github.com/cilium/cilium@v1.16.2/Documentation/observability/visibility.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _proxy_visibility:

***************************
Layer 7 Protocol Visibility
***************************

.. note::

    This feature requires enabling L7 Proxy support.

While :ref:`monitor` provides introspection into datapath state, by default, it
will only provide visibility into L3/L4 packet events. If you want L7
protocol visibility, you can use L7 Cilium Network Policies (see :ref:`l7_policy`).


.. note::

    Historically, it had been possible to enable L7 visibility using Pod
    annotations (``policy.cilium.io/proxy-visibility``). This method is
    no longer supported and we recommend that users switch to L7 policies instead.

To enable visibility for L7 traffic, create a ``CiliumNetworkPolicy`` that specifies
L7 rules. Traffic flows matching an L7 rule in a ``CiliumNetworkPolicy`` become
visible to Cilium and can therefore be exposed to the end user. It is important to
remember that L7 network policies not only enable visibility but also restrict
what traffic is allowed to flow in and out of a Pod.


The following example enables visibility for DNS (TCP/UDP/53) and HTTP
(ports TCP/80 and TCP/8080) traffic within the ``default`` namespace by
specifying two L7 rules -- one for DNS and one for HTTP. It also restricts
egress communication and drops anything that is not matched. L7 matching
conditions on the rules have been omitted or wildcarded, which will
permit all requests that match the L4 section of each rule:


.. code-block:: yaml

      apiVersion: "cilium.io/v2"
      kind: CiliumNetworkPolicy
      metadata:
        name: "l7-visibility"
      spec:
        endpointSelector:
          matchLabels:
            "k8s:io.kubernetes.pod.namespace": default
        egress:
        - toPorts:
          - ports:
            - port: "53"
              protocol: ANY
            rules:
              dns:
              - matchPattern: "*"
        - toEndpoints:
          - matchLabels:
              "k8s:io.kubernetes.pod.namespace": default
          toPorts:
          - ports:
            - port: "80"
              protocol: TCP
            - port: "8080"
              protocol: TCP
            rules:
              http: [{}]

Based on the above policy, Cilium will pick up all TCP/UDP/53, TCP/80 and TCP/8080
egress traffic from Pods in the ``default`` namespace and redirect it to the
proxy (see :ref:`proxy_injection`) such that the output of ``cilium monitor`` or
``hubble observe`` shows the L7 flow details.
Below is an example of running the ``hubble observe -f -t l7 -o compact`` command:

::

    default/testapp-5b9cc645cb-4slbs:45240 (ID:26450) -> kube-system/coredns-787d4945fb-bdmdq:53 (ID:9313) dns-request proxy FORWARDED (DNS Query web.default.svc.cluster.local. A)
    default/testapp-5b9cc645cb-4slbs:45240 (ID:26450) <- kube-system/coredns-787d4945fb-bdmdq:53 (ID:9313) dns-response proxy FORWARDED (DNS Answer "10.96.118.37" TTL: 30 (Proxy web.default.svc.cluster.local. A))
    default/testapp-5b9cc645cb-4slbs:33044 (ID:26450) -> default/echo-594485b8dc-fp57l:8080 (ID:32531) http-request FORWARDED (HTTP/1.1 GET http://web/)
    default/testapp-5b9cc645cb-4slbs:33044 (ID:26450) <- default/echo-594485b8dc-fp57l:8080 (ID:32531) http-response FORWARDED (HTTP/1.1 200 4ms (GET http://web/))
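The policy above wildcards its L7 conditions, so it only adds visibility. Because the same rules also enforce, tightening them changes what the proxy lets through. The policy below is an added example, not part of the original page: it keeps the same L4 structure but narrows the DNS rule to names in the ``default`` namespace and the HTTP rule to ``GET`` requests under ``/public/``. Requests that do not match an L7 rule are rejected by the proxy rather than forwarded, and Hubble records that verdict, so deploy a narrowed policy only after observing the wildcarded version for long enough to know what the workload actually needs. The name ``l7-visibility-restricted`` and the ``/public/`` path are assumptions for this example.

```yaml
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  # Name chosen for this example only.
  name: "l7-visibility-restricted"
spec:
  endpointSelector:
    matchLabels:
      "k8s:io.kubernetes.pod.namespace": default
  egress:
  - toPorts:
    - ports:
      - port: "53"
        protocol: ANY
      rules:
        dns:
        # Only lookups for services in the default namespace are answered;
        # the wildcarded "*" from the page permitted any name.
        - matchPattern: "*.default.svc.cluster.local"
  - toEndpoints:
    - matchLabels:
        "k8s:io.kubernetes.pod.namespace": default
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP
      - port: "8080"
        protocol: TCP
      rules:
        http:
        # method and path are regular expressions; "http: [{}]" on the page
        # matched every request, this matches GET under /public/ only.
        - method: "GET"
          path: "/public/.*"
```

Apply it with ``kubectl apply -f`` in place of the wildcarded policy and compare ``hubble observe -t l7`` before and after: the same flows that previously showed ``FORWARDED`` will show the proxy's rejection for any request outside the narrowed rules.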



Security Implications
---------------------

Monitoring Layer 7 traffic involves security considerations for handling
potentially sensitive information, such as usernames, passwords, query
parameters, API keys, and others.

.. warning::

   By default, Hubble does not redact potentially sensitive information
   present in `Layer 7 Hubble Flows <https://github.com/cilium/cilium/tree/master/api/v1/flow#flow-Layer7>`_.

To harden security, Cilium provides the ``--hubble-redact-enabled`` option, which
enables Hubble to redact sensitive information present in Layer 7 flows.
More specifically, it offers the following features for supported Layer 7 protocols:

* For HTTP: redacting URL query (GET) parameters (``--hubble-redact-http-urlquery``)
* For HTTP: redacting URL user info (for example, the password used in basic auth) (``--hubble-redact-http-userinfo``)
* For Kafka: redacting the API key (``--hubble-redact-kafka-apikey``)
* For HTTP headers: redacting all headers except those defined in the ``--hubble-redact-http-headers-allow`` list, or redacting only the headers defined in the ``--hubble-redact-http-headers-deny`` list
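To make the effect of these options concrete, the Go program below is an added example (not Cilium's or Hubble's own code) that reproduces the semantics of the URL query, userinfo, and header allow/deny options on text in the shape of the ``hubble observe -o compact`` lines shown earlier. Hubble applies its redaction inside the flow before any output is rendered, so this is an offline illustration of what ends up hidden, not a drop-in for the real feature. The type and function names, the ``REDACTED`` placeholder, and the sample lines are all constructed for this example.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// RedactOptions emulates the semantics of the Hubble flags discussed on this
// page. The field names are this example's own, not Cilium's.
type RedactOptions struct {
	URLQuery     bool     // --hubble-redact-http-urlquery
	UserInfo     bool     // --hubble-redact-http-userinfo
	HeadersAllow []string // --hubble-redact-http-headers-allow
	HeadersDeny  []string // --hubble-redact-http-headers-deny
}

// redacted is the placeholder this example substitutes for removed data
// (constructed here; Hubble's own placeholder may differ).
const redacted = "REDACTED"

// urlPattern finds the request URL inside the parenthesised L7 summary of a
// compact hubble line, e.g. "(HTTP/1.1 GET http://web/?q=1)".
var urlPattern = regexp.MustCompile(`https?://[^\s)]+`)

// RedactURL hides the query string and/or the userinfo of one URL.
func RedactURL(raw string, opts RedactOptions) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	if opts.URLQuery && u.RawQuery != "" {
		u.RawQuery = redacted
	}
	if opts.UserInfo && u.User != nil {
		u.User = url.UserPassword(redacted, redacted)
	}
	return u.String(), nil
}

// RedactLine applies RedactURL to every URL in a compact flow line; lines
// without a URL (DNS events, L4 events) pass through unchanged.
func RedactLine(line string, opts RedactOptions) string {
	return urlPattern.ReplaceAllStringFunc(line, func(m string) string {
		r, err := RedactURL(m, opts)
		if err != nil {
			return redacted // unparsable URL: hide it entirely
		}
		return r
	})
}

// RedactHeaders returns a copy of headers with values replaced per opts:
// an allow list redacts every header not on it; otherwise a deny list redacts
// only the headers listed. Names are compared case-insensitively.
func RedactHeaders(headers map[string]string, opts RedactOptions) map[string]string {
	out := make(map[string]string, len(headers))
	for name, value := range headers {
		out[name] = value
		switch {
		case len(opts.HeadersAllow) > 0:
			if !containsFold(opts.HeadersAllow, name) {
				out[name] = redacted
			}
		case len(opts.HeadersDeny) > 0:
			if containsFold(opts.HeadersDeny, name) {
				out[name] = redacted
			}
		}
	}
	return out
}

func containsFold(list []string, name string) bool {
	for _, n := range list {
		if strings.EqualFold(n, name) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample lines in the shape of `hubble observe -o compact`.
	sample := []string{
		"default/testapp:45240 (ID:26450) -> kube-system/coredns:53 (ID:9313) dns-request proxy FORWARDED (DNS Query web.default.svc.cluster.local. A)",
		"default/testapp:33044 (ID:26450) -> default/echo:8080 (ID:32531) http-request FORWARDED (HTTP/1.1 GET http://alice:s3cret@web/search?token=abc123)",
	}
	opts := RedactOptions{URLQuery: true, UserInfo: true, HeadersAllow: []string{"Content-Type"}}
	for _, l := range sample {
		fmt.Println(RedactLine(l, opts))
	}
	// Constructed header set: only Content-Type survives the allow list.
	fmt.Println(RedactHeaders(map[string]string{"Authorization": "Bearer t0k3n", "Content-Type": "application/json"}, opts))
}
```

The allow list takes precedence over the deny list in this example because an allow list is the safer default when both are set: anything not explicitly permitted is hidden. Check which precedence your Cilium version applies before relying on a combination of both flags.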

For more information on configuring Cilium, see :ref:`Cilium Configuration <configuration>`.

Limitations
-----------

* DNS visibility is available on egress only.