feat/policy-names: Add network policy names when they are known. #727
Conversation
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
|
@kgtw Thank you for your contribution! Will you please provide the custom policies used to test this feature? |
|
Hey @kimstacy, these were the policies that were used to test this change with. |
|
Thank you! LGTM. |
|
Hi @kgtw 👋 There seems to be a minor CI issue. The first relates to CodeQL: For the second, per test / backend check's output, would you please try running |
kgtw
force-pushed
the
feat/policy-names
branch
from
fd2c4ce
to
8e4f5bb
Compare
…e known and correlated to flows. Fixes: cilium/hubble#1100 Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
kgtw
force-pushed
the
feat/policy-names
branch
from
8e4f5bb
to
bd38b66
Compare
|
Hi @kimstacy, I'm hoping the latest commit should have resolved the issues with the CI. I'm not entirely sure why it is happening, but when using |
geakstr
force-pushed
the
feat/policy-names
branch
from
a7ed8ff
to
01ea202
Compare
Signed-off-by: Dmitry Kharitonov <dmitry@isovalent.com>
geakstr
force-pushed
the
feat/policy-names
branch
from
01ea202
to
dd617e1
Compare
|
Hi @kgtw, thanks for your contribution! There was some strange issue with go version and dependencies indeed, so I updated them and pushed the commit. CI is happy now but there are some merge conflicts. Could you rebase and resolve them? I think we are good to go after that. |
|
Hi, this feature is very useful. I was looking for it Any update please @kgtw ? Thanks ! |
|
Apologies for the delay, I've just returned from a sabbatical from work and will be looking to update this PR in the coming days. |
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
Signed-off-by: Kris Gambirazzi <kris.gambirazzi@transferwise.com>
|
@geakstr this should be ready for another review now. Sorry for the slow response times. Something I did notice while re-testing PR is that policy correlation is only happening on the first SYN packet for the connection. I haven't had time to investigate if this is a bug or expected within cilium-agent. Update 15/04: The above makes sense as policy evaluation is a costly action. I'm wondering if we should make additional UX improvements to help identify the initial packet flow that was associated with the policy in a way which doesn't lead to more confusion. |
There was a problem hiding this comment.
Thanks! This looks good. I've left suggestion to improve the code, e.g. div instead span, but I'll approuve this PR as this isn't substantial changes IMHO. Up to you if you want to adopt them.
Something I did notice while re-testing PR is that policy correlation is only happening on the first SYN packet for the connection
Yes, we do populate the policy field only on verdict events. @gandro implemented originally this feature, he can shed some lights about the reason behind it.
I don't think it would be sane that UI try fix this somehow, so maybe we can either open a feature on the Cilium repo, or document this somehow? WDYT @geakstr @kgtw ?
| @@ -242,3 +242,29 @@ export const PodEntry = memo<PodItemProps>(function FlowsTableSidebarPodEntry(pr | |||
| </span> | |||
| ); | |||
| }); | |||
|
|
|||
| export interface PolicyEntryProps { | |||
There was a problem hiding this comment.
| export interface PolicyEntryProps { | |
| export interface PoliciesListProps { |
| allowedBy: string[]; | ||
| } | ||
|
|
||
| export const PolicyEntry = memo<PolicyEntryProps>( |
There was a problem hiding this comment.
| export const PolicyEntry = memo<PolicyEntryProps>( | |
| export const PoliciesList = memo<PoliciesListProps>( |
| name: string; | ||
| } | ||
|
|
||
| export const PolicyEntryItem = memo<PolicyEntryItemProps>( |
There was a problem hiding this comment.
| export const PolicyEntryItem = memo<PolicyEntryItemProps>( | |
| export const PoliciesListItem = memo<PoliciesListItemProps>( |
| }, | ||
| ); | ||
|
|
||
| export interface PolicyEntryItemProps { |
There was a problem hiding this comment.
| export interface PolicyEntryItemProps { | |
| export interface PoliciesListItemProps { |
|
|
||
| export const PolicyEntryItem = memo<PolicyEntryItemProps>( | ||
| function FlowsTableSidebarPolicyEntry(props) { | ||
| return <span className={css.policy}>{props.name}</span>; |
There was a problem hiding this comment.
| return <span className={css.policy}>{props.name}</span>; | |
| return <div>{props.name}</div>; |
| .policies { | ||
| .policy { | ||
| display: block; | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
| .policies { | |
| .policy { | |
| display: block; | |
| } | |
| } |
Let's use a div, so no need of this.
| export const PolicyEntry = memo<PolicyEntryProps>( | ||
| function FlowsTableSidebarLabelsEntry(props) { | ||
| return ( | ||
| <div className={css.policies}> |
There was a problem hiding this comment.
| <div className={css.policies}> | |
| <div> |
Introduces new
Egress allowed by policiesandIngress allowed by policiesinfo blocks within the the respective flows detailed sidebar information.Policy names are only shown when they have successfully been correlated to a flow by cilium-agent. In a handful of known scenarios where cilium is allowing traffic internally (like allowing localhost access) we try to map the policy to a human friendly name with the value taken from the
reserved:io.cilium.policy.derived-fromlabel.Fixes: cilium/hubble#1100
Example screenshot demonstrating a custom ingress policy, as well as showing the cilium internal policy which is prefixed with
<cilium-internal>/.