
Question: How to use example r2d2 policy in Environment

Open tianhaoyao opened this issue 2 years ago • 0 comments

Hi everyone!

I am trying to get the r2d2 Cilium envoy proxy go extension to work in my environment, mainly following this tutorial. Ultimately, my goal is to write a custom go extension for my own protocol and have that deployed in my environment, but I want to start by getting the example to work first.

I have a setup in my KinD cluster where my requests to service A are forwarded to service B. I'm hoping to apply the r2d2 policy to capture/manipulate traffic between A->B. Currently I have built the r2d2 image (hooking r2d2 here), and referenced that image by building Cilium from this directory with the following command:

cilium install \
--chart-directory ./install/kubernetes/cilium/ \
--set ingressController.enabled=false \
--set ingressController.loadbalancerMode=dedicated \
--set-string extraConfig.enable-envoy-config=true \
--namespace kube-system \
--set envoy.enabled=true \
--set envoy.image.repository=<r2d2-image> \
--set envoy.image.tag=<r2d2-image-tag> \
--set envoy.image.pullPolicy=IfNotPresent \
--set envoy.image.digest=<r2d2-digest> \
--set envoy.image.useDigest=false

I apply a CiliumNetworkPolicy like so:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: r2d2test
  namespace: kube-system
spec:
  description: r2d2test
  endpointSelector:
    matchLabels:
      app: service-b
  ingress:
    - fromEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "8888"
              protocol: ANY
          rules:
            l7proto: r2d2
  egress:
    - toEndpoints:
        - {}
      toPorts:
        - ports:
            - port: "8888"
              protocol: ANY
          rules:
            l7proto: r2d2

With this, I expect to see logs related to the extension, or anything else that would take effect in the Cilium Proxy pod, when I make a request to service A, or at least the Envoy access logs. However, nothing is showing up, even though the request does flow through.

A few questions:

  1. Is the CiliumNetworkPolicy configured correctly? When I attach l7proto: r2d2 in the rules for both egress and ingress for service B, it should mean that service B's incoming and outgoing traffic goes through the go extension which is running the r2d2 policy, right?
  2. Where can I find logs? How can I write logs related to the request that is captured by the go extension and access them? I was convinced that just by writing access logs with p.connection.Log(...) I should expect to see logs being printed out by the cilium-envoy pod.
  3. If necessary, could I use this go extension to manipulate an l7 protocol, for example, add a custom header to http? If so, what are the key points: onData? perhaps using Inject()?

Details about my setup:

cilium-cli: v0.15.10 compiled
go1.21.2
linux/amd64
cilium image: 1.15.0-dev
kind v0.20.0

tianhaoyao · Oct 27 '23 19:10
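As an added example (not part of the issue above and not Cilium's own code), the following Python helper walks a CiliumNetworkPolicy and lists exactly which direction/port pairs carry an `l7proto` rule, which is the key that makes Cilium hand matching flows to Envoy and the Go extension, and records the namespace the `endpointSelector` is scoped to. The `R2D2_POLICY` dict is constructed inline to mirror the r2d2test policy in the issue; `l7_redirects` and `review` are hypothetical helper names chosen here, not Cilium APIs.

```python
"""List the L7 redirects a CiliumNetworkPolicy requests, to compare against
what the agent actually programmed before blaming the Go extension."""
from typing import Any, Dict, List

# Constructed sample policy: same structure as the r2d2test policy in the issue.
R2D2_POLICY: Dict[str, Any] = {
    "apiVersion": "cilium.io/v2",
    "kind": "CiliumNetworkPolicy",
    "metadata": {"name": "r2d2test", "namespace": "kube-system"},
    "spec": {
        "description": "r2d2test",
        "endpointSelector": {"matchLabels": {"app": "service-b"}},
        "ingress": [{
            "fromEndpoints": [{}],
            "toPorts": [{"ports": [{"port": "8888", "protocol": "ANY"}],
                         "rules": {"l7proto": "r2d2"}}],
        }],
        "egress": [{
            "toEndpoints": [{}],
            "toPorts": [{"ports": [{"port": "8888", "protocol": "ANY"}],
                         "rules": {"l7proto": "r2d2"}}],
        }],
    },
}


def l7_redirects(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One record per (direction, port, protocol) whose rules carry an l7proto.

    Port rules without an l7proto (or http/kafka/dns rules) are enforced in
    eBPF or by other parsers and never reach a Go extension, so they are skipped.
    """
    spec = policy.get("spec", {})
    records: List[Dict[str, Any]] = []
    for direction, peer_key in (("ingress", "fromEndpoints"), ("egress", "toEndpoints")):
        for rule in spec.get(direction, []):
            peers = rule.get(peer_key, [])
            for to_port in rule.get("toPorts", []):
                l7proto = to_port.get("rules", {}).get("l7proto")
                if not l7proto:
                    continue  # plain L3/L4 rule: no proxy redirect requested
                for port in to_port.get("ports", []):
                    records.append({
                        "direction": direction,
                        "port": str(port.get("port")),
                        # Cilium treats an omitted protocol as "any protocol".
                        "protocol": port.get("protocol", "ANY"),
                        "l7proto": l7proto,
                        "peer_selectors": peers,
                    })
    return records


def review(policy: Dict[str, Any]) -> List[str]:
    """Human-readable summary of what the policy asks the proxy to handle."""
    notes: List[str] = []
    namespace = policy.get("metadata", {}).get("namespace", "default")
    selector = policy.get("spec", {}).get("endpointSelector", {}).get("matchLabels", {})
    # A CiliumNetworkPolicy is namespaced: its endpointSelector only matches
    # pods in the policy's own namespace, so the selected workload must live there.
    notes.append(f"endpointSelector {selector} applies only to pods in namespace '{namespace}'")
    redirects = l7_redirects(policy)
    if not redirects:
        notes.append("no toPorts rule carries l7proto: nothing is redirected to the proxy")
    for rec in redirects:
        notes.append(
            f"{rec['direction']} port {rec['port']}/{rec['protocol']} "
            f"-> l7proto '{rec['l7proto']}' ({len(rec['peer_selectors'])} peer selector(s))"
        )
    return notes


if __name__ == "__main__":
    for line in review(R2D2_POLICY):
        print(line)
```

The output is a checklist to hold against the live cluster: the namespace line says where the selected pods must actually run for the policy to attach, and each redirect line is one entry you would expect to see reflected as a proxy redirect on the affected endpoint before any extension log can appear.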