED (TCP Flags: SYN)
```
click to see full `jsonpb` input.
{"flow":{"time":"2021-06-10T12:50:15.555441618Z","verdict":"FORWARDED","ethernet":{"source":"22:da:eb:b3:0e:cd","destination":"5a:d1:6b:58:d5:0b"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"ID":2607,"identity":124484,"namespace":"default","labels":["k8s:app.kubernetes.io/component=job","k8s:app.kubernetes.io/name=cronjob","k8s:controller-uid=ff9eb4f5-b227-4f06-8c9e-6c322240f69d","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:job-name=cronjob-1623329400"],"pod_name":"cronjob-1623329400-8mg2z"},"destination":{"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-c32c1cdd-wd59","event_type":{"type":5},"traffic_direction":"EGRESS","policy_match_type":1,"is_reply":false,"Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-c32c1cdd-wd59","time":"2021-06-10T12:50:15.555441618Z"}
{"flow":{"time":"2021-06-10T12:50:15.555447697Z","verdict":"FORWARDED","ethernet":{"source":"22:da:eb:b3:0e:cd","destination":"5a:d1:6b:58:d5:0b"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"ID":2607,"identity":124484,"namespace":"default","labels":["k8s:app.kubernetes.io/component=job","k8s:app.kubernetes.io/name=cronjob","k8s:controller-uid=ff9eb4f5-b227-4f06-8c9e-6c322240f69d","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:job-name=cronjob-1623329400"],"pod_name":"cronjob-1623329400-8mg2z"},"destination":{"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-c32c1cdd-wd59","event_type":{"type":4,"sub_type":3},"traffic_direction":"EGRESS","trace_observation_point":"TO_STACK","is_reply":false,"Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-c32c1cdd-wd59","time":"2021-06-10T12:50:15.555447697Z"}
{"flow":{"time":"2021-06-10T12:50:15.556273526Z","verdict":"DROPPED","drop_reason":133,"ethernet":{"source":"92:4a:b7:4b:23:89","destination":"46:59:1c:16:4c:16"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"identity":2,"labels":["reserved:world"]},"destination":{"ID":2140,"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-d58bf990-0cwt","event_type":{"type":5},"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED","Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-d58bf990-0cwt","time":"2021-06-10T12:50:15.556273526Z"}
{"flow":{"time":"2021-06-10T12:50:15.556289810Z","verdict":"DROPPED","drop_reason":133,"ethernet":{"source":"92:4a:b7:4b:23:89","destination":"46:59:1c:16:4c:16"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"identity":2,"labels":["reserved:world"]},"destination":{"ID":2140,"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-d58bf990-0cwt","event_type":{"type":1,"sub_type":133},"traffic_direction":"INGRESS","drop_reason_desc":"POLICY_DENIED","Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-d58bf990-0cwt","time":"2021-06-10T12:50:15.556289810Z"}
{"flow":{"time":"2021-06-10T12:50:16.580733369Z","verdict":"FORWARDED","ethernet":{"source":"92:4a:b7:4b:23:89","destination":"46:59:1c:16:4c:16"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"identity":124484,"namespace":"default","labels":["k8s:app.kubernetes.io/component=job","k8s:app.kubernetes.io/name=cronjob","k8s:controller-uid=ff9eb4f5-b227-4f06-8c9e-6c322240f69d","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:job-name=cronjob-1623329400"],"pod_name":"cronjob-1623329400-8mg2z"},"destination":{"ID":2140,"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-d58bf990-0cwt","event_type":{"type":5},"traffic_direction":"INGRESS","policy_match_type":1,"is_reply":false,"Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-d58bf990-0cwt","time":"2021-06-10T12:50:16.580733369Z"}
{"flow":{"time":"2021-06-10T12:50:16.580765230Z","verdict":"FORWARDED","ethernet":{"source":"92:4a:b7:4b:23:89","destination":"46:59:1c:16:4c:16"},"IP":{"source":"10.8.14.163","destination":"10.8.15.253","ipVersion":"IPv4"},"l4":{"TCP":{"source_port":43006,"destination_port":8087,"flags":{"SYN":true}}},"source":{"identity":124484,"namespace":"default","labels":["k8s:app.kubernetes.io/component=job","k8s:app.kubernetes.io/name=cronjob","k8s:controller-uid=ff9eb4f5-b227-4f06-8c9e-6c322240f69d","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default","k8s:job-name=cronjob-1623329400"],"pod_name":"cronjob-1623329400-8mg2z"},"destination":{"ID":2140,"identity":107099,"namespace":"default","labels":["k8s:app.kubernetes.io/name=deployment","k8s:io.cilium.k8s.policy.cluster=dev","k8s:io.cilium.k8s.policy.serviceaccount=default","k8s:io.kubernetes.pod.namespace=default"],"pod_name":"deployment-85c67465d6-tfgcp"},"Type":"L3_L4","node_name":"gke-dev-dev-default-d58bf990-0cwt","event_type":{"type":4},"traffic_direction":"INGRESS","trace_observation_point":"TO_ENDPOINT","is_reply":false,"Summary":"TCP Flags: SYN"},"node_name":"gke-dev-dev-default-d58bf990-0cwt","time":"2021-06-10T12:50:16.580765230Z"}

This could maybe be improved by printing the event type as a string in the compact output, as below.

```
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 policy-verdict ALLOWED (TCP Flags: SYN)
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 to-stack FORWARDED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 <> default/deployment-85c67465d6-tfgcp:8087 policy-verdict DENIED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 <> default/deployment-85c67465d6-tfgcp:8087 Policy denied DROPPED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 policy-verdict ALLOWED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 -> default/deployment-85c67465d6-tfgcp:8087 to-endpoint FORWARDED (TCP Flags: SYN)
```

Note that another change in the above example is the policy-verdict result, which goes from FORWARDED/DROPPED to ALLOWED/DENIED/AUDITED to better reflect the event type.

@pchaigno pchaigno added kind/enhancement This would improve or streamline existing functionality. 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. ⌨️ area/cli Impacts the command line interface of any command in the repository. labels Jun 11, 2021
@rolinh rolinh added this to the 1.0 milestone Jun 10, 2022
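
As an added illustration (not code from the Hubble repository or from the issue author), this Go sketch derives the proposed event and result columns from the `event_type`, `verdict`, `trace_observation_point` and `drop_reason_desc` fields of the jsonpb input above. The names `Describe` and `flowEvent`, the `type-N` fallback and the `AUDIT` input spelling are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// flowEvent holds only the jsonpb fields this sketch needs.
type flowEvent struct {
	Flow struct {
		Verdict   string `json:"verdict"`
		EventType struct {
			Type int `json:"type"`
		} `json:"event_type"`
		TracePoint string `json:"trace_observation_point"`
		DropDesc   string `json:"drop_reason_desc"`
	} `json:"flow"`
}

// Describe returns "<event> <result>"; types 1, 4 and 5 are those in the page's sample input.
func Describe(line string) (string, error) {
	var ev flowEvent
	if err := json.Unmarshal([]byte(line), &ev); err != nil {
		return "", err
	}
	f := ev.Flow
	switch f.EventType.Type {
	case 5: // policy verdict; "AUDIT" as the input spelling for AUDITED is an assumption
		names := map[string]string{"FORWARDED": "ALLOWED", "DROPPED": "DENIED", "AUDIT": "AUDITED"}
		if r, ok := names[f.Verdict]; ok {
			return "policy-verdict " + r, nil
		}
		return "policy-verdict " + f.Verdict, nil
	case 4: // trace: TO_STACK -> to-stack
		point := strings.ToLower(strings.ReplaceAll(f.TracePoint, "_", "-"))
		return point + " " + f.Verdict, nil
	case 1: // drop: POLICY_DENIED -> "Policy denied"
		d := strings.ToLower(strings.ReplaceAll(f.DropDesc, "_", " "))
		if d != "" {
			d = strings.ToUpper(d[:1]) + d[1:]
		}
		return d + " " + f.Verdict, nil
	}
	return fmt.Sprintf("type-%d %s", f.EventType.Type, f.Verdict), nil // unknown types stay visible
}

func main() { // constructed input: the page's third flow, trimmed to the fields used here
	fmt.Println(Describe(`{"flow":{"verdict":"DROPPED","event_type":{"type":5},"drop_reason_desc":"POLICY_DENIED"}}`))
}
```

With this mapping the two 12:50:15.556 flows no longer render identically: the type 5 event reads as a policy decision and the type 1 event as the single packet drop.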