-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat/policy-names: Add network policy names when they are known. #727
base: master
Are you sure you want to change the base?
Conversation
Signed-off-by: Kris Gambirazzi <[email protected]>
Signed-off-by: Kris Gambirazzi <[email protected]>
@kgtw Thank you for your contribution! Will you please provide the custom policies used to test this feature? |
Hey @kimstacy, these were the policies that were used to test this change with.
|
Thank you! LGTM. |
Hi @kgtw 👋 There seems to be a minor CI issue. The first relates to CodeQL:
For the second, per test / backend check's output, would you please try running |
fd2c4ce
to
8e4f5bb
Compare
…e known and correlated to flows. Fixes: cilium/hubble#1100 Signed-off-by: Kris Gambirazzi <[email protected]>
8e4f5bb
to
bd38b66
Compare
Hi @kimstacy, I'm hoping the latest commit should have resolved the issues with the CI. I'm not entirely sure why it is happening, but when using |
a7ed8ff
to
01ea202
Compare
Signed-off-by: Dmitry Kharitonov <[email protected]>
01ea202
to
dd617e1
Compare
Hi @kgtw, thanks for your contribution! There was some strange issue with go version and dependencies indeed, so I updated them and pushed the commit. CI is happy now but there are some merge conflicts. Could you rebase and resolve them? I think we are good to go after that. |
Hi, this feature is very useful. I was looking for it Any update please @kgtw ? Thanks ! |
Apologies for the delay, I've just returned from a sabbatical from work and will be looking to update this PR in the coming days. |
Signed-off-by: Kris Gambirazzi <[email protected]>
Signed-off-by: Kris Gambirazzi <[email protected]>
@geakstr this should be ready for another review now. Sorry for the slow response times. Something I did notice while re-testing PR is that policy correlation is only happening on the first SYN packet for the connection. I haven't had time to investigate if this is a bug or expected within cilium-agent. Update 15/04: The above makes sense as policy evaluation is a costly action. I'm wondering if we should make additional UX improvements to help identify the initial packet flow that was associated with the policy in a way which doesn't lead to more confusion. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! This looks good. I've left suggestion to improve the code, e.g. div
instead span
, but I'll approuve this PR as this isn't substantial changes IMHO. Up to you if you want to adopt them.
Something I did notice while re-testing PR is that policy correlation is only happening on the first SYN packet for the connection
Yes, we do populate the policy field only on verdict events. @gandro implemented originally this feature, he can shed some lights about the reason behind it.
I don't think it would be sane that UI try fix this somehow, so maybe we can either open a feature on the Cilium repo, or document this somehow? WDYT @geakstr @kgtw ?
@@ -242,3 +242,29 @@ export const PodEntry = memo<PodItemProps>(function FlowsTableSidebarPodEntry(pr | |||
</span> | |||
); | |||
}); | |||
|
|||
export interface PolicyEntryProps { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export interface PolicyEntryProps { | |
export interface PoliciesListProps { |
allowedBy: string[]; | ||
} | ||
|
||
export const PolicyEntry = memo<PolicyEntryProps>( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export const PolicyEntry = memo<PolicyEntryProps>( | |
export const PoliciesList = memo<PoliciesListProps>( |
name: string; | ||
} | ||
|
||
export const PolicyEntryItem = memo<PolicyEntryItemProps>( |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export const PolicyEntryItem = memo<PolicyEntryItemProps>( | |
export const PoliciesListItem = memo<PoliciesListItemProps>( |
}, | ||
); | ||
|
||
export interface PolicyEntryItemProps { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
export interface PolicyEntryItemProps { | |
export interface PoliciesListItemProps { |
|
||
export const PolicyEntryItem = memo<PolicyEntryItemProps>( | ||
function FlowsTableSidebarPolicyEntry(props) { | ||
return <span className={css.policy}>{props.name}</span>; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return <span className={css.policy}>{props.name}</span>; | |
return <div>{props.name}</div>; |
.policies { | ||
.policy { | ||
display: block; | ||
} | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
.policies { | |
.policy { | |
display: block; | |
} | |
} |
Let's use a div, so no need of this.
export const PolicyEntry = memo<PolicyEntryProps>( | ||
function FlowsTableSidebarLabelsEntry(props) { | ||
return ( | ||
<div className={css.policies}> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
<div className={css.policies}> | |
<div> |
Introduces new
Egress allowed by policies
andIngress allowed by policies
info blocks within the the respective flows detailed sidebar information.Policy names are only shown when they have successfully been correlated to a flow by cilium-agent. In a handful of known scenarios where cilium is allowing traffic internally (like allowing localhost access) we try to map the policy to a human friendly name with the value taken from the
reserved:io.cilium.policy.derived-from
label.Fixes: cilium/hubble#1100
Example screenshot demonstrating a custom ingress policy, as well as showing the cilium internal policy which is prefixed with
<cilium-internal>/
.