Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Request: Output security identities by default #687

Closed
joestringer opened this issue Mar 2, 2022 · 2 comments
Closed

Request: Output security identities by default #687

joestringer opened this issue Mar 2, 2022 · 2 comments
Labels
⌨️ area/cli Impacts the command line interface of any command in the repository. 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. 🌟 kind/feature This introduces new functionality.

Comments

@joestringer
Copy link
Member

Security identities are very helpful in pinpointing whether it's likely that an issue is related to a pod identity, or world identity issues, or even masquerading issues. It would be helpful to print these by default (even if it's just the number) so that when users report issues, we can at least tell a bit more about the likely direction of the flow, whether it's between two pods or a pod and outside, or whether Cilium has assessed the identity of something as belonging "to the world" which has different policy debug paths from pod<->pod identity investigations.
@gandro gandro added 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. ⌨️ area/cli Impacts the command line interface of any command in the repository. 🌟 kind/feature This introduces new functionality. labels Mar 14, 2022
@michi-covalent
Copy link
Collaborator

adding more suggestions here (from @pchaigno)

  • The FORWARDED/DROPPED at the end is confusing for policy verdicts. Should likely be ALLOWED/DENIED. Maybe FORWARDED could also just be omitted for brevity.
  • The context (endpoint ID) in which each event was emitted is not shown in the compact output. That's also often useful to see transitions on pod-to-pod traffic.

we could either:

  • update the default compact output format, or
  • come up with another output format that's geared towards users who are familiar with cilium internals

@michi-covalent
Copy link
Collaborator

ok i'm closing this, it's fixed in #732.

i'll open a separate issue to track how to improve policy verdict events in the compact output.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
⌨️ area/cli Impacts the command line interface of any command in the repository. 👍 good-first-issue Good starting point for new developers, which requires minimal understanding of Hubble. 🌟 kind/feature This introduces new functionality.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@gandro @joestringer @michi-covalent