github.phpd.cn/cilium/cilium@v1.6.12/Documentation/gettingstarted/identity-relevant-labels.rst

.. only:: not (epub or latex or html)

    WARNING: You are looking at unreleased Cilium documentation.
    Please use the official rendered version released here:
    https://docs.cilium.io

.. _identity-relevant-labels:

*********************************
Limiting Identity-Relevant Labels
*********************************

We recommend that operators of larger environments limit the set of
identity-relevant labels to avoid frequent creation of new security identities.
Many Kubernetes labels are not useful for policy enforcement or visibility;
typical examples are labels that carry timestamps or hashes. When such labels
are included in the evaluation, Cilium generates a unique identity for each pod
instead of one identity shared by all of the pods that make up a service or
application, and every change to such a label value allocates yet another
identity.

By default, Cilium evaluates the following label prefixes (entries are matched
as prefixes of the label key; the longest matching entry decides whether the
label is included or ignored):

=================================== ==================================================
Label                               Description
=================================== ==================================================
``k8s:io.kubernetes.pod.namespace`` Include all ``io.kubernetes.pod.namespace`` labels
``k8s:app.kubernetes.io``           Include all ``app.kubernetes.io`` labels
``k8s:!io.kubernetes``              Ignore all other ``io.kubernetes`` labels
``k8s:!kubernetes.io``              Ignore all ``kubernetes.io`` labels
``k8s:!beta.kubernetes.io``         Ignore all ``beta.kubernetes.io`` labels
``k8s:!k8s.io``                     Ignore all ``k8s.io`` labels
``k8s:!pod-template-generation``    Ignore all ``pod-template-generation`` labels
``k8s:!pod-template-hash``          Ignore all ``pod-template-hash`` labels
``k8s:!controller-revision-hash``   Ignore all ``controller-revision-hash`` labels
``k8s:!annotation.*``               Ignore all ``annotation`` labels
``k8s:!etcd_node``                  Ignore all ``etcd_node`` labels
=================================== ==================================================

Labels that match none of these entries (for example ``k8s:app`` or a custom
``build-timestamp`` label) are still included by default.


Configuring Identity-Relevant Labels
------------------------------------

To limit the labels used for evaluating Cilium identities, edit the Cilium
ConfigMap object using ``kubectl edit cm -n kube-system cilium-config``
and add a ``labels`` entry under ``data`` that defines the labels to include or
exclude.

.. code-block:: yaml

    apiVersion: v1
    data:
    ...
      kube-proxy-replacement: partial
      labels: "k8s:io.kubernetes.pod.namespace k8s:k8s-app k8s:app k8s:name"
      masquerade: "true"
      monitor-aggregation: medium
    ...


Upon defining a custom list of labels in the ConfigMap, Cilium overrides the
default list of labels with the list provided. After saving the ConfigMap,
restart the Cilium agents so that they pick up the new ``labels`` setting:

.. code-block:: bash

    kubectl delete pods -n kube-system -l k8s-app=cilium

Existing identities do not change as a result of the new configuration. To
apply the new label setting to existing endpoints, restart the associated pods.
On restart, new identities are created; the old identities are garbage
collected by the Cilium Operator once they are no longer used by any Cilium
endpoint.

Only labels that pass the filter become part of an identity, so a label that is
filtered out can no longer be used to select endpoints in policy. Keep every
label that your policies reference, and keep ``k8s:io.kubernetes.pod.namespace``
in the list, because without it pods that carry the same labels in different
namespaces collapse into a single identity.

When specifying multiple labels to evaluate, provide the list of labels as a
single space-separated string.

Including Labels
----------------

Labels can be defined as a list of labels to include. Only the labels specified
are used to evaluate Cilium identities; any other label is ignored:

.. code-block:: yaml

    labels: "k8s:io.kubernetes.pod.namespace k8s:k8s-app k8s:app k8s:name"

The above configuration would only include the following labels when evaluating
Cilium identities (entries are key prefixes, so ``k8s:app`` also matches keys
such as ``app.kubernetes.io/name``):

- io.kubernetes.pod.namespace=*
- k8s-app=*
- app=*
- name=*

Excluding Labels
----------------

Labels can also be specified as a list of exclusions. Exclude a label by placing
an exclamation mark after the colon that separates the source prefix from the
label key. When the list consists only of exclusions, Cilium keeps the default
set of labels but additionally excludes any label matching the provided list
when evaluating Cilium identities:

.. code-block:: yaml

    labels: "k8s:!controller-uid k8s:!job-name"

The provided example would cause Cilium to exclude any of the following label
matches:

- k8s:controller-uid=*
- k8s:job-name=*
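
The following Python model, added here as an example and not taken from the
Cilium code base, reproduces the filter semantics described on this page (the
default list, an include list that replaces it, and an exclusion-only list that
is appended to it) so that the effect on identity churn can be seen on
constructed pod label sets from the sections above. The longest-prefix-wins
rule with ties going to exclusion, the treatment of a trailing ``*`` as plain
prefix matching, and the pod labels themselves are assumptions of the model.

```python
"""Model of how Cilium's identity-relevant label filter decides which pod
labels feed a security identity.  Added example, not Cilium's own code:
the matching rules are a simplification of the page's description and the
pod label sets are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The default list from the table on this page, in ConfigMap string form.
DEFAULT_FILTER = (
    "k8s:io.kubernetes.pod.namespace k8s:app.kubernetes.io "
    "k8s:!io.kubernetes k8s:!kubernetes.io k8s:!beta.kubernetes.io "
    "k8s:!k8s.io k8s:!pod-template-generation k8s:!pod-template-hash "
    "k8s:!controller-revision-hash k8s:!annotation.* k8s:!etcd_node"
)


@dataclass(frozen=True)
class Prefix:
    source: str      # label source, e.g. "k8s"
    key_prefix: str  # matched against the start of the label key
    ignore: bool     # True for "source:!prefix" entries


def parse_filter(spec: str) -> List[Prefix]:
    """Parse the space-separated ``labels`` string into prefix rules.
    A trailing ``*`` is dropped and plain prefix matching is used (assumption)."""
    rules = []
    for entry in spec.split():
        source, _, rest = entry.partition(":")
        ignore = rest.startswith("!")
        rules.append(Prefix(source, rest.lstrip("!").rstrip("*"), ignore))
    return rules


def effective_rules(spec: str) -> Tuple[List[Prefix], bool]:
    """Apply the page's override rule: any include entry replaces the defaults
    (whitelist mode); an exclusion-only list is appended to the defaults."""
    user = parse_filter(spec)
    whitelist = any(not r.ignore for r in user)
    if whitelist:
        return user, True
    return parse_filter(DEFAULT_FILTER) + user, False


def identity_labels(pod_labels: Dict[str, str], spec: str = "") -> FrozenSet[Tuple[str, str]]:
    """Return the labels that contribute to the pod's security identity.
    Keys are given as ``source:key``, e.g. ``k8s:app``."""
    rules, whitelist = effective_rules(spec)
    kept = set()
    for full_key, value in pod_labels.items():
        source, _, key = full_key.partition(":")
        # An unmatched label is dropped only in whitelist mode.
        best_len, best_ignore = -1, whitelist
        for r in rules:
            if r.source == source and key.startswith(r.key_prefix):
                n = len(r.key_prefix)
                # Longest prefix wins; on a tie the exclusion wins (assumption).
                if n > best_len or (n == best_len and r.ignore):
                    best_len, best_ignore = n, r.ignore
        if not best_ignore:
            kept.add((full_key, value))
    return frozenset(kept)


def same_identity(a: Dict[str, str], b: Dict[str, str], spec: str = "") -> bool:
    """Two pods share an identity when their filtered label sets are equal."""
    return identity_labels(a, spec) == identity_labels(b, spec)


# Constructed sample: two pods of one Deployment across two rollouts, plus a
# pod with identical application labels in another namespace.
POD_V1 = {"k8s:io.kubernetes.pod.namespace": "payments", "k8s:app": "api",
          "k8s:pod-template-hash": "5d4f8", "k8s:build-timestamp": "20200101",
          "k8s:annotation.prometheus.io/scrape": "true"}
POD_V2 = dict(POD_V1, **{"k8s:pod-template-hash": "7a1c2",
                         "k8s:build-timestamp": "20200102"})
POD_OTHER_NS = dict(POD_V1, **{"k8s:io.kubernetes.pod.namespace": "staging"})

INCLUDE_SPEC = "k8s:io.kubernetes.pod.namespace k8s:k8s-app k8s:app k8s:name"
EXCLUDE_SPEC = "k8s:!controller-uid k8s:!job-name k8s:!build-timestamp"
NO_NAMESPACE_SPEC = "k8s:app"  # deliberately omits the namespace label

if __name__ == "__main__":
    print(same_identity(POD_V1, POD_V2))                            # False
    print(same_identity(POD_V1, POD_V2, INCLUDE_SPEC))              # True
    print(same_identity(POD_V1, POD_V2, EXCLUDE_SPEC))              # True
    print(same_identity(POD_V1, POD_OTHER_NS, NO_NAMESPACE_SPEC))   # True
```

Under the default list the ``pod-template-hash`` label is already ignored, but
the custom ``build-timestamp`` label is not, so each rollout of the Deployment
still produces a new identity; both the include list and the exclusion list
stop that. The last case shows the caveat from above: an include list without
``k8s:io.kubernetes.pod.namespace`` makes the ``payments`` and ``staging`` pods
indistinguishable to policy.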