cilium / hubble

Hubble - Network, Service & Security Observability for Kubernetes using eBPF
Apache License 2.0

Feature: Add network policy names in hubble #1100

Open Tim-herbie opened 1 year ago

Tim-herbie commented 1 year ago

Cilium Feature Proposal

Is your feature request related to a problem?

No, but it would simplify troubleshooting network connections within Kubernetes.

Describe the feature you'd like

When I started using Cilium, I noticed that the name of the CiliumNetworkPolicy as well as the name of the CiliumClusterwideNetworkPolicy is not shown in the Cilium Hubble UI or in hubble observe. For me, observability would be increased if I could comprehend why the traffic was accepted or denied.

(Optional) Describe your proposed solution

Add the network policy name to the Hubble UI and hubble observe as a value.

gandro commented 1 year ago

Thanks for the request. This requires https://github.com/cilium/cilium/issues/26438 to be implemented on the server-side first.

Tim-herbie commented 1 year ago

@gandro Thanks for your answer, is there a timeline when this will happen?

kgtw commented 11 months ago

@gandro I'd be willing to open a PR for this if nobody else is actively working on it.

gandro commented 11 months ago

Hi, so in the meantime, we've merged https://github.com/cilium/cilium/pull/27854 - which implements this server-side. You should see the policy name for policy verdict events if you do JSON output, i.e. something like hubble observe -o json -t policy-verdict against Cilium v1.15-pre.

I'm not sure if/how we could add the policy name to the textual output without making the output too noisy. Suggestions welcome.

kgtw commented 10 months ago

I can confirm that the above command does provide the matching policy names for flows. As for the textual output, I agree that adding the policies would be too noisy.

Perhaps initially we could provide "hints" as to the total number of matching policies, leaving the actual textual representation of the policies to be retrieved via the aforementioned json output.

Example output, introducing matching:%d

$ hubble observe -n default -t policy-verdict
Dec 10 10:39:14.344: 10.244.1.59:50648 (host) -> default/frontend-f644d466f-2w4mv:8080 (ID:448) policy-verdict:L3-Only INGRESS ALLOWED (TCP Flags: SYN) matching:1

Would such output be useful for network operators and those investigating flows at a glance? Perhaps @Tim-herbie you might have some opinion if the json output satisfies your original feature request, then we could simply mark this issue as closed/resolved.

gandro commented 10 months ago

Thanks for confirming! Yeah, I think adding at least the policy count could be a nice addition.

Tim-herbie commented 10 months ago

Thank you so far. @kgtw Information about how often the policy was used is nice information.

I understand that the log output would be too noisy if the policy name were displayed. Is it maybe possible to output this by adding a parameter?

And is it now possible to see the policy name also in the UI?
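
An added example, not part of the thread and not Hubble's own code: a Python filter that reads the JSON output gandro describes and prints the matching:%d hint kgtw proposes, with policy names shown only on request, as Tim-herbie suggests. The field names ingress_allowed_by and egress_allowed_by, the show_names option, and the sample flows and policy names are assumptions or constructed values; check the field names against real output from your Cilium version.

```python
import json

# Constructed sample, shaped like `hubble observe -o json -t policy-verdict` output.
# Assumed field names: ingress_allowed_by / egress_allowed_by, each a list of
# {"name", "namespace"}; verify against output from your own Cilium version.
POD = {"namespace": "default", "pod_name": "frontend-f644d466f-2w4mv"}
SAMPLE = [
    json.dumps({"flow": {"verdict": "FORWARDED", "traffic_direction": "INGRESS",
        "source": {"labels": ["reserved:host"]}, "destination": POD,
        "ingress_allowed_by": [{"name": "allow-frontend", "namespace": "default"}]}}),
    json.dumps({"flow": {"verdict": "FORWARDED", "traffic_direction": "EGRESS",
        "source": POD, "destination": {"labels": ["reserved:world"]},
        "egress_allowed_by": [{"name": "egress-baseline"}]}}),
    "not json",  # stray non-JSON line, must be skipped
]

def matched_policies(flow):
    """Names of the policies recorded on a policy-verdict flow."""
    names = []
    for field in ("ingress_allowed_by", "egress_allowed_by"):
        for pol in flow.get(field) or []:
            name, ns = pol.get("name", "?"), pol.get("namespace")
            # Clusterwide policies carry no namespace.
            names.append(f"{ns}/{name}" if ns else name)
    return names

def endpoint(ep):
    """Pod reference if present, otherwise the endpoint's labels."""
    if ep.get("pod_name"):
        return f"{ep.get('namespace', '')}/{ep['pod_name']}"
    return ",".join(ep.get("labels") or []) or "unknown"

def summarize(line, show_names=False):
    """One compact line per flow: always the count, names only on request."""
    try:
        obj = json.loads(line)
    except json.JSONDecodeError:
        return None
    flow = obj.get("flow") if isinstance(obj, dict) else None
    if not flow:
        return None
    names = matched_policies(flow)
    out = (f"{endpoint(flow.get('source', {}))} -> "
           f"{endpoint(flow.get('destination', {}))} "
           f"{flow.get('traffic_direction', '?')} {flow.get('verdict', '?')} "
           f"matching:{len(names)}")
    return out + (" [" + ", ".join(names) + "]" if show_names and names else "")

if __name__ == "__main__":
    print("\n".join(filter(None, (summarize(l, show_names=True) for l in SAMPLE))))
```

A flow from an agent that does not populate these fields is reported as matching:0 rather than raising an error.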