feat: Add collection key to differentiate namespaced policies #2337
Conversation
There was a problem hiding this comment.
Thank you for tackling this @joshuajorel! I see it's still WIP, but I left a few comments.
lambdanis
added
the
release-note/bug
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
|
@kkourt @lambdanis - what is the usecase for enabling and disabling a |
Hi, The sensor interface (and infrastructure) is indeed deprecated. There is an issue to remove it #1272, but we first need to provide means to disable a tracing policy as we do with sensors. |
joshuajorel
force-pushed
the
pr/joshuajorel/add-k8s-namespace-segregation-for-policies
branch
from
acd9375
to
340e184
Compare
joshuajorel
changed the title
|
Hey @joshuajorel thank you for the updates. Could you rewrite the commits so that changes are clearly grouped and documented? I think one commit introducing |
joshuajorel
force-pushed
the
pr/joshuajorel/add-k8s-namespace-segregation-for-policies
branch
from
340e184
to
7d9918e
Compare
There was a problem hiding this comment.
Looks good to me, thank you @joshuajorel. Let's wait for @kkourt to confirm nothing is missing.
pkg/sensors/handler.go
Outdated
| if col, exists := h.collections[op.name]; exists && col.state != LoadErrorState { | ||
| return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.name) | ||
| if col, exists := h.collections[op.ck]; exists && col.state != LoadErrorState { | ||
| return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.ck) |
There was a problem hiding this comment.
| return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.ck) | |
| return fmt.Errorf("failed to add tracing policy %s, a sensor collection with this key already exists", op.ck) |
or something similar (non-blocking)
There was a problem hiding this comment.
Change wording to reference key instead of name
Thank you for taking the time to review @lambdanis ! Will wait for @kkourt 's review |
There was a problem hiding this comment.
Thanks, changes LGTM. I left one comment about removing the unneeded name field.
One of the things we also need to do is update the CLI: https://github.com/cilium/tetragon/blob/main/cmd/tetra/tracingpolicy/tracingpolicy.go. Could you also do that?
Sure. Let me do the changes and get back to you. Thank you very much! |
Thanks! I would suggest doing the CLI updates in a different patch to ease reviewing. |
TracingPolicy and TracingPolicyNamespaced encounter conflicts whenever a policy is applied with the same name. A policy with the same name, even if it is in a different namespace does not get applied. This commit adds a collectionKey to differentiate policies with the same, but in different namespaces. Fixes: cilium#2299 Signed-off-by: Joshua Jorel Lee <joshua.jorel.lee@gmail.com>
joshuajorel
force-pushed
the
pr/joshuajorel/add-k8s-namespace-segregation-for-policies
branch
from
7d9918e
to
d5641fd
Compare
By adding a collectionKey to differentiate namespaces, the CLI needs to be updated to support this update. This change adds a namespace flag to the CLI for the delete, enable, and disable commands. If the namespace flag is unset, it will reference the global TracingPolicy. Fixes: cilium#2299 Signed-off-by: Joshua Jorel Lee <joshua.jorel.lee@gmail.com>
joshuajorel
force-pushed
the
pr/joshuajorel/add-k8s-namespace-segregation-for-policies
branch
from
0c7d2b1
to
6ec273f
Compare
|
Everything's ✅ , so merging this. Many thanks @joshuajorel this is an awesome contribution. |
Currently,
TracingPolicyandTracingPolicyNamespacedencounter conflicts whenever a policy is applied with the same name. A policy with the same name, even if it is in a different namespace does not get applied. This behavior should be allowed given the k8s context e.g. a policy in one namespace is a different policy from one in a different namespace even with the same name.Fixes: #2299