- Start cilium and cilium network
- Create 2 containers
2.1. docker run -dt --net=cilium-net --name server -l app=backend httpd
2.2. docker run -dt --net=cilium-net --name client -l app=frontend tgraf/netperf
- delete policy
cilium policy delete --all
- import policy [0]
- clean ct
sudo cilium bpf ct flush global
- open cilium monitor
- try to ping to
server container docker exec -i client bash -c "ping -c4 10.1.161.37"
- pings don't work
output of cilium monitor is:
<- endpoint 44479, identity 642: 10.1.193.166 -> 10.1.161.37 EchoRequest
xx drop (Policy denied (L3)), to endpoint 15532, identity 642->643: 10.1.193.166 -> 10.1.161.37 EchoRequest
[0]
[
{
"endpointSelector": {
"matchLabels": {
"any:app": "backend"
}
},
"ingress": [
{
"fromEndpoints": [
{
"matchLabels": {
"any:app": "frontend"
}
}
],
"toPorts": [
{
"ports": [
{
"port": "80",
"protocol": "TCP"
}
]
}
]
}
],
"labels": [
{
"key": "name",
"value": "allow-frontend-ingress-l3-l4",
"source": "unspec"
}
]
}
]
bpf policy list of the server container
$ sudo sudo cilium bpf policy list 15532 -n
IDENTITY PORT/PROTO ACTION BYTES PACKETS
1 ANY allowed 0 0
642 80/TCP allowed 0 0
2.1.
docker run -dt --net=cilium-net --name server -l app=backend httpd2.2.
docker run -dt --net=cilium-net --name client -l app=frontend tgraf/netperfcilium policy delete --allsudo cilium bpf ct flush globalservercontainerdocker exec -i client bash -c "ping -c4 10.1.161.37"output of cilium monitor is:
[0]
bpf policy list of the
servercontainer