Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add metadata labels for cilium policy selectors to support visibility policy L7 allow-all #31359

Closed
christarazi opened this issue Mar 12, 2024 · 2 comments · Fixed by #32166
Closed

Add metadata labels for cilium policy selectors to support visibility policy L7 allow-all #31359

christarazi opened this issue Mar 12, 2024 · 2 comments · Fixed by #32166
Assignees
@ONE7live
Labels
area/cli Impacts the command line interface of any command in the repository. area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. good-first-issue Good starting point for new developers, which requires minimal understanding of Cilium. help-wanted Please volunteer for this by adding yourself as an assignee! priority/low This is considered nice to have. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Comments

@christarazi
Copy link
Member

During the investigation that led to #31358, I discovered that we are missing one source for metadata labels for the cilium policy selectors command in the case of visibility policies, see

cilium/pkg/policy/visibility.go

Line 136 in 687e4f8

emptyL3Selector := &identitySelector{source: &labelIdentitySelector{selector: api.WildcardEndpointSelector}, key: wildcardSelectorKey}
.

We would need to figure out what we should pass as the metadata here. We don't have labels because the visibility policy is not a K8s resource, however the visibility policy comes from an annotation on a pod. Potentially some way to signal that this selector is coming from an annotation, along with the namespace/name of the pod could suffice.

Mostly a cosmetic issue, but nice to fix.
@christarazi christarazi added help-wanted Please volunteer for this by adding yourself as an assignee! priority/low This is considered nice to have. good-first-issue Good starting point for new developers, which requires minimal understanding of Cilium. area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. area/cli Impacts the command line interface of any command in the repository. labels Mar 12, 2024
@ONE7live
Copy link

/assign

@ONE7live
Copy link

Hi, @christarazi I want to pick up this issue, can you please assign it to me?

@nebril nebril mentioned this issue Apr 24, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ONE7live ONE7live

Labels
area/cli Impacts the command line interface of any command in the repository. area/misc Impacts miscellaneous areas of the code not otherwise owned by another area. good-first-issue Good starting point for new developers, which requires minimal understanding of Cilium. help-wanted Please volunteer for this by adding yourself as an assignee! priority/low This is considered nice to have. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
Good First Issues
Status: Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add metadata to annotation-derived l7 policy nebril/cilium
2 participants
@christarazi @ONE7live