-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix workload and identity filters #1109
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Before this patch, --{from,to}-workload would not work as expected. The workload filter was added to only one side of the left/right filter, and thus would not be taken into account: % hubble observe --from-pod cilium --to-workload app --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' - '{"source_pod":["cilium"],"destination_workload":[{"name":"app"}]}' The workload filter is added only to the allowlist's right/destination filter, and since the allowlist's left/source filter is a superset of the right filter, the resulting allowlist is equivalent to: % hubble observe --from-pod cilium --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' Another example where the combined flag uses both left and right filters: % hubble observe --pod cilium --to-workload app --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' - '{"destination_pod":["cilium"],"destination_workload":[{"name":"app"}]}' The right filter will never match (assuming cilium is not part of the app workload) and the left filter is again equivalent to the one we get without `--to-workload app`. The --from-workload filter had the same bug, but was added the only the left filter instead of the right filter. This patch ensure that --{from,to}-workload filters are added on both sides, and adds a regression test case. After this patch we get: % hubble observe --from-pod cilium --to-workload app --print-raw-filters allowlist: - '{"source_pod":["cilium"],"destination_workload":[{"name":"app"}]}' % hubble observe --pod cilium --to-workload app --print-raw-filters allowlist: - '{"source_pod":["cilium"],"destination_workload":[{"name":"app"}]}' - '{"destination_pod":["cilium"],"destination_workload":[{"name":"app"}]}' Signed-off-by: Alexandre Perrin <alex@isovalent.com>
Before this patch, --{from,to}-identity would not work as expected. The identity filter was added to only one side of the left/right filter, and thus would not be taken into account: % hubble observe --from-pod cilium --to-identity world --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' - '{"source_pod":["cilium"],"destination_identity":[2]}' The identity filter is added only to the allowlist's right/destination filter, and since the allowlist's left/source filter is a superset of the right filter, the resulting allowlist is equivalent to: % hubble observe --from-pod cilium --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' Another example where the combined flag uses both left and right filters: % hubble observe --pod cilium --to-identity world --print-raw-filters allowlist: - '{"source_pod":["cilium"]}' - '{"destination_pod":["cilium"],"destination_identity":[2]}' The right filter will never match and the left filter is again equivalent to the one we get without `--to-identity world`. The --from-identity filter had the same bug, but was added the only the left filter instead of the right filter. This patch ensure that --{from,to}-identity filters are added on both sides, and adds a regression test case. After this patch we get: % hubble observe --from-pod cilium --to-identity world --print-raw-filters allowlist: - '{"source_pod":["cilium"],"destination_identity":[2]}' % hubble observe --pod cilium --to-identity world --print-raw-filters allowlist: - '{"source_pod":["cilium"],"destination_identity":[2]}' - '{"destination_pod":["cilium"],"destination_identity":[2]}' Signed-off-by: Alexandre Perrin <alex@isovalent.com>
kaworu
added
🐛 kind/bug
This is a bug in the Hubble logic.
⌨️ area/cli
Impacts the command line interface of any command in the repository.
priority/release-blocker
This issue will prevent the release of the next version of Cilium.
release-note/bug
This PR fixes an issue in a previous release of Hubble.
needs-backport/0.11
This PR needs backporting to the v0.11 branch
labels
Jul 6, 2023
gandro
approved these changes
Jul 6, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Labels
⌨️ area/cli
Impacts the command line interface of any command in the repository.
🐛 kind/bug
This is a bug in the Hubble logic.
needs-backport/0.11
This PR needs backporting to the v0.11 branch
priority/release-blocker
This issue will prevent the release of the next version of Cilium.
release-note/bug
This PR fixes an issue in a previous release of Hubble.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
See commits