-
Notifications
You must be signed in to change notification settings - Fork 376
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Add collection key to differentiate namespaced policies #2337
feat: Add collection key to differentiate namespaced policies #2337
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for tackling this @joshuajorel! I see it's still WIP, but I left a few comments.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks!
Please find some comments below.
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
@kkourt @lambdanis - what is the usecase for enabling and disabling a |
Hi, The sensor interface (and infrastructure) is indeed deprecated. There is an issue to remove it #1272, but we first need to provide means to disable a tracing policy as we do with sensors. |
acd9375
to
340e184
Compare
Hey @joshuajorel thank you for the updates. Could you rewrite the commits so that changes are clearly grouped and documented? I think one commit introducing |
340e184
to
7d9918e
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, thank you @joshuajorel. Let's wait for @kkourt to confirm nothing is missing.
pkg/sensors/handler.go
Outdated
if col, exists := h.collections[op.name]; exists && col.state != LoadErrorState { | ||
return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.name) | ||
if col, exists := h.collections[op.ck]; exists && col.state != LoadErrorState { | ||
return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.ck) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
return fmt.Errorf("failed to add tracing policy %s, a sensor collection with the name already exists", op.ck) | |
return fmt.Errorf("failed to add tracing policy %s, a sensor collection with this key already exists", op.ck) |
or something similar (non-blocking)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Change wording to reference key instead of name
Thank you for taking the time to review @lambdanis ! Will wait for @kkourt 's review |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, changes LGTM. I left one comment about removing the unneeded name
field.
One of the things we also need to do is update the CLI: https://github.com/cilium/tetragon/blob/main/cmd/tetra/tracingpolicy/tracingpolicy.go. Could you also do that?
Sure. Let me do the changes and get back to you. Thank you very much! |
Thanks! I would suggest doing the CLI updates in a different patch to ease reviewing. |
TracingPolicy and TracingPolicyNamespaced encounter conflicts whenever a policy is applied with the same name. A policy with the same name, even if it is in a different namespace does not get applied. This commit adds a collectionKey to differentiate policies with the same, but in different namespaces. Fixes: cilium#2299 Signed-off-by: Joshua Jorel Lee <[email protected]>
7d9918e
to
d5641fd
Compare
By adding a collectionKey to differentiate namespaces, the CLI needs to be updated to support this update. This change adds a namespace flag to the CLI for the delete, enable, and disable commands. If the namespace flag is unset, it will reference the global TracingPolicy. Fixes: cilium#2299 Signed-off-by: Joshua Jorel Lee <[email protected]>
0c7d2b1
to
6ec273f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, LGTM!
Everything's ✅ , so merging this. Many thanks @joshuajorel this is an awesome contribution. |
Currently,
TracingPolicy
andTracingPolicyNamespaced
encounter conflicts whenever a policy is applied with the same name. A policy with the same name, even if it is in a different namespace does not get applied. This behavior should be allowed given the k8s context e.g. a policy in one namespace is a different policy from one in a different namespace even with the same name.Fixes: #2299