
L7 policies discovery: problem with enabling L7 visibility

Open · nyrahul opened this issue 4 years ago • 1 comment

To discover L7 policies one needs to enable L7 visibility.

L7 visibility can be enabled by setting annotations that are used by the Cilium engine. The annotations are in the following form:

kubectl annotate pod foo -n bar io.cilium.proxy-visibility="<Egress/53/UDP/DNS>,<Ingress/80/TCP/HTTP>,<Egress/40040/TCP/KAFKA>"

To enable visibility, the following information is needed:

  • direction of flow
  • port number
  • transport protocol
  • application protocol

Thus we require a script that can enumerate the pods and apply the annotations. However, identifying the direction and the port of the connections is difficult for HTTP/KAFKA. For DNS we can assume Egress/53/UDP/DNS safely.

nyrahul avatar Aug 10 '21 17:08 nyrahul
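The script asked for above, as an added example that is not part of the discovery-engine project: it builds the `io.cilium.proxy-visibility` value from a list of `Direction/Port/Transport/L7` flow specs, rejects anything outside the four fields the annotation needs, and applies the result to every pod in a namespace. The annotation key and value syntax are the ones quoted in the issue; the flow list, the namespace name and the `DRY_RUN` variable are assumptions made here.

```shell
#!/bin/sh
# Added example (not discovery-engine project code): build and apply a Cilium
# io.cilium.proxy-visibility annotation. Annotation key/value syntax is taken
# from the issue text; flow list, namespace and DRY_RUN are assumptions.

# Validate one flow spec "Direction/Port/Transport/L7" and print it wrapped in
# the <...> form the annotation expects. Fails on malformed input so a typo is
# caught before anything is applied to a live pod.
format_flow() {
  flow="$1"
  dir=$(printf '%s' "$flow" | cut -d/ -f1)
  port=$(printf '%s' "$flow" | cut -d/ -f2)
  l4=$(printf '%s' "$flow" | cut -d/ -f3)
  l7=$(printf '%s' "$flow" | cut -d/ -f4)
  case "$dir" in Ingress|Egress) ;; *) echo "bad direction: $flow" >&2; return 1 ;; esac
  case "$port" in ''|*[!0-9]*) echo "bad port: $flow" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $flow" >&2; return 1; }
  case "$l4" in TCP|UDP) ;; *) echo "bad transport: $flow" >&2; return 1 ;; esac
  case "$l7" in HTTP|DNS|KAFKA) ;; *) echo "bad L7 protocol: $flow" >&2; return 1 ;; esac
  printf '<%s/%s/%s/%s>' "$dir" "$port" "$l4" "$l7"
}

# Join several flow specs into the comma-separated annotation value.
build_visibility_value() {
  out=""
  for f in "$@"; do
    part=$(format_flow "$f") || return 1
    out="${out:+$out,}$part"
  done
  printf '%s' "$out"
}

# Enumerate the pods of a namespace and annotate each one. Needs kubectl and
# cluster access; --overwrite replaces any earlier value. With DRY_RUN=1 the
# kubectl commands are only printed, which is the safe first run.
annotate_namespace() {
  ns="$1"; shift
  value=$(build_visibility_value "$@") || return 1
  for pod in $(kubectl get pods -n "$ns" -o jsonpath='{.items[*].metadata.name}'); do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      echo kubectl annotate pod "$pod" -n "$ns" --overwrite "io.cilium.proxy-visibility=$value"
    else
      kubectl annotate pod "$pod" -n "$ns" --overwrite "io.cilium.proxy-visibility=$value"
    fi
  done
}

# Runs only when given a namespace and at least one flow spec, e.g.:
#   DRY_RUN=1 ./annotate.sh bar Egress/53/UDP/DNS Ingress/80/TCP/HTTP
if [ "$#" -ge 2 ]; then
  annotate_namespace "$@"
fi
```

Because DNS is the one flow the issue says can be assumed safely, a first rollout would be `./annotate.sh <namespace> Egress/53/UDP/DNS`; HTTP and Kafka specs are added per service once the port and direction are known, since a wrong port simply produces no L7 data.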

Assumptions we can work with:

  • we only enable visibility for services

At what point do we enable visibility? The user needs to specify what app it is. We might need a configuration page for auto-policy discovery. Also have a configuration for the default security posture.

Action-Item: Wireframe for auto-policy discovery configuration considering above points and other configuration options.

nyrahul avatar Aug 12 '21 10:08 nyrahul