Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add traffic drop sub reasons and do validation for those #1046

Closed
aanm opened this issue Aug 22, 2022 · 3 comments · Fixed by #1095
Closed

Add traffic drop sub reasons and do validation for those #1046

aanm opened this issue Aug 22, 2022 · 3 comments · Fixed by #1095
Assignees
@sayboras
Labels
ci/hyperjump kind/feature New feature or request

Comments

@aanm
Copy link
Member

aanm commented Aug 22, 2022

Right now, when doing flow validation, the result only checks if the traffic is dropped:

cilium-cli/connectivity/check/policy.go

Lines 197 to 198 in 1735870

// Request is dropped
Drop bool
. It is not checking why and where exactly the traffic was dropped.

However, traffic can be dropped for multiple reasons such as routing problems, iptables, etc. Thus, we should have sub reasons for why a traffic is dropped so that we can be sure that the end result of a test is actually the one that we should be expecting to see.

Some examples are:

  • Traffic dropped by a deny policy
  • Traffic dropped at ingress of a pod
  • Traffic dropped at egress of a pod
@aanm aanm added kind/feature New feature or request ci/hyperjump labels Aug 22, 2022
@aanm
Copy link
Member Author

aanm commented Aug 22, 2022

@pchaigno do you have other examples?

@pchaigno
Copy link
Member

Apart from checking the drop reason and direction, it could be good to check the remote security identity. For that last one, it's probably enough to check that it is neither unknown nor a reserved identity unless expected. Checking the exact pod identity is probably overengineering/overtesting.

Checking the identity may help us catch cases where we dropped the packets because the identity resolution failed and it should have succeeded but failed to find a corresponding policy rule afterward. Definitely less important than checking the drop reason and direction.

sayboras added a commit to sayboras/cilium-cli that referenced this issue Sep 19, 2022
@sayboras
policy: Add support for drop direction and reason
116f1c2 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: cilium#1046
Signed-off-by: Tam Mach <[email protected]>
@tklauser tklauser mentioned this issue Sep 19, 2022
Merged
sayboras added a commit to sayboras/cilium-cli that referenced this issue Sep 19, 2022
@sayboras
policy: Add support for drop direction and reason
028beee 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: cilium#1046
Signed-off-by: Tam Mach <[email protected]>
sayboras added a commit to sayboras/cilium-cli that referenced this issue Sep 20, 2022
@sayboras
policy: Add support for drop direction and reason
7b9bfd0 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: cilium#1046
Signed-off-by: Tam Mach <[email protected]>
tklauser pushed a commit that referenced this issue Sep 21, 2022
@sayboras @tklauser
policy: Add support for drop direction and reason
62d8464 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: #1046
Signed-off-by: Tam Mach <[email protected]>
@sayboras sayboras mentioned this issue Sep 21, 2022
Open
@sayboras
Copy link
Member

Apart from checking the drop reason and direction, it could be good to check the remote security identity. For that last one, it's probably enough to check that it is neither unknown nor a reserved identity unless expected.

I missed this point in related PR, raised #1100 for tracking purpose.

f1ko pushed a commit to f1ko/cilium-cli that referenced this issue Oct 13, 2022
@sayboras @f1ko
policy: Add support for drop direction and reason
b474958 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: cilium#1046
Signed-off-by: Tam Mach <[email protected]>
aditighag pushed a commit to aditighag/cilium-cli that referenced this issue Apr 21, 2023
@sayboras @aditighag
policy: Add support for drop direction and reason
d4c0707 
This commit is to make sure that we can validate if the traffic is
dropped for below cases:

- Traffic dropped at ingress
- Traffic dropped at egress
- Traffic dropped by default deny policy

Fixes: cilium#1046
Signed-off-by: Tam Mach <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sayboras sayboras

Labels
ci/hyperjump kind/feature New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

policy: Add support for drop direction and reason sayboras/cilium-cli
3 participants
@pchaigno @aanm @sayboras