Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Feature: Add network policy names in hubble #1100

Open
Tim-herbie opened this issue Jun 21, 2023 · 7 comments · May be fixed by cilium/hubble-ui#727
Open

Feature: Add network policy names in hubble #1100

Tim-herbie opened this issue Jun 21, 2023 · 7 comments · May be fixed by cilium/hubble-ui#727
Labels
area/cilium Requires upstream work in Cilium ⌨️ area/cli Impacts the command line interface of any command in the repository. 🌟 kind/feature This introduces new functionality.

Comments

@Tim-herbie
Copy link

Cilium Feature Proposal

Is your feature request related to a problem?

No, but it would simplify troubleshooting network connections within Kubernetes.

Describe the feature you'd like

When I started using Cilium, I have noticed that the name of the CiliumNetworkPolicy as well as the name of the CiliumClusterwideNetworkPolicy will not be shown in the cilium hubble ui as well as in hubble observe. For me, the observability would be increased when I could comprehend why the traffic was accepted or denied.

(Optional) Describe your proposed solution

Add the network policy name to the hubble ui and hubble observe as value.
@Tim-herbie Tim-herbie mentioned this issue Jun 21, 2023
Closed
@kaworu kaworu added ⌨️ area/cli Impacts the command line interface of any command in the repository. 🌟 kind/feature This introduces new functionality. area/cilium Requires upstream work in Cilium labels Jun 21, 2023
@gandro
Copy link
Member

gandro commented Jul 6, 2023

Thanks for the request. This requires cilium/cilium#26438 to be implemented on the server-side first

@Tim-herbie
Copy link
Author

@gandro Thanks for your answer, is there a timeline when this will happen?

@chancez chancez mentioned this issue Aug 31, 2023
Merged
@kgtw
Copy link

kgtw commented Nov 26, 2023

@gandro I'd be willing to open a PR for this if nobody else is actively working on it.

kgtw added a commit to kgtw/hubble-ui that referenced this issue Nov 26, 2023
@kgtw
feat/policy-names: Add network policy names in hubble UI when they ar…
fd2c4ce 
…e known and correlated to flows.

Fixes: cilium/hubble#1100
Signed-off-by: Kris Gambirazzi <[email protected]>
@kgtw kgtw linked a pull request Nov 26, 2023 that will close this issue
Open
@gandro
Copy link
Member

gandro commented Nov 27, 2023
edited
Loading

Hi, so in the mean time, we've merged cilium/cilium#27854 - which implements this server-side. You should see the policy name for policy verdict events if you do JSON output, i.e. something like hubble observe -o json -t policy-verdict against Cilium v1.15-pre.

I'm not sure if/how we could add the policy name to the textual output without making the output too noisy. Suggestions welcome.

@kgtw
Copy link

kgtw commented Dec 10, 2023

I can confirm that the above command does provide the matching policy names for flows. As for the textual output, I agree that adding the policies would be too noisy.

Perhaps initially we could provide "hints" as to the total number of matching policies, leaving the actual textual representation of the policies to be retrieved via the aforementioned json output.

Example output, introducing matching:%d

$ hubble observe -n default -t policy-verdict
Dec 10 10:39:14.344: 10.244.1.59:50648 (host) -> default/frontend-f644d466f-2w4mv:8080 (ID:448) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN) matching:1

Would such output be useful for network operators and those investigating flows at a glance? Perhaps @Tim-herbie you might have some opinion if the json output satisfies your original feature request, then we could simply mark this issue as closed/resolved.

@gandro
Copy link
Member

gandro commented Dec 11, 2023

Thanks for confirming! Yeah I think adding at least the policy count could be a nice addition

@Tim-herbie
Copy link
Author

Thank you so far.
@kgtw Informations about how often the policy was used is a nice information.

I understand that the log output is too noisy when the policy name will be displayed. Is it maybe possible to output this by adding a parameter?

And is it now possible to see the policy name also in the UI?

kgtw added a commit to kgtw/hubble-ui that referenced this issue Dec 18, 2023
@kgtw
feat/policy-names: Add network policy names in hubble UI when they ar…
8e4f5bb 
…e known and correlated to flows.

Fixes: cilium/hubble#1100
Signed-off-by: Kris Gambirazzi <[email protected]>
kgtw added a commit to kgtw/hubble-ui that referenced this issue Dec 18, 2023
@kgtw
feat/policy-names: Add network policy names in hubble UI when they ar…
bd38b66 
…e known and correlated to flows.

Fixes: cilium/hubble#1100
Signed-off-by: Kris Gambirazzi <[email protected]>
@danieljkemp danieljkemp mentioned this issue Feb 5, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/cilium Requires upstream work in Cilium ⌨️ area/cli Impacts the command line interface of any command in the repository. 🌟 kind/feature This introduces new functionality.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat/policy-names: Add network policy names when they are known. kgtw/hubble-ui
4 participants
@gandro @kaworu @kgtw @Tim-herbie