
feat/policy-names: Add network policy names when they are known.

Open kgtw opened this issue 2 years ago • 9 comments

Introduces new Egress allowed by policies and Ingress allowed by policies info blocks within the respective flows detailed sidebar information.

Policy names are only shown when they have successfully been correlated to a flow by cilium-agent. In a handful of known scenarios where cilium is allowing traffic internally (like allowing localhost access) we try to map the policy to a human friendly name with the value taken from the reserved:io.cilium.policy.derived-from label.

Fixes: https://github.com/cilium/hubble/issues/1100

Example screenshot demonstrating a custom ingress policy, as well as showing the cilium internal policy which is prefixed with <cilium-internal>/.

[Screenshot 2023-11-27 at 00 31 13]

kgtw avatar Nov 26 '23 13:11 kgtw
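The naming rules the description gives (namespace/name for a correlated policy, the <cilium-internal>/ prefix with the reserved:io.cilium.policy.derived-from value for cilium's internal rules), as an added Go example that is not hubble-ui's own code: policyRef is an assumed, simplified stand-in for the policy entries cilium-agent attaches to a flow, and the derived-from value in the sample is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// policyRef is a simplified stand-in (assumption) for the policy entries that
// cilium-agent attaches to a flow once it has correlated the flow to a policy.
type policyRef struct {
	Name      string
	Namespace string
	Labels    []string // e.g. "reserved:io.cilium.policy.derived-from=<value>"
}

// derivedFromLabel is the label cilium sets on internally generated rules
// (such as the localhost allow), as named in the PR description.
const derivedFromLabel = "reserved:io.cilium.policy.derived-from="

// internalPrefix is the display prefix used for cilium-internal policies.
const internalPrefix = "<cilium-internal>/"

// displayName returns the human-friendly name for one correlated policy:
// a named policy is shown as namespace/name (a cluster-wide policy has no
// namespace, so only its name); an internal rule is shown under the
// <cilium-internal>/ prefix with the derived-from value; anything else
// cannot be named and is reported as such so the UI can skip it.
func displayName(p policyRef) (string, bool) {
	if p.Name != "" {
		if p.Namespace != "" {
			return p.Namespace + "/" + p.Name, true
		}
		return p.Name, true
	}
	for _, l := range p.Labels {
		if strings.HasPrefix(l, derivedFromLabel) && len(l) > len(derivedFromLabel) {
			return internalPrefix + strings.TrimPrefix(l, derivedFromLabel), true
		}
	}
	return "", false
}

// policyNames maps a flow's correlated policies to the names shown in an
// "allowed by policies" info block, dropping entries that cannot be named.
func policyNames(ps []policyRef) []string {
	out := make([]string, 0, len(ps))
	for _, p := range ps {
		if n, ok := displayName(p); ok {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	// Constructed sample: two of the PR's test policies, one internal rule
	// (derived-from value is made up), and one entry with no usable name.
	ingress := []policyRef{
		{Name: "custom-ingress", Namespace: "default"},
		{Name: "cluster-wide-custom-policy"},
		{Labels: []string{derivedFromLabel + "allow-localhost-ingress"}},
		{Labels: []string{"k8s:foo=bar"}},
	}
	fmt.Println(strings.Join(policyNames(ingress), ", "))
}
```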

@kgtw Thank you for your contribution! Will you please provide the custom policies used to test this feature?

kimstacy avatar Dec 09 '23 00:12 kimstacy

Hey @kimstacy, these were the policies that were used to test this change with.

```yaml
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: custom-ingress
  namespace: default
spec:
  endpointSelector: {}
  ingress:
    - fromEntities:
      - world
      - cluster

---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: custom-egress
  namespace: default
spec:
  endpointSelector: {}
  egress:
    - toEntities:
      - world
      - cluster

---
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: cluster-wide-custom-policy
spec:
  endpointSelector: {}
  egress:
    - toEntities:
      - all
  ingress:
    - fromEntities:
      - all
```

kgtw avatar Dec 10 '23 10:12 kgtw

Thank you! LGTM.

kimstacy avatar Dec 13 '23 08:12 kimstacy

Hi @kgtw 👋

There seem to be a couple of minor CI issues. The first relates to CodeQL:

```
2023/12/13 08:09:18 Error running go tooling: err: exit status 1: stderr: go: errors parsing go.mod:
/home/runner/work/hubble-ui/hubble-ui/backend/go.mod:3: invalid go version '1.21.0': must match format 1.23
/home/runner/work/hubble-ui/hubble-ui/backend/go.mod:5: unknown directive: toolchain

2023/12/13 08:09:18 Extraction failed: exit status 1
Error: We were unable to automatically build your code. Please replace the call to the autobuild action with your custom build steps. Encountered a fatal error while running "/opt/hostedtoolcache/CodeQL/2.15.4/x64/codeql/go/tools/autobuild.sh". Exit code was 1 and last log line was: 2023/12/13 08:09:18 Extraction failed: exit status 1. See the logs for more details.
```

For the second, per test / backend check's output, would you please try running ./ctl.sh update-proto and resubmitting your changes?

kimstacy avatar Dec 15 '23 17:12 kimstacy

Hi @kimstacy, I'm hoping the latest commit should have resolved the issues with the CI.

I'm not entirely sure why it is happening, but when using ./ctl.sh update-proto with the current go.mod version of 1.21 it was adding the problematic toolchain go1.21.4 line.

kgtw avatar Dec 18 '23 09:12 kgtw

Hi @kgtw, thanks for your contribution! There was some strange issue with go version and dependencies indeed, so I updated them and pushed the commit. CI is happy now but there are some merge conflicts. Could you rebase and resolve them? I think we are good to go after that.

geakstr avatar Dec 20 '23 13:12 geakstr

Hi, this feature is very useful. I was looking for it.

Any update please, @kgtw?

Thanks!

mbounaceur avatar Mar 04 '24 10:03 mbounaceur

Apologies for the delay, I've just returned from a sabbatical from work and will be looking to update this PR in the coming days.

kgtw avatar Apr 05 '24 15:04 kgtw

@geakstr this should be ready for another review now. Sorry for the slow response times.

Something I did notice while re-testing the PR is that policy correlation is only happening on the first SYN packet for the connection. I haven't had time to investigate if this is a bug or expected within cilium-agent.

Update 15/04: The above makes sense as policy evaluation is a costly action. I'm wondering if we should make additional UX improvements to help identify the initial packet flow that was associated with the policy in a way which doesn't lead to more confusion.

kgtw avatar Apr 06 '24 21:04 kgtw