Policy audit mode represents policy deny verdicts as "action allow match none"

[joestringer]

Cilium latest, v1.8 dev cycle (v1.8.0-rc1):

When enabling --policy-audit-mode, all policy verdict notifications for traffic that would otherwise be denied state action allow match none:

# cilium monitor -t policy-verdict
...
Policy verdict log: flow 0x1fdbbff4 local EP ID 1121, remote ID 16307, dst port 80, proto 6, ingress true, action allow, match L3-L4, 10.29.210.187:42768 -> 10.29.50.40:80 tcp SYN
Policy verdict log: flow 0x3cc7e88f local EP ID 343, remote ID 11862, dst port 80, proto 6, ingress true, action allow, match none, 10.29.171.240:39126 -> 10.29.47.87:80 tcp SYN

I expected it to say action deny match none. When --policy-audit-mode=false (default), the monitor verdicts will say action deny match none.

To be clear, the actual datapath forwarding behaviour is correct (policy-audit-mode allows all traffic through the policy piece), this is more about the cosmetics of the monitor messages.

To reproduce this, I followed the policy guide here to deploy the starwars app + l3/l4 policy, then sent the traffic from xwing/tiefighter pods to observe the output:
https://docs.cilium.io/en/stable/gettingstarted/http/

Initially I was surprised that this is how the policy verdicts represent the action that was chosen, but we can discuss whether it makes sense to retain the message output as-is (ie action allow match none) or to change it to action deny match none.

[joestringer]

I had originally thought that if you look at this message by itself, it is a "policy verdict notification" and had thought of the policy verdict being purely based on netpol / CNP / CCNP. However the action here also takes into account the --policy-audit-mode flag, and so it also declares what the forwarding decision is for this traffic. It could be argued that this actually provides more information.

[joestringer]

Thinking from a higher-level perspective, If there are a series of notifications in cilium monitor and the first one says action deny but the subsequent notification doesn't say xx drop then that would be counterintuitive. So perhaps we should leave it as-is and suffice to state that it's the match none piece that tells you about the policy verdict match against the rules.

@ap4y thoughts?

[ap4y]

I think both deny and allow actions can be confusing.

• if we'll show deny we will expect users to infer that it was allowed due to audit mode from the other log messages and I think it won't be obvious to someone not familiar with this or only checking policy log message

• if we'll show allow we hide the actual policy decision but you can infer that policy was matched from match . I think this is slightly less confusing because all information is contained in a single log but still can see users asking about this.

It's also worth mentioning that one downside of the current logic is that it drops one of the policy related messages https://github.com/cilium/cilium/blob/master/bpf/bpf_lxc.c#L899-L903.

I think potential improvement here is to explicitly state somewhere in the log that deny was changed to allow, maybe action: audit or audit: true field on the policy verdict log?

[joestringer]

I like the proposal to output action: audit in the policy verdict log. We can define what this means in documentation, to state that the actual behaviour will be to allow the traffic but only because audit mode is enabled; and to determine whether the traffic would otherwise be allowed/denied, the user should inspect the match xxx section, which if it says match none would result in drop; otherwise the traffic would be allowed by policy.

[ap4y]

Thought it's worth posting for visibility that I have opened PR with the potential fix.

[tklauser]

Thought it's worth posting for visibility that I have opened PR with the potential fix.

Thanks @ap4y!