cmd/observe: improve policy verdict output in compact mode #745

rolinh · 2022-06-14T14:39:53Z

The default output (compact) makes it hard for a user to tell the
different event types apart. In particular, it is hard for a user to
distinguish a trace event from a policy verdict one.

This commit modifies the output for policy verdict events in two ways.
First, instead of printing the drop reason (which is redundant as also
printed out with the dropped flow) the string 'policy-verdict' along
with the policy match type string for the event (L3-Only, L3-L4,
L4-Only, all, none), is displayed.
Additionally, flows that are forwarded or redirected are printed as
ALLOWED, those that are dropped or error as DENIED and the audit ones as
AUDITED.

Example output from #570:

$ cat sample.json | hubble observe --output compact
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 (ID:124484) -> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) policy-verdict:L3-Only ALLOWED (TCP Flags: SYN)
Jun 10 12:50:15.555: default/cronjob-1623329400-8mg2z:43006 (ID:124484) -> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) to-stack FORWARDED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 (world) <> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) policy-verdict:none DENIED (TCP Flags: SYN)
Jun 10 12:50:15.556: 10.8.14.163:43006 (world) <> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) Policy denied DROPPED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 (ID:124484) -> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) policy-verdict:L3-Only ALLOWED (TCP Flags: SYN)
Jun 10 12:50:16.580: default/cronjob-1623329400-8mg2z:43006 (ID:124484) -> default/deployment-85c67465d6-tfgcp:8087 (ID:107099) to-endpoint FORWARDED (TCP Flags: SYN)

Closes: #570

From a user perspective, it is much easier to understand the flow type when policy verdict events verdicts use the term ALLOWED instead of REDIRECTED/FORWARDED and DENIED instead of DROPPED. See also: cilium/hubble#745 Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

michi-covalent · 2022-06-14T16:06:29Z

lgtm! for ALLOWED verdict, it might still be useful to print match type:

policy-verdict ALLOWED:L3-L4

for DENIED verdict i guess it's redundant to print none because we know nothing matched.

edit:

also it might be useful to indicate direction (ingress/egress) 💭

policy-verdict egress ALLOWED:L3-L4
policy-verdict ingress DENIED

gandro · 2022-06-15T09:02:20Z

lgtm! for ALLOWED verdict, it might still be useful to print match type:
policy-verdict ALLOWED:L3-L4

Fully agreed. I think having the match type is very useful in audit mode, to narrow down what part of a policy allowed it.

The default output (compact) makes it hard for a user to tell the different event types apart. In particular, it is hard for a user to distinguish a trace event from a policy verdict one. This commit modifies the output for policy verdict events in two ways. First, instead of printing the drop reason (which is redundant as also printed out with the dropped flow) the string 'policy-verdict' along with the policy match type string for the event (L3-Only, L3-L4, L4-Only, all, none), is displayed. Additionally, flows that are forwarded or redirected are printed as ALLOWED, those that are dropped or error as DENIED and the audit ones as AUDITED. Signed-off-by: Robin Hahling <robin.hahling@gw-computing.net>

rolinh · 2022-06-15T11:26:47Z

@gandro PTAL, I updated the output to also include the policy match type.

gandro

Thanks!

michi-covalent · 2022-06-15T18:34:51Z

time to ship

rolinh added ⌨️ area/cli Impacts the command line interface of any command in the repository. release-note/minor This PR introduces functionality that users may find relevant to operating Hubble. labels Jun 14, 2022

rolinh requested review from pchaigno, a team and joamaki and removed request for a team June 14, 2022 14:39

rolinh mentioned this pull request Jun 14, 2022

hubble: improve policy verdict status (use ALLOWED/DENIED instead of REDIRECTED/FORWARDED/DROPPED) cilium/cilium#20202

Closed

michi-covalent approved these changes Jun 14, 2022

View reviewed changes

michi-covalent added this to the 1.0 milestone Jun 14, 2022

rolinh force-pushed the pr/rolinh/surface-event-type branch from 3b5627f to 53e2996 Compare June 15, 2022 11:24

rolinh requested a review from gandro June 15, 2022 11:26

gandro approved these changes Jun 15, 2022

View reviewed changes

michi-covalent merged commit 4d51e2a into master Jun 15, 2022

michi-covalent deleted the pr/rolinh/surface-event-type branch June 15, 2022 18:34

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

cmd/observe: improve policy verdict output in compact mode #745

cmd/observe: improve policy verdict output in compact mode #745

rolinh commented Jun 14, 2022 •

edited

Loading

michi-covalent commented Jun 14, 2022 •

edited

Loading

gandro commented Jun 15, 2022

rolinh commented Jun 15, 2022 •

edited

Loading

gandro left a comment

michi-covalent commented Jun 15, 2022

cmd/observe: improve policy verdict output in compact mode #745

cmd/observe: improve policy verdict output in compact mode #745

Conversation

rolinh commented Jun 14, 2022 • edited Loading

michi-covalent commented Jun 14, 2022 • edited Loading

gandro commented Jun 15, 2022

rolinh commented Jun 15, 2022 • edited Loading

gandro left a comment

Choose a reason for hiding this comment

michi-covalent commented Jun 15, 2022

rolinh commented Jun 14, 2022 •

edited

Loading

michi-covalent commented Jun 14, 2022 •

edited

Loading

rolinh commented Jun 15, 2022 •

edited

Loading