04afc8b to
e8aa157
Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Both debug logging and access logging are more intelligible when the original source identity is used, also in the case of the north/south L7 LB, where an "Ingress IP" is used as the source address in the upstream connections. In that case SO_MARK encodes the identity of the Ingress IP so that the source identity seen in the destination is the same when the destination is in the same node (source identity derived from SO_MARK) and when the destination is in a different node (source identity mapped from the source (Ingress) IP).

Note that the (original) source identity is used for policy determination only for ingress policy, for which the original source identity was already used. Given this, the only visible change is the source identity as seen on debug/trace logs and (hubble) access logs. Access logs already show the original source address, so this change aligns the recorded source identity with it, so that instead of:

Jun 18 12:37:20.940: default/ubuntu-deployment-6f7cc4b9fb-9gmnp:39430 (ingress) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://10.96.154.80/)

Hubble will show this:

Jun 18 15:39:29.763: default/ubuntu-deployment-6f7cc4b9fb-9gmnp:57354 (ID:43964) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://10.96.154.80/)

where '43964' is the source security identity of 'default/ubuntu-deployment-6f7cc4b9fb-9gmnp'.

Similarly for north/south the original source identity is recorded in the hubble flow:

Jun 18 15:41:15.186: 172.18.0.1:41684 (ID:16777217) -> default/nginx-deployment-worker-7d99874b8b-dw4bt:80 (ID:53552) http-request FORWARDED (HTTP/1.1 GET http://172.18.255.193/)

where 16777217 is the node-local source identity of the CIDR 172.18.0.1.
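The property the commit message describes, the destination seeing the same source identity whether it is resolved from SO_MARK on the same node or from the source IP on a different node, is illustrated by the following added Go example. It is not Cilium's code: the mark bit layout (4 bits of magic, 28 bits of identity) is an assumption chosen for the example and is not Cilium's real layout, and the `ipcache` map and the pod IPs in it are constructed; only the identities and the Ingress IP 172.18.0.1 are taken from the log lines quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Illustrative mark layout. This is an assumption for the example and is NOT
// Cilium's real SO_MARK bit layout: the low 4 bits carry a magic value that
// says "this mark carries a security identity", the upper 28 bits carry the
// identity itself.
const (
	markMagicMask     uint32 = 0x0000000F
	markMagicIdentity uint32 = 0x0000000A
	identityShift     uint32 = 4
	maxIdentity       uint32 = (1 << 28) - 1
)

// Identities taken from the Hubble lines quoted in the commit message.
const (
	identityUbuntu  uint32 = 43964    // default/ubuntu-deployment-6f7cc4b9fb-9gmnp
	identityNginx   uint32 = 53552    // default/nginx-deployment-worker-7d99874b8b-dw4bt
	identityIngress uint32 = 16777217 // node-local CIDR identity of 172.18.0.1
)

// EncodeMark packs a security identity into a socket mark value.
func EncodeMark(identity uint32) (uint32, error) {
	if identity == 0 || identity > maxIdentity {
		return 0, fmt.Errorf("identity %d cannot be encoded in the mark", identity)
	}
	return identity<<identityShift | markMagicIdentity, nil
}

// DecodeMark recovers the identity from a mark, or reports that the mark
// does not carry one (for example a mark set by some other component).
func DecodeMark(mark uint32) (uint32, bool) {
	if mark&markMagicMask != markMagicIdentity {
		return 0, false
	}
	return mark >> identityShift, true
}

// ipcache is a constructed stand-in for the agent's IP-to-identity cache.
var ipcache = map[netip.Addr]uint32{
	netip.MustParseAddr("10.0.1.10"):  identityUbuntu,  // constructed pod IP
	netip.MustParseAddr("10.0.2.20"):  identityNginx,   // constructed pod IP
	netip.MustParseAddr("172.18.0.1"): identityIngress, // Ingress IP from the log
}

// LookupIdentity maps a source address to its identity, as the receiving
// node does for traffic that arrived from another node.
func LookupIdentity(ip netip.Addr) (uint32, bool) {
	id, ok := ipcache[ip]
	return id, ok
}

// ResolveSourceIdentity returns the source identity the destination records.
// On the same node it is derived from the mark; across nodes it is mapped
// from the source IP. The commit's point is that both paths agree.
func ResolveSourceIdentity(sameNode bool, mark uint32, srcIP netip.Addr) (uint32, error) {
	if sameNode {
		if id, ok := DecodeMark(mark); ok {
			return id, nil
		}
		return 0, errors.New("mark carries no identity")
	}
	if id, ok := LookupIdentity(srcIP); ok {
		return id, nil
	}
	return 0, fmt.Errorf("no identity for %s", srcIP)
}

// BothPathsAgree encodes the source's identity into a mark (what the proxy
// does on the upstream socket) and checks that the local, mark-derived
// identity equals the remote, IP-derived one.
func BothPathsAgree(srcIP netip.Addr) (bool, error) {
	id, ok := LookupIdentity(srcIP)
	if !ok {
		return false, fmt.Errorf("no identity for %s", srcIP)
	}
	mark, err := EncodeMark(id)
	if err != nil {
		return false, err
	}
	local, err := ResolveSourceIdentity(true, mark, srcIP)
	if err != nil {
		return false, err
	}
	remote, err := ResolveSourceIdentity(false, mark, srcIP)
	if err != nil {
		return false, err
	}
	return local == remote, nil
}

func main() {
	for _, ip := range []string{"10.0.1.10", "172.18.0.1"} {
		ok, err := BothPathsAgree(netip.MustParseAddr(ip))
		fmt.Println(ip, ok, err)
	}
}
```

The north/south case is the one worth watching: the upstream connection's source address is the Ingress IP, so unless the mark carries that IP's (node-local CIDR) identity, the same-node and cross-node paths would log different source identities for the same flow.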