kumahq / kuma

🐻 The multi-zone service mesh for containers, Kubernetes and VMs. Built with Envoy. CNCF Sandbox Project.
https://kuma.io/install
Apache License 2.0

Indicate if request was blocked by TrafficPermission in AccessLogs #5142

Open slonka opened 1 year ago

slonka commented 1 year ago

Description

It would be useful to have policy id in logs/response headers/something else(?) to be able to quickly identify which policy caused "RBAC: access denied".

This can be achieved using dynamic_metadata (shadow_effective_policy_id), which can be retrieved and forwarded to a log/header by a Lua filter.
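An added example, not part of the issue and not Kuma code, of how the log side of this idea could be consumed once the metadata reaches the access log. It assumes an access log format chosen for this example that prints `%RESPONSE_CODE_DETAILS%` (an Envoy field the issue does not mention) next to the `shadow_effective_policy_id` dynamic metadata; the log lines and the policy name are constructed.

```python
import re

# Assumed Envoy access log format, chosen for this example (not Kuma's default):
#   %RESPONSE_CODE% %RESPONSE_CODE_DETAILS%
#   %DYNAMIC_METADATA(envoy.filters.http.rbac:shadow_effective_policy_id)% %REQ(:PATH)%
# written on one line; Envoy prints "-" when a value is absent.
LINE_RE = re.compile(r"^(?P<code>\d{3}) (?P<details>\S+) (?P<shadow>\S+) (?P<path>\S+)$")
DENIED_RE = re.compile(r"^rbac_access_denied_matched_policy\[(?P<policy>.*)\]$")

# Constructed sample lines; the policy name is made up.
SAMPLE_LOG = """\
200 via_upstream - /orders
403 rbac_access_denied_matched_policy[none] - /admin
403 via_upstream - /orders/42
403 rbac_access_denied_matched_policy[none] shadow-allow-web /admin
this line does not match the format
"""


def classify(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    denied = DENIED_RE.match(m["details"])
    return {
        "path": m["path"],
        "code": int(m["code"]),
        # True only when Envoy's RBAC filter produced the response itself,
        # which separates it from a 403 returned by the upstream service.
        "blocked_by_rbac": denied is not None,
        "matched_policy": denied["policy"] if denied else None,
        "shadow_policy": None if m["shadow"] == "-" else m["shadow"],
    }


def rbac_denials(log_text):
    """Parse every line and keep only requests rejected by the RBAC filter."""
    parsed = (classify(line) for line in log_text.splitlines())
    return [p for p in parsed if p and p["blocked_by_rbac"]]


if __name__ == "__main__":
    for d in rbac_denials(SAMPLE_LOG):
        print(d["path"], d["matched_policy"], d["shadow_policy"])
```

The third sample line is a 403 from the upstream service, so it is not reported as an RBAC denial.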

doctorwu commented 1 year ago

Is there a way to log this for all policies, i.e. not just limit this to RBAC and TrafficPermissions?

slonka commented 1 year ago

Unfortunately there is not :( I think only RBAC has this hint.

doctorwu commented 1 year ago

Bummer.

slonka commented 1 year ago

There is some info in the "Affected DPPs" tab in the GUI:

image

so you can roughly match up policies to proxies

jakubdyszkiewicz commented 1 year ago

Triage: The first step would be to mark in logs that the request was rejected because of traffic permission. The second step would be to say which traffic permission rejected the request. This one might be hard to implement because of new policy merging.

github-actions[bot] commented 1 year ago

This issue was inactive for 90 days. It will be reviewed in the next triage meeting and might be closed. If you think this issue is still relevant, please comment on it or attend the next triage meeting.

debianmaster commented 3 months ago

Hi, is there a way to get this in the latest version of Kuma?

slonka commented 3 months ago

> Hi, is there a way to get this in the latest version of Kuma?

This is not yet implemented; these are just ideas on how to implement this.
