Question: How to use example r2d2 policy in Environment #421

Open
tianhaoyao opened this issue Oct 27, 2023 · 0 comments

Hi everyone!

I am trying to get the r2d2 Cilium Envoy proxy Go extension to work in my environment, mainly following this tutorial. Ultimately, my goal is to write a custom Go extension for my own protocol and have that deployed in my environment, but I want to start by getting the example to work first.

I have a setup in my KinD cluster where my requests to service A are forwarded to service B. I'm hoping to apply the r2d2 policy to capture/manipulate traffic between A->B.
Currently I have built the r2d2 image (hooking r2d2 here), and referenced that image by building Cilium from this directory with the following command:

```bash
cilium install \
  --chart-directory ./install/kubernetes/cilium/ \
  --set ingressController.enabled=false \
  --set ingressController.loadbalancerMode=dedicated \
  --set-string extraConfig.enable-envoy-config=true \
  --namespace kube-system \
  --set envoy.enabled=true \
  --set envoy.image.repository=<r2d2-image> \
  --set envoy.image.tag=<r2d2-image-tag> \
  --set envoy.image.pullPolicy=IfNotPresent \
  --set envoy.image.digest=<r2d2-digest> \
  --set envoy.image.useDigest=false
```

I apply a CiliumNetworkPolicy like so:

```yaml
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: r2d2test
  namespace: kube-system
spec:
  description: r2d2test
  endpointSelector:
    matchLabels:
      app: service-b
  ingress:
    - fromEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "8888"
              protocol: ANY
          rules:
            l7proto: r2d2
  egress:
    - toEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "8888"
              protocol: ANY
          rules:
            l7proto: r2d2
```

With this, I expect to see logs related to the extension, or anything that would take effect in the Cilium Proxy pod, when I make a request to service A, or at least to see the Envoy access logs. However, nothing is showing up, although the request does flow through.

A few questions:

  1. Is the CiliumNetworkPolicy configured correctly? When I attach `l7proto: r2d2` in the rules for both egress and ingress for service B, it should mean that service B's incoming and outgoing traffic goes through the Go extension, which is running the r2d2 policy, right?
  2. Where can I find logs? How can I write logs related to the request that is captured by the Go extension and access them? I was convinced that just by writing access logs with `p.connection.Log(...)` I should expect to see logs being printed out by the cilium-envoy pod.
  3. If necessary, could I use this Go extension to manipulate an L7 protocol, for example, to add a custom header to HTTP? If so, what are the key points, `onData`? Perhaps using `Inject()`?

Details about my setup:

cilium-cli: v0.15.10 compiled
go1.21.2
linux/amd64
cilium image: 1.15.0-dev
kind v0.20.0