admin: include cilium networkpolicies in envoy config dump #184

Merged

mhofstetter
Member

Currently, only builtin Envoy resources are part of the Envoy config dump on the admin API (/admin/config_dump).

This commit adds Cilium's NetworkPolicies to the config dump, by registering a callback to the configtracker of the adminserver.

This way, the network policies which are actually taken into account by the Envoy Cilium filters are also part of Cilium's sysdump.

Example output (Network Policy output manually flattened to reduce vertical usage)

```
{
    "configs": [
     {
      "@type": "type.googleapis.com/envoy.admin.v3.BootstrapConfigDump",
      ...
     },
     {
      "@type": "type.googleapis.com/envoy.admin.v3.ClustersConfigDump",
      "static_clusters": [
       ...
      ]
     },
     {
      "@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump",
      "version_info": "3",
      "dynamic_listeners": [
       ...
      ]
     },
     {
      "@type": "type.googleapis.com/cilium.NetworkPoliciesConfigDump",
      "networkpolicies": [
       {
        "endpoint_ips": ["10.244.1.10"],
        "endpoint_id": "3559",
        "ingress_per_port_policies": [{"port": 80, "rules": [{"http_rules": {"http_rules": [{"headers": [{"name": ":path","string_match": {"safe_regex": {"regex": "/"}}}]}]}}]}],
        "egress_per_port_policies": [{"port": 53}, {"port": 80, "rules": [
            {"remote_policies": ["24471"], "http_rules": {"http_rules": [{"headers": [{"name": ":path","string_match": {"safe_regex": {"regex": "/"}}}]}]}},
            {"remote_policies": ["61667"], "http_rules": {"http_rules": [{"headers": [{"name": ":path","string_match": {"safe_regex": {"regex": "/"}}}]}]}}
          ]}],
        "conntrack_map_name": "global"
       },
       {
        "endpoint_ips": ["10.244.1.132"],
        "endpoint_id": "3962",
        "ingress_per_port_policies": [{}],
        "egress_per_port_policies": [{}],
        "conntrack_map_name": "global"
       },
       ...
      ]
     },
     ...
    ]
}
```

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
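
An added example, not part of the pull request or of the Cilium code base: one way to pull the `cilium.NetworkPoliciesConfigDump` section out of a config dump and flatten it to one row per endpoint, direction and port entry, so the policy the Envoy filters actually hold can be compared against what was intended. The function names are hypothetical, and the input is a constructed copy of the example output above with its `...` elisions dropped.

```python
NP_TYPE = "type.googleapis.com/cilium.NetworkPoliciesConfigDump"

# Constructed sample: the example output above with its "..." elisions dropped.
PATH_RULE = {"http_rules": [{"headers": [
    {"name": ":path", "string_match": {"safe_regex": {"regex": "/"}}}]}]}
SAMPLE_DUMP = {"configs": [
    {"@type": "type.googleapis.com/envoy.admin.v3.ListenersConfigDump", "version_info": "3"},
    {"@type": NP_TYPE, "networkpolicies": [
        {"endpoint_ips": ["10.244.1.10"], "endpoint_id": "3559",
         "ingress_per_port_policies": [{"port": 80, "rules": [{"http_rules": PATH_RULE}]}],
         "egress_per_port_policies": [{"port": 53}, {"port": 80, "rules": [
             {"remote_policies": ["24471"], "http_rules": PATH_RULE},
             {"remote_policies": ["61667"], "http_rules": PATH_RULE}]}],
         "conntrack_map_name": "global"},
        {"endpoint_ips": ["10.244.1.132"], "endpoint_id": "3962",
         "ingress_per_port_policies": [{}], "egress_per_port_policies": [{}],
         "conntrack_map_name": "global"}]}]}

def network_policies(dump):
    """Yield each policy from the Cilium section(s) of a config dump."""
    for cfg in dump.get("configs", []):
        if cfg.get("@type") == NP_TYPE:
            yield from cfg.get("networkpolicies", [])

def summarize(dump):
    """Flatten the dump to one row per (endpoint, direction, port entry)."""
    rows = []
    for pol in network_policies(dump):
        for direction in ("ingress", "egress"):
            for entry in pol.get(f"{direction}_per_port_policies", []):
                rules = entry.get("rules", [])
                peers = {p for r in rules for p in r.get("remote_policies", [])}
                rows.append({
                    "endpoint_id": pol.get("endpoint_id"),
                    "direction": direction,
                    "port": entry.get("port"),  # None when the dump omits it
                    "rule_count": len(rules),
                    "remote_policies": sorted(peers),
                    "http_rules": any("http_rules" in r for r in rules),
                })
    return rows

def entries_without_rules(rows):
    """Port entries the dump shows with no rules; listed for manual review."""
    return [(r["endpoint_id"], r["direction"], r["port"])
            for r in rows if r["rule_count"] == 0]

if __name__ == "__main__":
    print(*summarize(SAMPLE_DUMP), entries_without_rules(summarize(SAMPLE_DUMP)), sep="\n")
```

For a real dump, load the saved `/admin/config_dump` output with `json.load` and pass the resulting dict to `summarize`.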
@mhofstetter mhofstetter marked this pull request as ready for review April 20, 2023 07:04
Member Author

mhofstetter commented Apr 20, 2023

/test-cilium-integration ciliumCli=d3fe1c3d38bc83c1c3dc350f09d95fa2811fdd2a

-> Cilium Integration Tests are failing due to cilium/cilium-cli#1520 (edit: fixed ✔️ )

-> But it looks like the issue_comment triggered action gets skipped 🤔

Member

@jrajahalme jrajahalme left a comment

This is awesome! Wanted this for the longest time, but never got to dig out how to do this, thank you :-)

@jrajahalme jrajahalme merged commit 797bea8 into cilium:main Apr 20, 2023
3 checks passed
@sayboras sayboras added the needs-backport/1.23 Needs backport for v1.23 branch label Apr 21, 2023
@mhofstetter mhofstetter deleted the pr/mhofstetter/confgdump-cilium-resources branch April 21, 2023 05:54
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Apr 25, 2023
This commit updates the Cilium Proxy docker image to the latest version
with underlying Envoy 1.25 (`797bea843de17da8f8a096747c4691405b540aa8`).

It comes with the following changes / new features:

* Support Ingress ID also for east/west Ingress cilium/proxy#167
* admin: include cilium networkpolicies in envoy config dump
  cilium/proxy#184
* patches: Update for upstreamed versions cilium/proxy#183

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
mhofstetter added a commit to mhofstetter/cilium that referenced this pull request Apr 25, 2023
This commit updates the latest Cilium Proxy API matching.

It includes the following changes / new features:

* Support Ingress ID also for east/west Ingress cilium/proxy#167
* admin: include cilium networkpolicies in envoy config dump cilium/proxy#184
* patches: Update for upstreamed versions cilium/proxy#183

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
sayboras pushed a commit to cilium/cilium that referenced this pull request Apr 26, 2023
This commit updates the Cilium Proxy docker image to the latest version
with underlying Envoy 1.25 (`797bea843de17da8f8a096747c4691405b540aa8`).

It comes with the following changes / new features:

* Support Ingress ID also for east/west Ingress cilium/proxy#167
* admin: include cilium networkpolicies in envoy config dump
  cilium/proxy#184
* patches: Update for upstreamed versions cilium/proxy#183

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
sayboras pushed a commit to cilium/cilium that referenced this pull request Apr 26, 2023
This commit updates the latest Cilium Proxy API matching.

It includes the following changes / new features:

* Support Ingress ID also for east/west Ingress cilium/proxy#167
* admin: include cilium networkpolicies in envoy config dump cilium/proxy#184
* patches: Update for upstreamed versions cilium/proxy#183

Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>