Implement inspect and summary commands #12

Merged: 2 commits from impl-commands into main, Oct 31, 2024

Conversation

@yokaze (Contributor) commented Oct 22, 2024

This PR:

  • modifies the list command to show Egress/Ingress instead of EGRESS/INGRESS.
    • This is consistent with the cilium command.
  • implements list --manifests command that shows all the CNP/CCNP in YAML format applied to the pod.
  • implements inspect command that shows active L3/L4 rules for a pod.
  • implements summary command that shows the rule count of all the pods in a namespace, grouped into ingress-allow, ingress-deny, egress-allow, and egress-deny.
    • This helps us find possible misconfigurations.
  • CI:
    • moves test pods into test namespace.
    • changes l3-baseline rule from CNP to CCNP to test CCNP.
    • adds CIDR rules.

Example:

$ npv list --manifests -n test self-5b9b6f4f84-fzwnj | yq 'del(.spec)'
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  annotations: {}
  name: l3-baseline
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  annotations: {}
  name: l3-egress
  namespace: test
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  annotations: {}
  name: l4-egress
  namespace: test
$ npv inspect -n test self-5b9b6f4f84-fzwnj
POLICY DIRECTION IDENTITY NAMESPACE EXAMPLE                                        PROTOCOL PORT BYTES PACKETS
Deny   Egress    1101     test      l3-egress-explicit-deny-all-6f9f4df95-bbsdv    ANY      ANY  0     0
Deny   Egress    29722    test      l4-egress-explicit-deny-tcp-7fb99cc88-x58mr    TCP      8080 0     0
Deny   Egress    32645    test      l4-egress-explicit-deny-any-6b94cf9f77-rhh6l   SCTP     53   0     0
Deny   Egress    32645    test      l4-egress-explicit-deny-any-6b94cf9f77-rhh6l   TCP      53   0     0
Deny   Egress    32645    test      l4-egress-explicit-deny-any-6b94cf9f77-rhh6l   UDP      53   0     0
Deny   Egress    16777218 -         cidr:8.8.4.4/32                                TCP      53   0     0
Deny   Egress    16777218 -         cidr:8.8.4.4/32                                UDP      53   0     0
Deny   Egress    16777218 -         cidr:8.8.4.4/32                                SCTP     53   0     0
Allow  Ingress   1        -         reserved:host                                  ANY      ANY  0     0
Allow  Egress    1342     test      l3-ingress-explicit-allow-all-7b76f9fb7d-xlpjb ANY      ANY  0     0
Allow  Egress    2703     test      l4-ingress-explicit-deny-any-688bbf4987-7xfdr  SCTP     53   0     0
Allow  Egress    2703     test      l4-ingress-explicit-deny-any-688bbf4987-7xfdr  TCP      53   0     0
Allow  Egress    2703     test      l4-ingress-explicit-deny-any-688bbf4987-7xfdr  UDP      53   0     0
Allow  Egress    4950     test      l4-ingress-explicit-deny-udp-5cb894f994-jbqhx  UDP      161  0     0
Allow  Egress    9904     test      l3-ingress-explicit-deny-all-575f9f7795-2qssr  ANY      ANY  0     0
Allow  Egress    17501    test      l4-ingress-explicit-allow-tcp-5b7f6f75d9-wmps7 TCP      8080 0     0
Allow  Egress    52785    test      l3-ingress-implicit-deny-all-6ff569996b-ldhst  ANY      ANY  0     0
Allow  Egress    58313    test      l4-ingress-explicit-allow-any-9b5df64d8-zdr6w  TCP      53   0     0
Allow  Egress    58313    test      l4-ingress-explicit-allow-any-9b5df64d8-zdr6w  UDP      53   0     0
Allow  Egress    58313    test      l4-ingress-explicit-allow-any-9b5df64d8-zdr6w  SCTP     53   0     0
Allow  Egress    16777217 -         cidr:8.8.8.8/32                                TCP      53   0     0
Allow  Egress    16777217 -         cidr:8.8.8.8/32                                UDP      53   0     0
Allow  Egress    16777217 -         cidr:8.8.8.8/32                                SCTP     53   0     0
$ npv summary -n test
NAMESPACE NAME                                           INGRESS-ALLOW INGRESS-DENY EGRESS-ALLOW EGRESS-DENY
test      l3-egress-explicit-deny-all-6f9f4df95-bbsdv    1             0            0            0
test      l3-egress-implicit-deny-all-76f99c9df8-4qvvg   1             0            0            0
test      l3-ingress-explicit-allow-all-7b76f9fb7d-xlpjb 2             0            0            0
test      l3-ingress-explicit-deny-all-575f9f7795-2qssr  1             1            0            0
test      l3-ingress-implicit-deny-all-6ff569996b-ldhst  1             0            0            0
test      l4-egress-explicit-deny-any-6b94cf9f77-rhh6l   1             0            0            0
test      l4-egress-explicit-deny-tcp-7fb99cc88-x58mr    1             0            0            0
test      l4-ingress-explicit-allow-any-9b5df64d8-zdr6w  4             0            0            0
test      l4-ingress-explicit-allow-tcp-5b7f6f75d9-wmps7 2             0            0            0
test      l4-ingress-explicit-deny-any-688bbf4987-7xfdr  1             3            0            0
test      l4-ingress-explicit-deny-udp-5cb894f994-jbqhx  1             1            0            0
test      self-5b9b6f4f84-fzwnj                          1             0            14           8
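The summary row for a pod is just the number of inspect rows in each POLICY/DIRECTION bucket (the self pod above has 8 Deny/Egress, 1 Allow/Ingress and 14 Allow/Egress rows, matching its 1/0/14/8 summary line). The Go block below is an added example, not code from the npv project: it counts a constructed excerpt of the inspect table into those four buckets, and the `Counts` type and `SummarizeInspect` name are assumptions.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Counts holds one pod's rule counts in the four buckets `npv summary` prints.
type Counts struct {
	IngressAllow, IngressDeny, EgressAllow, EgressDeny int
}

// inspectExcerpt is a constructed excerpt of the `npv inspect` table above;
// only the POLICY and DIRECTION columns feed the summary.
const inspectExcerpt = `POLICY DIRECTION IDENTITY NAMESPACE EXAMPLE PROTOCOL PORT BYTES PACKETS
Deny   Egress    1101     test      l3-egress-explicit-deny-all-6f9f4df95-bbsdv    ANY ANY  0 0
Deny   Egress    16777218 -         cidr:8.8.4.4/32                                TCP 53   0 0
Allow  Ingress   1        -         reserved:host                                  ANY ANY  0 0
Allow  Egress    1342     test      l3-ingress-explicit-allow-all-7b76f9fb7d-xlpjb ANY ANY  0 0
Allow  Egress    17501    test      l4-ingress-explicit-allow-tcp-5b7f6f75d9-wmps7 TCP 8080 0 0
Allow  Egress    16777217 -         cidr:8.8.8.8/32                                UDP 53   0 0
`

// SummarizeInspect counts the rows of an `npv inspect` table per
// (POLICY, DIRECTION) bucket. A row it cannot classify is an error rather
// than a silently dropped rule, so the totals stay trustworthy.
func SummarizeInspect(table string) (Counts, error) {
	var c Counts
	buckets := map[string]*int{
		"Allow/Ingress": &c.IngressAllow, "Deny/Ingress": &c.IngressDeny,
		"Allow/Egress": &c.EgressAllow, "Deny/Egress": &c.EgressDeny,
	}
	sc := bufio.NewScanner(strings.NewReader(table))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) == 0 || f[0] == "POLICY" {
			continue // blank line or the header row
		}
		if len(f) < 9 {
			return c, fmt.Errorf("malformed row: %q", sc.Text())
		}
		n, ok := buckets[f[0]+"/"+f[1]]
		if !ok {
			return c, fmt.Errorf("unknown POLICY/DIRECTION: %q", sc.Text())
		}
		*n++
	}
	return c, sc.Err()
}
```

Feeding the full inspect table for the self pod through the same function yields the 1/0/14/8 row shown by `npv summary`.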

@yokaze force-pushed the impl-commands branch 6 times, most recently from 927398a to 33bab2d on October 24, 2024 10:26
@yokaze changed the title from "wip: Impl commands" to "Implement inspect and summary commands" on Oct 24, 2024
@yokaze force-pushed the impl-commands branch 4 times, most recently from cf66f87 to f5e3c1b on October 25, 2024 01:33
@chez-shanpu (Contributor) left a comment

I left a few comments.

And also, the e2e is failing on my laptop and it seems cilium-agent-proxy needs CAP_BPF.

Review threads (resolved): cmd/npv/app/inspect.go (outdated), cmd/npv/app/inspect.go, cmd/npv/app/list.go
Signed-off-by: Daichi Sakaue <[email protected]>
@yokaze requested a review from chez-shanpu on October 31, 2024 06:16
@chez-shanpu (Contributor) left a comment

LGTM

@yokaze merged commit 01a8105 into main on Oct 31, 2024
1 check passed
@yokaze deleted the impl-commands branch on November 20, 2024 04:05
@yokaze self-assigned this on Dec 4, 2024