Created
February 5, 2019 15:21
cilium-debug-log
# Cilium debug information
#### Kernel version
```
4.15.0
```
#### Cilium status
```
KVStore:                Ok   etcd: 1/1 connected: https://cilium-etcd-client.kube-system.svc:2379 - 3.3.11
ContainerRuntime:       Ok   docker daemon: OK
Kubernetes:             Ok   1.13 (v1.13.2) [linux/amd64]
Kubernetes APIs:        ["CustomResourceDefinition", "cilium/v2::CiliumNetworkPolicy", "core/v1::Endpoint", "core/v1::Namespace", "core/v1::Node", "core/v1::Pods", "core/v1::Service", "networking.k8s.io/v1::NetworkPolicy"]
Cilium:                 Ok   OK
NodeMonitor:            Disabled
Cilium health daemon:   Ok
IPv4 address pool:      9/255 allocated from 10.245.0.0/24
  10.245.0.1
  10.245.0.25
  10.245.0.28
  10.245.0.70
  10.245.0.176
  10.245.0.199
  10.245.0.201
  10.245.0.216
  10.245.0.237
Controller Status:      56/56 healthy
  Name                                              Last success   Last error   Count   Message
  cilium-health-ep                                  13s ago        never        0       no error
  ipcache-bpf-garbage-collection                    1m17s ago      never        0       no error
  ipcache-bpf-garbage-collection                    1m17s ago      never        0       no error
  k8s-sync-ciliumnetworkpolicies                    1m15s ago      never        0       no error
  k8s-sync-endpoints                                1m15s ago      never        0       no error
  k8s-sync-networkpolicies                          1m15s ago      never        0       no error
  k8s-sync-nodes                                    1m15s ago      never        0       no error
  k8s-sync-pods                                     1m13s ago      never        0       no error
  k8s-sync-services                                 1m15s ago      never        0       no error
  kvstore-etcd-session-renew                        never          never        0       no error
  kvstore-etcd-session-renew                        never          never        0       no error
  kvstore-sync-store-cilium/state/nodes/v1          15s ago        never        0       no error
  kvstore-sync-store-cilium/state/nodes/v1/use      17s ago        never        0       no error
  kvstore-sync-store-cilium/state/services/v1/use   17s ago        never        0       no error
  lxcmap-bpf-host-sync                              2s ago         never        0       no error
  metricsmap-bpf-prom-sync                          2s ago         never        0       no error
  propagating local node change to kv-store         2h21m18s ago   never        0       no error
  remote-etcd-use                                   2h21m17s ago   never        0       no error
  resolve-identity-0                                1m15s ago      never        0       no error
  resolve-identity-3443                             4m41s ago      never        0       no error
  resolve-identity-820                              4m40s ago      never        0       no error
  sync-IPv4-identity-mapping (0)                    1m14s ago      never        0       no error
  sync-IPv4-identity-mapping (1003)                 1m14s ago      never        0       no error
  sync-IPv4-identity-mapping (1349)                 1m14s ago      never        0       no error
  sync-IPv4-identity-mapping (1951)                 1m14s ago      never        0       no error
  sync-IPv4-identity-mapping (3443)                 4m40s ago      never        0       no error
  sync-IPv4-identity-mapping (3867)                 1m14s ago      never        0       no error
  sync-IPv4-identity-mapping (820)                  4m40s ago      never        0       no error
  sync-IPv6-identity-mapping (0)                    1m14s ago      never        0       no error
  sync-IPv6-identity-mapping (1003)                 1m14s ago      never        0       no error
  sync-IPv6-identity-mapping (1349)                 1m14s ago      never        0       no error
  sync-IPv6-identity-mapping (1951)                 1m14s ago      never        0       no error
  sync-IPv6-identity-mapping (3443)                 4m40s ago      never        0       no error
  sync-IPv6-identity-mapping (3867)                 1m14s ago      never        0       no error
  sync-IPv6-identity-mapping (820)                  4m40s ago      never        0       no error
  sync-identity-to-k8s-pod (0)                      15s ago        never        0       no error
  sync-identity-to-k8s-pod (1003)                   2s ago         never        0       no error
  sync-identity-to-k8s-pod (1349)                   3s ago         never        0       no error
  sync-identity-to-k8s-pod (1951)                   2s ago         never        0       no error
  sync-identity-to-k8s-pod (3443)                   38s ago        never        0       no error
  sync-identity-to-k8s-pod (3867)                   2s ago         never        0       no error
  sync-identity-to-k8s-pod (820)                    38s ago        never        0       no error
  sync-lb-maps-with-k8s-services                    2h21m15s ago   never        0       no error
  sync-policymap-1003                               19s ago        never        0       no error
  sync-policymap-1349                               19s ago        never        0       no error
  sync-policymap-1951                               19s ago        never        0       no error
  sync-policymap-3443                               19s ago        never        0       no error
  sync-policymap-3867                               19s ago        never        0       no error
  sync-policymap-657                                19s ago        never        0       no error
  sync-policymap-820                                19s ago        never        0       no error
  sync-to-k8s-ciliumendpoint (1003)                 4s ago         never        0       no error
  sync-to-k8s-ciliumendpoint (1349)                 5s ago         never        0       no error
  sync-to-k8s-ciliumendpoint (1951)                 5s ago         never        0       no error
  sync-to-k8s-ciliumendpoint (3443)                 0s ago         never        0       no error
  sync-to-k8s-ciliumendpoint (3867)                 5s ago         never        0       no error
  sync-to-k8s-ciliumendpoint (820)                  0s ago         never        0       no error
Proxy Status:           OK, ip 10.245.0.1, port-range 10000-20000
```
#### Cilium environment keys | |
``` | |
proxy-connect-timeout:1 | |
conntrack-garbage-collector-interval:60 | |
k8s-kubeconfig-path: | |
restore:true | |
ipv6-cluster-alloc-cidr:f00d::/64 | |
debug:false | |
lb: | |
kvstore:etcd | |
prepend-iptables-chains:true | |
tofqdns-dns-reject-response-code:refused | |
ipv6-service-range:auto | |
mtu:0 | |
pprof:false | |
flannel-uninstall-on-exit:false | |
preallocate-bpf-maps:false | |
envoy-log: | |
allow-localhost:auto | |
ipvlan-master-device:undefined | |
enable-tracing:false | |
nat46-range:0:0:0:0:0:FFFF::/96 | |
bpf-root: | |
flannel-master-device: | |
monitor-queue-size:32768 | |
agent-labels: | |
http-idle-timeout:0 | |
enable-ipsec:false | |
log-system-load:false | |
trace-payloadlen:128 | |
http-403-msg: | |
ipv6-range:auto | |
disable-conntrack:false | |
kvstore-opt:map[etcd.config:/var/lib/etcd-config/etcd.config] | |
k8s-require-ipv6-pod-cidr:false | |
max-controller-interval:0 | |
host: | |
auto-ipv6-node-routes:false | |
enable-ipv4:true | |
container-runtime: | |
disable-envoy-version-check:false | |
tofqdns-enable-poller:false | |
cmdref: | |
ipv6-node:auto | |
auto-direct-node-routes:false | |
prefilter-mode:native | |
sidecar-istio-proxy-image:cilium/istio_proxy | |
http-retry-timeout:0 | |
k8s-namespace:kube-system | |
cgroup-root: | |
container-runtime-endpoint:map[] | |
enable-policy:default | |
prometheus-serve-addr-deprecated: | |
tunnel:vxlan | |
ipv4-service-range:auto | |
http-retry-count:3 | |
config: | |
prefilter-device:undefined | |
ipsec-key-file: | |
http-max-grpc-timeout:0 | |
access-log: | |
log-opt:map[] | |
keep-bpf-templates:false | |
labels: | |
bpf-compile-debug:false | |
tofqdns-proxy-port:0 | |
clustermesh-config:/var/lib/cilium/clustermesh/ | |
k8s-require-ipv4-pod-cidr:false | |
enable-ipv6:false | |
label-prefix-file: | |
prometheus-serve-addr: | |
docker:unix:///var/run/docker.sock | |
tofqdns-min-ttl:0 | |
disable-endpoint-crd:false | |
bpf-ct-global-tcp-max:1000000 | |
datapath-mode:veth | |
log-driver: | |
ipv4-range:auto | |
state-dir:/var/run/cilium | |
debug-verbose: | |
fixed-identity-mapping:map[] | |
socket-path:/var/run/cilium/cilium.sock | |
flannel-manage-existing-containers:false | |
monitor-aggregation:none | |
k8s-api-server: | |
keep-config:false | |
cluster-id:1 | |
ipv4-cluster-cidr-mask-size:8 | |
cluster-name:euw | |
sidecar-http-proxy:false | |
lib-dir:/var/lib/cilium | |
ipv4-node:auto | |
single-cluster-route:false | |
bpf-ct-global-any-max:262144 | |
version:false | |
masquerade:true | |
k8s-legacy-host-allows-world: | |
sockops-enable:false | |
tofqdns-enable-poller-events:true | |
install-iptables-rules:true | |
http-request-timeout:3600 | |
disable-k8s-services:false | |
device:undefined | |
disable-ipv4:false | |
``` | |
#### Policy get
```
:
[]
Revision: 17
```
#### k8s-service-cache | |
``` | |
(*k8s.ServiceCache)(0xc00039eba8)({ | |
mutex: (lock.RWMutex) { | |
internalRWMutex: (lock.internalRWMutex) { | |
RWMutex: (sync.RWMutex) { | |
w: (sync.Mutex) { | |
state: (int32) 0, | |
sema: (uint32) 0 | |
}, | |
writerSem: (uint32) 0, | |
readerSem: (uint32) 0, | |
readerCount: (int32) 1, | |
readerWait: (int32) 0 | |
} | |
} | |
}, | |
services: (map[k8s.ServiceID]*k8s.Service) (len=9) { | |
(k8s.ServiceID) kube-system/cilium-etcd-client: (*k8s.Service)(0xc00045aa40)(frontend:10.1.65.219/ports=[client]/selector=map[app:etcd etcd_cluster:cilium-etcd]), | |
(k8s.ServiceID) default/rebel-base: (*k8s.Service)(0xc0012db700)(frontend:10.1.78.103/ports=[]/selector=map[name:rebel-base]), | |
(k8s.ServiceID) kube-system/metrics-server: (*k8s.Service)(0xc00045a540)(frontend:10.1.61.65/ports=[]/selector=map[k8s-app:metrics-server]), | |
(k8s.ServiceID) kube-system/tiller-deploy: (*k8s.Service)(0xc00045a7c0)(frontend:10.1.112.55/ports=[tiller]/selector=map[name:tiller app:helm]), | |
(k8s.ServiceID) default/kubernetes: (*k8s.Service)(0xc00045a940)(frontend:10.1.0.1/ports=[https]/selector=map[]), | |
(k8s.ServiceID) kube-system/kubernetes-dashboard: (*k8s.Service)(0xc00045ab40)(frontend:10.1.49.200/ports=[]/selector=map[k8s-app:kubernetes-dashboard]), | |
(k8s.ServiceID) kube-system/cilium-etcd: (*k8s.Service)(0xc00045aa00)(frontend:<nil>/ports=[client peer]/selector=map[app:etcd etcd_cluster:cilium-etcd]), | |
(k8s.ServiceID) kube-system/cilium-etcd-external: (*k8s.Service)(0xc00045aa80)(frontend:10.1.8.83/ports=[]/selector=map[app:etcd etcd_cluster:cilium-etcd io.cilium/app:etcd-operator]), | |
(k8s.ServiceID) kube-system/kube-dns: (*k8s.Service)(0xc00045ab00)(frontend:10.1.0.10/ports=[dns dns-tcp]/selector=map[k8s-app:kube-dns]) | |
}, | |
endpoints: (map[k8s.ServiceID]*k8s.Endpoints) (len=12) { | |
(k8s.ServiceID) kube-system/cilium-etcd: (*k8s.Endpoints)(0xc001028a30)(10.245.0.28:2379/TCP,10.245.0.28:2380/TCP,10.245.2.111:2379/TCP,10.245.2.111:2380/TCP,10.245.5.41:2379/TCP,10.245.5.41:2380/TCP), | |
(k8s.ServiceID) kube-system/cilium-etcd-client: (*k8s.Endpoints)(0xc001028a40)(10.245.0.28:2379/TCP,10.245.2.111:2379/TCP,10.245.5.41:2379/TCP), | |
(k8s.ServiceID) kube-system/tiller-deploy: (*k8s.Endpoints)(0xc001028a70)(10.245.5.12:44134/TCP), | |
(k8s.ServiceID) kube-system/cilium-etcd-external: (*k8s.Endpoints)(0xc001028a90)(10.245.0.28:2379/TCP,10.245.2.111:2379/TCP,10.245.5.41:2379/TCP), | |
(k8s.ServiceID) kube-system/kube-scheduler: (*k8s.Endpoints)(0xc001028aa0)(), | |
(k8s.ServiceID) kube-system/kube-controller-manager: (*k8s.Endpoints)(0xc001028a10)(), | |
(k8s.ServiceID) kube-system/etcd-operator: (*k8s.Endpoints)(0xc001028a50)(), | |
(k8s.ServiceID) default/kubernetes: (*k8s.Endpoints)(0xc001028a60)(10.1.127.249:443/TCP), | |
(k8s.ServiceID) kube-system/metrics-server: (*k8s.Endpoints)(0xc001028a80)(10.245.5.21:443/TCP), | |
(k8s.ServiceID) kube-system/kube-dns: (*k8s.Endpoints)(0xc001028ab0)(10.245.5.237:53/TCP,10.245.5.237:53/UDP), | |
(k8s.ServiceID) default/rebel-base: (*k8s.Endpoints)(0xc001140250)(10.245.0.176:80/TCP,10.245.2.163:80/TCP), | |
(k8s.ServiceID) kube-system/kubernetes-dashboard: (*k8s.Endpoints)(0xc001028a20)(10.245.5.72:8443/TCP) | |
}, | |
ingresses: (map[k8s.ServiceID]*k8s.Service) { | |
}, | |
externalEndpoints: (map[k8s.ServiceID]k8s.externalEndpoints) { | |
}, | |
Events: (chan k8s.ServiceEvent) (cap=128) 0xc00082c720 | |
}) | |
``` | |
#### Cilium version
```
1.4.90 d81f45d 2019-02-05T01:23:20+01:00 go version go1.11.1 linux/amd64
```
#### Service list
```
ID   Frontend            Backend
1    10.1.0.10:53        1 => 10.245.5.237:53
2    10.1.49.200:443     1 => 10.245.5.72:8443
3    10.1.61.65:443      1 => 10.245.5.21:443
4    10.1.112.55:44134   1 => 10.245.5.12:44134
5    10.1.78.103:80      1 => 10.245.0.176:80
                         2 => 10.245.2.163:80
6    10.1.0.1:443        1 => 10.1.127.249:443
7    10.1.65.219:2379    1 => 10.245.0.28:2379
                         2 => 10.245.2.111:2379
                         3 => 10.245.5.41:2379
8    10.1.8.83:2379      1 => 10.245.2.111:2379
                         2 => 10.245.5.41:2379
                         3 => 10.245.0.28:2379
```
#### Cilium memory map
#### Endpoint list
```
ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                              IPv6   IPv4           STATUS
           ENFORCEMENT        ENFORCEMENT
657        Disabled           Disabled          4          reserved:health                                                 10.245.0.237   ready
820        Disabled           Disabled          66381      k8s:io.cilium.k8s.policy.cluster=euw                            10.245.0.25    ready
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
                                                           k8s:name=x-wing
1003       Disabled           Disabled          68232      k8s:io.cilium.k8s.policy.cluster=euw                            10.245.0.70    ready
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=kube-system
                                                           k8s:name=blobfuse
1349       Disabled           Disabled          73167      k8s:app=keyvault-flexvolume                                     10.245.0.199   ready
                                                           k8s:io.cilium.k8s.policy.cluster=euw
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=kube-system
1951       Disabled           Disabled          101        k8s:app=etcd                                                    10.245.0.28    ready
                                                           k8s:etcd_cluster=cilium-etcd
                                                           k8s:io.cilium.k8s.policy.cluster=euw
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.cilium/app=etcd-operator
                                                           k8s:io.kubernetes.pod.namespace=kube-system
3443       Disabled           Disabled          116597     k8s:io.cilium.k8s.policy.cluster=euw                            10.245.0.176   ready
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default
                                                           k8s:io.kubernetes.pod.namespace=default
                                                           k8s:name=rebel-base
3867       Disabled           Disabled          100        k8s:io.cilium.k8s.policy.cluster=euw                            10.245.0.201   ready
                                                           k8s:io.cilium.k8s.policy.serviceaccount=cilium-etcd-sa
                                                           k8s:io.cilium/app=etcd-operator
                                                           k8s:io.kubernetes.pod.namespace=kube-system
```
#### BPF Policy Get 657 | |
``` | |
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS | |
Ingress 1 ANY NONE 0 0 | |
Ingress 2 ANY NONE 0 0 | |
Ingress 3 ANY NONE 0 0 | |
Ingress 4 ANY NONE 0 0 | |
Ingress 5 ANY NONE 0 0 | |
Ingress 100 ANY NONE 0 0 | |
Ingress 101 ANY NONE 0 0 | |
Ingress 102 ANY NONE 0 0 | |
Ingress 103 ANY NONE 0 0 | |
Ingress 104 ANY NONE 0 0 | |
Ingress 105 ANY NONE 0 0 | |
Ingress 106 ANY NONE 0 0 | |
Ingress 66381 ANY NONE 0 0 | |
Ingress 68232 ANY NONE 0 0 | |
Ingress 73167 ANY NONE 0 0 | |
Ingress 81423 ANY NONE 0 0 | |
Ingress 83218 ANY NONE 0 0 | |
Ingress 91065 ANY NONE 0 0 | |
Ingress 116597 ANY NONE 0 0 | |
Ingress 133036 ANY NONE 0 0 | |
Ingress 142781 ANY NONE 0 0 | |
Ingress 169731 ANY NONE 0 0 | |
Ingress 174579 ANY NONE 0 0 | |
Ingress 177140 ANY NONE 0 0 | |
Ingress 178546 ANY NONE 0 0 | |
Ingress 179652 ANY NONE 0 0 | |
Egress 1 ANY NONE 129726 1393 | |
Egress 2 ANY NONE 0 0 | |
Egress 3 ANY NONE 0 0 | |
Egress 4 ANY NONE 0 0 | |
Egress 5 ANY NONE 0 0 | |
Egress 100 ANY NONE 0 0 | |
Egress 101 ANY NONE 0 0 | |
Egress 102 ANY NONE 0 0 | |
Egress 103 ANY NONE 0 0 | |
Egress 104 ANY NONE 0 0 | |
Egress 105 ANY NONE 0 0 | |
Egress 106 ANY NONE 0 0 | |
Egress 66381 ANY NONE 0 0 | |
Egress 68232 ANY NONE 0 0 | |
Egress 73167 ANY NONE 0 0 | |
Egress 81423 ANY NONE 0 0 | |
Egress 83218 ANY NONE 0 0 | |
Egress 91065 ANY NONE 0 0 | |
Egress 116597 ANY NONE 0 0 | |
Egress 133036 ANY NONE 0 0 | |
Egress 142781 ANY NONE 0 0 | |
Egress 169731 ANY NONE 0 0 | |
Egress 174579 ANY NONE 0 0 | |
Egress 177140 ANY NONE 0 0 | |
Egress 178546 ANY NONE 0 0 | |
Egress 179652 ANY NONE 0 0 | |
``` | |
#### BPF CT List 657
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_657: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_657: no such file or directory
```
#### Endpoint Get 657 | |
``` | |
[ | |
{ | |
"id": 657, | |
"spec": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"status": { | |
"controllers": [ | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "resolve-identity-0", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:48.251Z", | |
"success-count": 29 | |
}, | |
"uuid": "eaedd724-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv4-identity-mapping (0)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.346Z", | |
"success-count": 29 | |
}, | |
"uuid": "eaedd567-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv6-identity-mapping (0)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.020Z", | |
"success-count": 29 | |
}, | |
"uuid": "eaedd5b9-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-identity-to-k8s-pod (0)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:48.281Z", | |
"success-count": 142 | |
}, | |
"uuid": "eaedd517-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-policymap-657", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:44.415Z", | |
"success-count": 146 | |
}, | |
"uuid": "ec0d57f8-2945-11e9-ab5e-000d3a2ae96b" | |
} | |
], | |
"external-identifiers": { | |
"container-name": "cilium-health", | |
"pod-name": "/" | |
}, | |
"health": { | |
"bpf": "OK", | |
"connected": true, | |
"overallHealth": "OK", | |
"policy": "OK" | |
}, | |
"identity": { | |
"id": 4, | |
"labels": [ | |
"reserved:health" | |
], | |
"labelsSHA256": "9f122da90704e5177f344e0582800e43b05842f9f6b1812cf4690aade0915275" | |
}, | |
"labels": { | |
"derived": [], | |
"disabled": [], | |
"realized": { | |
"user": [] | |
}, | |
"security-relevant": [ | |
"reserved:health" | |
] | |
}, | |
"log": [ | |
{ | |
"code": "OK", | |
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)", | |
"state": "ready", | |
"timestamp": "2019-02-05T14:11:44Z" | |
} | |
], | |
"networking": { | |
"addressing": [ | |
{ | |
"ipv4": "10.245.0.237" | |
} | |
], | |
"host-mac": "6e:59:ec:78:41:e4", | |
"interface-index": 21, | |
"interface-name": "cilium_health", | |
"mac": "f6:7b:05:50:d1:a0" | |
}, | |
"policy": { | |
"proxy-statistics": [], | |
"realized": { | |
"allowed-egress-identities": [ | |
104, | |
169731, | |
100, | |
83218, | |
81423, | |
1, | |
66381, | |
133036, | |
177140, | |
4, | |
2, | |
102, | |
101, | |
91065, | |
179652, | |
178546, | |
116597, | |
103, | |
68232, | |
142781, | |
5, | |
73167, | |
105, | |
174579, | |
3, | |
106 | |
], | |
"allowed-ingress-identities": [ | |
169731, | |
81423, | |
2, | |
68232, | |
1, | |
91065, | |
174579, | |
133036, | |
105, | |
83218, | |
100, | |
101, | |
178546, | |
73167, | |
179652, | |
177140, | |
106, | |
103, | |
142781, | |
66381, | |
4, | |
5, | |
104, | |
116597, | |
102, | |
3 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 4, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
}, | |
"spec": { | |
"allowed-egress-identities": [ | |
102, | |
177140, | |
104, | |
103, | |
101, | |
91065, | |
5, | |
4, | |
100, | |
133036, | |
73167, | |
83218, | |
174579, | |
142781, | |
3, | |
68232, | |
106, | |
178546, | |
1, | |
81423, | |
116597, | |
66381, | |
169731, | |
179652, | |
105, | |
2 | |
], | |
"allowed-ingress-identities": [ | |
104, | |
103, | |
174579, | |
101, | |
116597, | |
133036, | |
3, | |
73167, | |
91065, | |
100, | |
2, | |
1, | |
102, | |
81423, | |
142781, | |
106, | |
169731, | |
83218, | |
177140, | |
178546, | |
68232, | |
179652, | |
5, | |
66381, | |
105, | |
4 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 4, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
} | |
}, | |
"realized": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"state": "ready" | |
} | |
} | |
] | |
``` | |
#### Endpoint Health 657
```
Overall Health:   OK
BPF Health:       OK
Policy Health:    OK
Connected:        yes
```
#### Endpoint Log 657 | |
``` | |
Timestamp Status State Message | |
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:22Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:22Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:59:50Z OK ready Successfully regenerated endpoint program (Reason: health daemon bootstrap) | |
2019-02-05T12:59:50Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:59:49Z OK regenerating Regenerating endpoint: health daemon bootstrap | |
2019-02-05T12:59:49Z OK waiting-to-regenerate initial build of health endpoint | |
2019-02-05T12:59:48Z OK ready Set identity for this endpoint | |
2019-02-05T12:59:48Z OK waiting-for-identity Endpoint creation | |
``` | |
#### Identity get 4
```
ID   LABELS
4    reserved:health
```
#### BPF Policy Get 820 | |
``` | |
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS | |
Ingress 1 ANY NONE 0 0 | |
Ingress 2 ANY NONE 0 0 | |
Ingress 3 ANY NONE 0 0 | |
Ingress 4 ANY NONE 0 0 | |
Ingress 5 ANY NONE 0 0 | |
Ingress 100 ANY NONE 0 0 | |
Ingress 101 ANY NONE 0 0 | |
Ingress 102 ANY NONE 0 0 | |
Ingress 103 ANY NONE 0 0 | |
Ingress 104 ANY NONE 0 0 | |
Ingress 105 ANY NONE 0 0 | |
Ingress 106 ANY NONE 0 0 | |
Ingress 66381 ANY NONE 0 0 | |
Ingress 68232 ANY NONE 0 0 | |
Ingress 73167 ANY NONE 0 0 | |
Ingress 81423 ANY NONE 0 0 | |
Ingress 83218 ANY NONE 0 0 | |
Ingress 91065 ANY NONE 0 0 | |
Ingress 116597 ANY NONE 0 0 | |
Ingress 133036 ANY NONE 0 0 | |
Ingress 142781 ANY NONE 0 0 | |
Ingress 169731 ANY NONE 0 0 | |
Ingress 174579 ANY NONE 0 0 | |
Ingress 177140 ANY NONE 0 0 | |
Ingress 178546 ANY NONE 0 0 | |
Ingress 179652 ANY NONE 0 0 | |
Egress 1 ANY NONE 0 0 | |
Egress 2 ANY NONE 0 0 | |
Egress 3 ANY NONE 0 0 | |
Egress 4 ANY NONE 0 0 | |
Egress 5 ANY NONE 0 0 | |
Egress 100 ANY NONE 0 0 | |
Egress 101 ANY NONE 0 0 | |
Egress 102 ANY NONE 0 0 | |
Egress 103 ANY NONE 0 0 | |
Egress 104 ANY NONE 0 0 | |
Egress 105 ANY NONE 0 0 | |
Egress 106 ANY NONE 0 0 | |
Egress 66381 ANY NONE 0 0 | |
Egress 68232 ANY NONE 0 0 | |
Egress 73167 ANY NONE 0 0 | |
Egress 81423 ANY NONE 0 0 | |
Egress 83218 ANY NONE 0 0 | |
Egress 91065 ANY NONE 0 0 | |
Egress 116597 ANY NONE 0 0 | |
Egress 133036 ANY NONE 0 0 | |
Egress 142781 ANY NONE 0 0 | |
Egress 169731 ANY NONE 0 0 | |
Egress 174579 ANY NONE 0 0 | |
Egress 177140 ANY NONE 0 0 | |
Egress 178546 ANY NONE 0 0 | |
Egress 179652 ANY NONE 0 0 | |
```
#### BPF CT List 820
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_820: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_820: no such file or directory
```
#### Endpoint Get 820
```
[ | |
{ | |
"id": 820, | |
"spec": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"status": { | |
"controllers": [ | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "resolve-identity-820", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:16:22.986Z", | |
"success-count": 28 | |
}, | |
"uuid": "2364062f-2946-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv4-identity-mapping (820)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:16:23.801Z", | |
"success-count": 28 | |
}, | |
"uuid": "2364026d-2946-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv6-identity-mapping (820)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:16:23.627Z", | |
"success-count": 28 | |
}, | |
"uuid": "2364029c-2946-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-identity-to-k8s-pod (820)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:25.358Z", | |
"success-count": 140 | |
}, | |
"uuid": "236401f2-2946-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-policymap-820", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:44.415Z", | |
"success-count": 144 | |
}, | |
"uuid": "23c29d0e-2946-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "10s" | |
}, | |
"name": "sync-to-k8s-ciliumendpoint (820)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:21:03.304Z", | |
"success-count": 839 | |
}, | |
"uuid": "23568e0e-2946-11e9-ab5e-000d3a2ae96b" | |
} | |
], | |
"external-identifiers": { | |
"container-id": "8ff6320174eb9406eb6e2b272f0f810af1ce4bc3960b37e87ca8d5f9a65059d5", | |
"container-name": "k8s_POD_x-wing-5d7b9b4898-bxtpc_default_223d6ea5-2946-11e9-80a2-000d3a2becd8_0", | |
"pod-name": "default/x-wing-5d7b9b4898-bxtpc" | |
}, | |
"health": { | |
"bpf": "OK", | |
"connected": true, | |
"overallHealth": "OK", | |
"policy": "OK" | |
}, | |
"identity": { | |
"id": 66381, | |
"labels": [ | |
"k8s:io.cilium.k8s.policy.serviceaccount=default", | |
"k8s:io.cilium.k8s.policy.cluster=euw", | |
"k8s:name=x-wing", | |
"k8s:io.kubernetes.pod.namespace=default" | |
], | |
"labelsSHA256": "f31e397d5f6b1bebd49bdaca9ecbd3c72360c66aa954c229a50fa792dfa1a724" | |
}, | |
"labels": { | |
"derived": [ | |
"container:annotation.kubernetes.io/config.seen=2019-02-05T13:01:21.222131507Z", | |
"container:annotation.kubernetes.io/config.source=api", | |
"container:io.kubernetes.container.name=POD", | |
"container:io.kubernetes.docker.type=podsandbox", | |
"container:io.kubernetes.pod.name=x-wing-5d7b9b4898-bxtpc", | |
"container:io.kubernetes.pod.uid=223d6ea5-2946-11e9-80a2-000d3a2becd8", | |
"k8s:pod-template-hash=5d7b9b4898" | |
], | |
"disabled": [], | |
"realized": { | |
"user": [] | |
}, | |
"security-relevant": [ | |
"k8s:io.cilium.k8s.policy.cluster=euw", | |
"k8s:io.cilium.k8s.policy.serviceaccount=default", | |
"k8s:io.kubernetes.pod.namespace=default", | |
"k8s:name=x-wing" | |
] | |
}, | |
"log": [ | |
{ | |
"code": "OK", | |
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)", | |
"state": "ready", | |
"timestamp": "2019-02-05T14:11:44Z" | |
} | |
], | |
"networking": { | |
"addressing": [ | |
{ | |
"ipv4": "10.245.0.25" | |
} | |
], | |
"host-mac": "3e:fe:49:4d:87:2f", | |
"interface-index": 25, | |
"interface-name": "lxce6cbeb7e31a3", | |
"mac": "ba:8c:c3:d9:a6:84" | |
}, | |
"policy": { | |
"proxy-statistics": [], | |
"realized": { | |
"allowed-egress-identities": [ | |
177140, | |
106, | |
100, | |
133036, | |
3, | |
73167, | |
103, | |
174579, | |
81423, | |
91065, | |
178546, | |
66381, | |
1, | |
169731, | |
2, | |
4, | |
101, | |
83218, | |
116597, | |
5, | |
104, | |
179652, | |
68232, | |
105, | |
102, | |
142781 | |
], | |
"allowed-ingress-identities": [ | |
105, | |
103, | |
73167, | |
1, | |
91065, | |
102, | |
2, | |
174579, | |
116597, | |
3, | |
179652, | |
101, | |
5, | |
104, | |
169731, | |
81423, | |
106, | |
142781, | |
66381, | |
83218, | |
178546, | |
68232, | |
133036, | |
177140, | |
100, | |
4 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 66381, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
}, | |
"spec": { | |
"allowed-egress-identities": [ | |
174579, | |
133036, | |
142781, | |
4, | |
177140, | |
101, | |
100, | |
179652, | |
3, | |
104, | |
73167, | |
66381, | |
91065, | |
1, | |
81423, | |
116597, | |
105, | |
106, | |
178546, | |
68232, | |
102, | |
2, | |
103, | |
83218, | |
5, | |
169731 | |
], | |
"allowed-ingress-identities": [ | |
91065, | |
116597, | |
106, | |
178546, | |
169731, | |
1, | |
73167, | |
177140, | |
179652, | |
4, | |
66381, | |
68232, | |
100, | |
103, | |
81423, | |
133036, | |
142781, | |
101, | |
105, | |
174579, | |
104, | |
5, | |
83218, | |
3, | |
102, | |
2 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 66381, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
} | |
}, | |
"realized": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"state": "ready" | |
} | |
} | |
] | |
```
#### Endpoint Health 820
```
Overall Health: OK
BPF Health: OK
Policy Health: OK
Connected: yes
```
#### Endpoint Log 820
```
Timestamp Status State Message | |
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: updated security labels) | |
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: updated security labels | |
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering regeneration due to new identity | |
2019-02-05T13:01:22Z OK ready Set identity for this endpoint | |
2019-02-05T13:01:22Z OK waiting-for-identity Endpoint creation | |
```
#### Identity get 66381
```
ID      LABELS
66381   k8s:io.cilium.k8s.policy.cluster=euw
        k8s:io.cilium.k8s.policy.serviceaccount=default
        k8s:io.kubernetes.pod.namespace=default
        k8s:name=x-wing
```
#### BPF Policy Get 1003
```
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS | |
Ingress 1 ANY NONE 0 0 | |
Ingress 2 ANY NONE 0 0 | |
Ingress 3 ANY NONE 0 0 | |
Ingress 4 ANY NONE 0 0 | |
Ingress 5 ANY NONE 0 0 | |
Ingress 100 ANY NONE 0 0 | |
Ingress 101 ANY NONE 0 0 | |
Ingress 102 ANY NONE 0 0 | |
Ingress 103 ANY NONE 0 0 | |
Ingress 104 ANY NONE 0 0 | |
Ingress 105 ANY NONE 0 0 | |
Ingress 106 ANY NONE 0 0 | |
Ingress 66381 ANY NONE 0 0 | |
Ingress 68232 ANY NONE 0 0 | |
Ingress 73167 ANY NONE 0 0 | |
Ingress 81423 ANY NONE 0 0 | |
Ingress 83218 ANY NONE 0 0 | |
Ingress 91065 ANY NONE 0 0 | |
Ingress 116597 ANY NONE 0 0 | |
Ingress 133036 ANY NONE 0 0 | |
Ingress 142781 ANY NONE 0 0 | |
Ingress 169731 ANY NONE 0 0 | |
Ingress 174579 ANY NONE 0 0 | |
Ingress 177140 ANY NONE 0 0 | |
Ingress 178546 ANY NONE 0 0 | |
Ingress 179652 ANY NONE 0 0 | |
Egress 1 ANY NONE 0 0 | |
Egress 2 ANY NONE 0 0 | |
Egress 3 ANY NONE 0 0 | |
Egress 4 ANY NONE 0 0 | |
Egress 5 ANY NONE 0 0 | |
Egress 100 ANY NONE 0 0 | |
Egress 101 ANY NONE 0 0 | |
Egress 102 ANY NONE 0 0 | |
Egress 103 ANY NONE 0 0 | |
Egress 104 ANY NONE 0 0 | |
Egress 105 ANY NONE 0 0 | |
Egress 106 ANY NONE 0 0 | |
Egress 66381 ANY NONE 0 0 | |
Egress 68232 ANY NONE 0 0 | |
Egress 73167 ANY NONE 0 0 | |
Egress 81423 ANY NONE 0 0 | |
Egress 83218 ANY NONE 0 0 | |
Egress 91065 ANY NONE 0 0 | |
Egress 116597 ANY NONE 0 0 | |
Egress 133036 ANY NONE 0 0 | |
Egress 142781 ANY NONE 0 0 | |
Egress 169731 ANY NONE 0 0 | |
Egress 174579 ANY NONE 0 0 | |
Egress 177140 ANY NONE 0 0 | |
Egress 178546 ANY NONE 0 0 | |
Egress 179652 ANY NONE 0 0 | |
```
#### BPF CT List 1003
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_1003: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_1003: no such file or directory
```
#### Endpoint Get 1003
```
[ | |
{ | |
"id": 1003, | |
"spec": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"status": { | |
"controllers": [ | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv4-identity-mapping (1003)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.376Z", | |
"success-count": 29 | |
}, | |
"uuid": "eafb3972-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv6-identity-mapping (1003)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.423Z", | |
"success-count": 29 | |
}, | |
"uuid": "eafb39a5-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-identity-to-k8s-pod (1003)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:21:01.035Z", | |
"success-count": 142 | |
}, | |
"uuid": "eafb3905-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-policymap-1003", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:44.415Z", | |
"success-count": 146 | |
}, | |
"uuid": "ebe1eb46-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "10s" | |
}, | |
"name": "sync-to-k8s-ciliumendpoint (1003)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:59.117Z", | |
"success-count": 848 | |
}, | |
"uuid": "eae88b82-2945-11e9-ab5e-000d3a2ae96b" | |
} | |
], | |
"external-identifiers": { | |
"container-id": "f97f2c920a978666833be599ae27bc928fa231f64e1e7ff711289fe4e83795cf", | |
"container-name": "k8s_POD_blobfuse-flexvol-installer-zdchl_kube-system_75f295c8-2940-11e9-80a2-000d3a2becd8_1", | |
"pod-name": "kube-system/blobfuse-flexvol-installer-zdchl" | |
}, | |
"health": { | |
"bpf": "OK", | |
"connected": true, | |
"overallHealth": "OK", | |
"policy": "OK" | |
}, | |
"identity": { | |
"id": 68232, | |
"labels": [ | |
"k8s:io.cilium.k8s.policy.serviceaccount=default", | |
"k8s:io.kubernetes.pod.namespace=kube-system", | |
"k8s:name=blobfuse", | |
"k8s:io.cilium.k8s.policy.cluster=euw" | |
], | |
"labelsSHA256": "c694cbae72d74dbe3ffdfffb705a10f17b64ad6360df503b0b70459ede57acbe" | |
}, | |
"labels": { | |
"derived": [ | |
"container:annotation.kubernetes.io/config.seen=2019-02-05T12:20:44.642144601Z", | |
"container:annotation.kubernetes.io/config.source=api", | |
"container:io.kubernetes.container.name=POD", | |
"container:io.kubernetes.docker.type=podsandbox", | |
"container:io.kubernetes.pod.name=blobfuse-flexvol-installer-zdchl", | |
"container:io.kubernetes.pod.uid=75f295c8-2940-11e9-80a2-000d3a2becd8", | |
"k8s:controller-revision-hash=54b77869c", | |
"k8s:kubernetes.io/cluster-service=true", | |
"k8s:pod-template-generation=1" | |
], | |
"disabled": [], | |
"realized": { | |
"user": [] | |
}, | |
"security-relevant": [ | |
"k8s:io.cilium.k8s.policy.cluster=euw", | |
"k8s:io.cilium.k8s.policy.serviceaccount=default", | |
"k8s:io.kubernetes.pod.namespace=kube-system", | |
"k8s:name=blobfuse" | |
] | |
}, | |
"log": [ | |
{ | |
"code": "OK", | |
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)", | |
"state": "ready", | |
"timestamp": "2019-02-05T14:11:44Z" | |
} | |
], | |
"networking": { | |
"addressing": [ | |
{ | |
"ipv4": "10.245.0.70" | |
} | |
], | |
"host-mac": "66:ed:6b:27:60:82", | |
"interface-index": 11, | |
"interface-name": "lxcf0a3a72b953c", | |
"mac": "46:0e:b1:43:38:93" | |
}, | |
"policy": { | |
"proxy-statistics": [], | |
"realized": { | |
"allowed-egress-identities": [ | |
178546, | |
105, | |
106, | |
116597, | |
1, | |
4, | |
103, | |
2, | |
104, | |
133036, | |
169731, | |
5, | |
3, | |
179652, | |
100, | |
102, | |
66381, | |
83218, | |
101, | |
177140, | |
81423, | |
174579, | |
68232, | |
142781, | |
91065, | |
73167 | |
], | |
"allowed-ingress-identities": [ | |
91065, | |
105, | |
104, | |
133036, | |
3, | |
106, | |
101, | |
179652, | |
116597, | |
174579, | |
178546, | |
100, | |
103, | |
142781, | |
66381, | |
2, | |
68232, | |
83218, | |
1, | |
73167, | |
102, | |
177140, | |
81423, | |
5, | |
4, | |
169731 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 68232, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
}, | |
"spec": { | |
"allowed-egress-identities": [ | |
169731, | |
2, | |
68232, | |
174579, | |
73167, | |
116597, | |
177140, | |
142781, | |
81423, | |
106, | |
66381, | |
100, | |
91065, | |
104, | |
4, | |
102, | |
179652, | |
105, | |
101, | |
103, | |
178546, | |
5, | |
1, | |
133036, | |
3, | |
83218 | |
], | |
"allowed-ingress-identities": [ | |
1, | |
103, | |
142781, | |
68232, | |
174579, | |
133036, | |
178546, | |
106, | |
169731, | |
5, | |
4, | |
116597, | |
73167, | |
102, | |
104, | |
3, | |
101, | |
100, | |
91065, | |
105, | |
83218, | |
2, | |
66381, | |
179652, | |
81423, | |
177140 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 68232, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
} | |
}, | |
"realized": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"state": "ready" | |
} | |
} | |
] | |
```
#### Endpoint Health 1003
```
Overall Health: OK
BPF Health: OK
Policy Health: OK
Connected: yes
```
#### Endpoint Log 1003
```
Timestamp Status State Message | |
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:22Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:22Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:59:49Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host) | |
2019-02-05T12:59:49Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:59:49Z OK regenerating Regenerating endpoint: syncing state to host | |
2019-02-05T12:59:48Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host | |
2019-02-05T12:59:48Z OK restoring Synchronizing endpoint labels with KVStore | |
2019-02-05T12:59:45Z OK restoring Restoring endpoint from previous cilium instance | |
2019-02-05T12:59:45Z OK restoring Endpoint restoring | |
2019-02-05T12:59:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T12:59:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:57:19Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host) | |
2019-02-05T12:57:19Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:57:19Z OK regenerating Regenerating endpoint: syncing state to host | |
2019-02-05T12:57:18Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host | |
2019-02-05T12:57:18Z OK restoring Synchronizing endpoint labels with KVStore | |
2019-02-05T12:57:15Z OK restoring Restoring endpoint from previous cilium instance | |
2019-02-05T12:57:15Z OK restoring Endpoint restoring | |
2019-02-05T12:23:27Z OK regenerating Regenerating endpoint: | |
2019-02-05T12:23:27Z OK waiting-to-regenerate Triggering endpoint regeneration due to | |
2019-02-05T12:23:26Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T12:23:26Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:23:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T12:23:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:23:25Z OK ready Successfully regenerated endpoint program (Reason: updated security labels) | |
2019-02-05T12:23:25Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:23:25Z OK regenerating Regenerating endpoint: updated security labels | |
2019-02-05T12:23:25Z OK waiting-to-regenerate Triggering regeneration due to new identity | |
2019-02-05T12:23:25Z OK ready Set identity for this endpoint | |
2019-02-05T12:23:25Z Warning waiting-for-identity Skipped invalid state transition to waiting-to-regenerate due to: Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:22:22Z OK waiting-for-identity Endpoint creation | |
```
#### Identity get 68232
```
ID      LABELS
68232   k8s:io.cilium.k8s.policy.cluster=euw
        k8s:io.cilium.k8s.policy.serviceaccount=default
        k8s:io.kubernetes.pod.namespace=kube-system
        k8s:name=blobfuse
```
#### BPF Policy Get 1349
```
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS | |
Ingress 1 ANY NONE 0 0 | |
Ingress 2 ANY NONE 0 0 | |
Ingress 3 ANY NONE 0 0 | |
Ingress 4 ANY NONE 0 0 | |
Ingress 5 ANY NONE 0 0 | |
Ingress 100 ANY NONE 0 0 | |
Ingress 101 ANY NONE 0 0 | |
Ingress 102 ANY NONE 0 0 | |
Ingress 103 ANY NONE 0 0 | |
Ingress 104 ANY NONE 0 0 | |
Ingress 105 ANY NONE 0 0 | |
Ingress 106 ANY NONE 0 0 | |
Ingress 66381 ANY NONE 0 0 | |
Ingress 68232 ANY NONE 0 0 | |
Ingress 73167 ANY NONE 0 0 | |
Ingress 81423 ANY NONE 0 0 | |
Ingress 83218 ANY NONE 0 0 | |
Ingress 91065 ANY NONE 0 0 | |
Ingress 116597 ANY NONE 0 0 | |
Ingress 133036 ANY NONE 0 0 | |
Ingress 142781 ANY NONE 0 0 | |
Ingress 169731 ANY NONE 0 0 | |
Ingress 174579 ANY NONE 0 0 | |
Ingress 177140 ANY NONE 0 0 | |
Ingress 178546 ANY NONE 0 0 | |
Ingress 179652 ANY NONE 0 0 | |
Egress 1 ANY NONE 0 0 | |
Egress 2 ANY NONE 0 0 | |
Egress 3 ANY NONE 0 0 | |
Egress 4 ANY NONE 0 0 | |
Egress 5 ANY NONE 0 0 | |
Egress 100 ANY NONE 0 0 | |
Egress 101 ANY NONE 0 0 | |
Egress 102 ANY NONE 0 0 | |
Egress 103 ANY NONE 0 0 | |
Egress 104 ANY NONE 0 0 | |
Egress 105 ANY NONE 0 0 | |
Egress 106 ANY NONE 0 0 | |
Egress 66381 ANY NONE 0 0 | |
Egress 68232 ANY NONE 0 0 | |
Egress 73167 ANY NONE 0 0 | |
Egress 81423 ANY NONE 0 0 | |
Egress 83218 ANY NONE 0 0 | |
Egress 91065 ANY NONE 0 0 | |
Egress 116597 ANY NONE 0 0 | |
Egress 133036 ANY NONE 0 0 | |
Egress 142781 ANY NONE 0 0 | |
Egress 169731 ANY NONE 0 0 | |
Egress 174579 ANY NONE 0 0 | |
Egress 177140 ANY NONE 0 0 | |
Egress 178546 ANY NONE 0 0 | |
Egress 179652 ANY NONE 0 0 | |
```
#### BPF CT List 1349
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_1349: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_1349: no such file or directory
```
#### Endpoint Get 1349
```
[ | |
{ | |
"id": 1349, | |
"spec": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"status": { | |
"controllers": [ | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv4-identity-mapping (1349)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.284Z", | |
"success-count": 29 | |
}, | |
"uuid": "eafa767c-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv6-identity-mapping (1349)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.423Z", | |
"success-count": 29 | |
}, | |
"uuid": "eafa76fc-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-identity-to-k8s-pod (1349)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:21:00.952Z", | |
"success-count": 142 | |
}, | |
"uuid": "eafa6f0d-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-policymap-1349", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:44.415Z", | |
"success-count": 146 | |
}, | |
"uuid": "ebbbdbf9-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "10s" | |
}, | |
"name": "sync-to-k8s-ciliumendpoint (1349)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:58.940Z", | |
"success-count": 848 | |
}, | |
"uuid": "eae88a70-2945-11e9-ab5e-000d3a2ae96b" | |
} | |
], | |
"external-identifiers": { | |
"container-id": "45c3eb596440f0bd98c168c9ccd6c6135541db0980b5a57c8d90979fd4c6d68b", | |
"container-name": "k8s_POD_keyvault-flexvolume-qccfp_kube-system_7607558a-2940-11e9-80a2-000d3a2becd8_1", | |
"pod-name": "kube-system/keyvault-flexvolume-qccfp" | |
}, | |
"health": { | |
"bpf": "OK", | |
"connected": true, | |
"overallHealth": "OK", | |
"policy": "OK" | |
}, | |
"identity": { | |
"id": 73167, | |
"labels": [ | |
"k8s:app=keyvault-flexvolume", | |
"k8s:io.cilium.k8s.policy.cluster=euw", | |
"k8s:io.cilium.k8s.policy.serviceaccount=default", | |
"k8s:io.kubernetes.pod.namespace=kube-system" | |
], | |
"labelsSHA256": "662bfe11b9f87579ef55c74399ef6f58e52be3c74df2cbe674a87be88585fac7"
},
"labels": {
"derived": [
"container:annotation.kubernetes.io/config.seen=2019-02-05T12:20:44.748681678Z",
"container:annotation.kubernetes.io/config.source=api",
"container:io.kubernetes.container.name=POD",
"container:io.kubernetes.docker.type=podsandbox",
"container:io.kubernetes.pod.name=keyvault-flexvolume-qccfp",
"container:io.kubernetes.pod.uid=7607558a-2940-11e9-80a2-000d3a2becd8",
"k8s:addonmanager.kubernetes.io/mode=EnsureExists",
"k8s:controller-revision-hash=6bf47dcb8b",
"k8s:kubernetes.io/cluster-service=true",
"k8s:pod-template-generation=1"
],
"disabled": [],
"realized": {
"user": []
},
"security-relevant": [
"k8s:app=keyvault-flexvolume",
"k8s:io.cilium.k8s.policy.cluster=euw",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=kube-system"
]
},
"log": [
{
"code": "OK",
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)",
"state": "ready",
"timestamp": "2019-02-05T14:11:44Z"
}
],
"networking": {
"addressing": [
{
"ipv4": "10.245.0.199"
}
],
"host-mac": "0a:93:8a:6d:61:30",
"interface-index": 13,
"interface-name": "lxced35943cf61c",
"mac": "da:46:b1:23:42:65"
},
"policy": {
"proxy-statistics": [],
"realized": {
"allowed-egress-identities": [
103,
4,
177140,
179652,
116597,
83218,
1,
66381,
68232,
101,
133036,
73167,
91065,
102,
2,
106,
105,
104,
174579,
169731,
3,
5,
142781,
100,
81423,
178546
],
"allowed-ingress-identities": [
179652,
81423,
68232,
1,
103,
2,
177140,
142781,
106,
101,
4,
169731,
83218,
116597,
66381,
5,
91065,
105,
100,
3,
178546,
104,
174579,
102,
133036,
73167
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 73167,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
},
"spec": {
"allowed-egress-identities": [
81423,
5,
83218,
106,
100,
1,
68232,
73167,
104,
105,
103,
133036,
91065,
102,
4,
178546,
169731,
2,
66381,
142781,
116597,
179652,
177140,
101,
3,
174579
],
"allowed-ingress-identities": [
81423,
91065,
83218,
133036,
104,
3,
68232,
1,
142781,
177140,
179652,
116597,
169731,
5,
105,
2,
101,
73167,
174579,
100,
4,
103,
178546,
106,
66381,
102
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 73167,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
}
},
"realized": {
"label-configuration": {
"user": []
},
"options": {
"Conntrack": "Enabled",
"ConntrackAccounting": "Enabled",
"ConntrackLocal": "Disabled",
"Debug": "Disabled",
"DebugLB": "Disabled",
"DropNotification": "Enabled",
"MonitorAggregationLevel": "None",
"NAT46": "Disabled",
"TraceNotification": "Enabled"
}
},
"state": "ready"
}
}
]
```
#### Endpoint Health 1349
```
Overall Health: OK
BPF Health: OK
Policy Health: OK
Connected: yes
```
#### Endpoint Log 1349
```
Timestamp Status State Message
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:22Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:22Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:59:49Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host)
2019-02-05T12:59:49Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:59:48Z OK regenerating Regenerating endpoint: syncing state to host
2019-02-05T12:59:48Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host
2019-02-05T12:59:48Z OK restoring Synchronizing endpoint labels with KVStore
2019-02-05T12:59:45Z OK restoring Restoring endpoint from previous cilium instance
2019-02-05T12:59:45Z OK restoring Endpoint restoring
2019-02-05T12:59:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T12:59:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:57:19Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host)
2019-02-05T12:57:19Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:57:19Z OK regenerating Regenerating endpoint: syncing state to host
2019-02-05T12:57:18Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host
2019-02-05T12:57:18Z OK restoring Synchronizing endpoint labels with KVStore
2019-02-05T12:57:15Z OK restoring Restoring endpoint from previous cilium instance
2019-02-05T12:57:15Z OK restoring Endpoint restoring
2019-02-05T12:23:27Z OK regenerating Regenerating endpoint:
2019-02-05T12:23:27Z OK waiting-to-regenerate Triggering endpoint regeneration due to
2019-02-05T12:23:26Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T12:23:26Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:23:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T12:23:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:23:26Z OK ready Successfully regenerated endpoint program (Reason: updated security labels)
2019-02-05T12:23:26Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:23:25Z OK regenerating Regenerating endpoint: updated security labels
2019-02-05T12:23:25Z OK waiting-to-regenerate Triggering regeneration due to new identity
2019-02-05T12:23:25Z OK ready Set identity for this endpoint
2019-02-05T12:23:25Z Warning waiting-for-identity Skipped invalid state transition to waiting-to-regenerate due to: Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:22:23Z OK waiting-for-identity Endpoint creation
```
#### Identity get 73167
```
ID      LABELS
73167   k8s:app=keyvault-flexvolume
        k8s:io.cilium.k8s.policy.cluster=euw
        k8s:io.cilium.k8s.policy.serviceaccount=default
        k8s:io.kubernetes.pod.namespace=kube-system
```
#### BPF Policy Get 1951
```
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS
Ingress 1 ANY NONE 0 0
Ingress 2 ANY NONE 0 0
Ingress 3 ANY NONE 0 0
Ingress 4 ANY NONE 0 0
Ingress 5 ANY NONE 0 0
Ingress 100 ANY NONE 0 0
Ingress 101 ANY NONE 0 0
Ingress 102 ANY NONE 0 0
Ingress 103 ANY NONE 0 0
Ingress 104 ANY NONE 0 0
Ingress 105 ANY NONE 0 0
Ingress 106 ANY NONE 0 0
Ingress 66381 ANY NONE 0 0
Ingress 68232 ANY NONE 0 0
Ingress 73167 ANY NONE 0 0
Ingress 81423 ANY NONE 0 0
Ingress 83218 ANY NONE 0 0
Ingress 91065 ANY NONE 0 0
Ingress 116597 ANY NONE 0 0
Ingress 133036 ANY NONE 0 0
Ingress 142781 ANY NONE 0 0
Ingress 169731 ANY NONE 0 0
Ingress 174579 ANY NONE 0 0
Ingress 177140 ANY NONE 0 0
Ingress 178546 ANY NONE 0 0
Ingress 179652 ANY NONE 0 0
Egress 1 ANY NONE 26747255 129292
Egress 2 ANY NONE 4664958 22901
Egress 3 ANY NONE 0 0
Egress 4 ANY NONE 0 0
Egress 5 ANY NONE 0 0
Egress 100 ANY NONE 0 0
Egress 101 ANY NONE 53375913 348953
Egress 102 ANY NONE 0 0
Egress 103 ANY NONE 0 0
Egress 104 ANY NONE 3853352 30988
Egress 105 ANY NONE 1837300 8847
Egress 106 ANY NONE 0 0
Egress 66381 ANY NONE 0 0
Egress 68232 ANY NONE 0 0
Egress 73167 ANY NONE 0 0
Egress 81423 ANY NONE 0 0
Egress 83218 ANY NONE 0 0
Egress 91065 ANY NONE 0 0
Egress 116597 ANY NONE 0 0
Egress 133036 ANY NONE 0 0
Egress 142781 ANY NONE 0 0
Egress 169731 ANY NONE 0 0
Egress 174579 ANY NONE 0 0
Egress 177140 ANY NONE 0 0
Egress 178546 ANY NONE 0 0
Egress 179652 ANY NONE 0 0
```
#### BPF CT List 1951
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_1951: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_1951: no such file or directory
```
#### Endpoint Get 1951
```
[
{
"id": 1951,
"spec": {
"label-configuration": {
"user": []
},
"options": {
"Conntrack": "Enabled",
"ConntrackAccounting": "Enabled",
"ConntrackLocal": "Disabled",
"Debug": "Disabled",
"DebugLB": "Disabled",
"DropNotification": "Enabled",
"MonitorAggregationLevel": "None",
"NAT46": "Disabled",
"TraceNotification": "Enabled"
}
},
"status": {
"controllers": [
{
"configuration": {
"error-retry": true,
"interval": "5m0s"
},
"name": "sync-IPv4-identity-mapping (1951)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:19:49.142Z",
"success-count": 29
},
"uuid": "eae8f364-2945-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "5m0s"
},
"name": "sync-IPv6-identity-mapping (1951)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:19:49.209Z",
"success-count": 29
},
"uuid": "eae8f39d-2945-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "1m0s"
},
"name": "sync-identity-to-k8s-pod (1951)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:21:01.209Z",
"success-count": 142
},
"uuid": "eae8f30c-2945-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "1m0s"
},
"name": "sync-policymap-1951",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:20:44.415Z",
"success-count": 146
},
"uuid": "eb6d8f12-2945-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "10s"
},
"name": "sync-to-k8s-ciliumendpoint (1951)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:20:58.858Z",
"success-count": 848
},
"uuid": "eae88931-2945-11e9-ab5e-000d3a2ae96b"
}
],
"external-identifiers": {
"container-id": "026ad6bfe927ebb1220c316562271807bab7578ed31b9fc8b23ba03060fc16a8",
"container-name": "k8s_POD_cilium-etcd-hgkbl76gdg_kube-system_d8646c48-2940-11e9-a892-000d3a2be15f_0",
"pod-name": "kube-system/cilium-etcd-hgkbl76gdg"
},
"health": {
"bpf": "OK",
"connected": true,
"overallHealth": "OK",
"policy": "OK"
},
"identity": {
"id": 101,
"labels": [
"k8s:etcd_cluster=cilium-etcd",
"k8s:io.cilium/app=etcd-operator",
"k8s:io.kubernetes.pod.namespace=kube-system",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.cilium.k8s.policy.cluster=euw",
"k8s:app=etcd"
],
"labelsSHA256": "6bd3121edc49895b3f6014f627bf7a4403ec4d8aa732908d9c5cfaabacede5a4"
},
"labels": {
"derived": [
"container:annotation.etcd.version=3.3.11",
"container:annotation.kubernetes.io/config.seen=2019-02-05T12:23:29.780531412Z",
"container:annotation.kubernetes.io/config.source=api",
"container:io.kubernetes.container.name=POD",
"container:io.kubernetes.docker.type=podsandbox",
"container:io.kubernetes.pod.name=cilium-etcd-hgkbl76gdg",
"container:io.kubernetes.pod.uid=d8646c48-2940-11e9-a892-000d3a2be15f",
"k8s:etcd_node=cilium-etcd-hgkbl76gdg"
],
"disabled": [],
"realized": {
"user": []
},
"security-relevant": [
"k8s:app=etcd",
"k8s:etcd_cluster=cilium-etcd",
"k8s:io.cilium.k8s.policy.cluster=euw",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.cilium/app=etcd-operator",
"k8s:io.kubernetes.pod.namespace=kube-system"
]
},
"log": [
{
"code": "OK",
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)",
"state": "ready",
"timestamp": "2019-02-05T14:11:44Z"
}
],
"networking": {
"addressing": [
{
"ipv4": "10.245.0.28"
}
],
"host-mac": "a2:d5:ad:4f:18:04",
"interface-index": 17,
"interface-name": "lxc98c68c7d7f08",
"mac": "76:a8:5d:3d:31:7c"
},
"policy": {
"proxy-statistics": [],
"realized": {
"allowed-egress-identities": [
66381,
83218,
174579,
102,
5,
103,
105,
1,
100,
142781,
101,
81423,
2,
106,
3,
73167,
91065,
4,
179652,
177140,
169731,
133036,
178546,
116597,
104,
68232
],
"allowed-ingress-identities": [
91065,
101,
81423,
103,
106,
105,
66381,
104,
2,
83218,
3,
133036,
100,
169731,
177140,
4,
5,
178546,
73167,
116597,
1,
174579,
102,
68232,
142781,
179652
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 101,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
},
"spec": {
"allowed-egress-identities": [
142781,
105,
5,
133036,
102,
178546,
116597,
169731,
103,
81423,
66381,
91065,
101,
179652,
4,
83218,
174579,
3,
104,
177140,
100,
68232,
2,
106,
1,
73167
],
"allowed-ingress-identities": [
3,
105,
116597,
106,
174579,
1,
104,
100,
4,
73167,
91065,
2,
177140,
102,
178546,
5,
101,
81423,
83218,
179652,
103,
66381,
68232,
169731,
142781,
133036
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 101,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
}
},
"realized": {
"label-configuration": {
"user": []
},
"options": {
"Conntrack": "Enabled",
"ConntrackAccounting": "Enabled",
"ConntrackLocal": "Disabled",
"Debug": "Disabled",
"DebugLB": "Disabled",
"DropNotification": "Enabled",
"MonitorAggregationLevel": "None",
"NAT46": "Disabled",
"TraceNotification": "Enabled"
}
},
"state": "ready"
}
}
]
```
#### Endpoint Health 1951
```
Overall Health: OK
BPF Health: OK
Policy Health: OK
Connected: yes
```
#### Endpoint Log 1951
```
Timestamp Status State Message
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:22Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:22Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:59:49Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host)
2019-02-05T12:59:49Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:59:48Z OK regenerating Regenerating endpoint: syncing state to host
2019-02-05T12:59:48Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host
2019-02-05T12:59:48Z OK restoring Synchronizing endpoint labels with KVStore
2019-02-05T12:59:45Z OK restoring Restoring endpoint from previous cilium instance
2019-02-05T12:59:45Z OK restoring Endpoint restoring
2019-02-05T12:59:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T12:59:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T12:57:19Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host)
2019-02-05T12:57:19Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T12:57:18Z OK regenerating Regenerating endpoint: syncing state to host
2019-02-05T12:57:18Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host
2019-02-05T12:57:18Z OK restoring Synchronizing endpoint labels with KVStore
2019-02-05T12:57:15Z OK restoring Restoring endpoint from previous cilium instance
2019-02-05T12:57:15Z OK restoring Endpoint restoring
2019-02-05T12:23:31Z OK regenerating Regenerating endpoint: updated security labels
2019-02-05T12:23:31Z OK waiting-to-regenerate Triggering regeneration due to new identity
2019-02-05T12:23:31Z OK ready Set identity for this endpoint
2019-02-05T12:23:31Z OK waiting-for-identity Endpoint creation
```
#### Identity get 101
```
ID      LABELS
101     k8s:app=etcd
        k8s:etcd_cluster=cilium-etcd
        k8s:io.cilium.k8s.policy.cluster=euw
        k8s:io.cilium.k8s.policy.serviceaccount=default
        k8s:io.cilium/app=etcd-operator
        k8s:io.kubernetes.pod.namespace=kube-system
```
#### BPF Policy Get 3443
```
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS
Ingress 1 ANY NONE 0 0
Ingress 2 ANY NONE 0 0
Ingress 3 ANY NONE 0 0
Ingress 4 ANY NONE 0 0
Ingress 5 ANY NONE 0 0
Ingress 100 ANY NONE 0 0
Ingress 101 ANY NONE 0 0
Ingress 102 ANY NONE 0 0
Ingress 103 ANY NONE 0 0
Ingress 104 ANY NONE 0 0
Ingress 105 ANY NONE 0 0
Ingress 106 ANY NONE 0 0
Ingress 66381 ANY NONE 0 0
Ingress 68232 ANY NONE 0 0
Ingress 73167 ANY NONE 0 0
Ingress 81423 ANY NONE 0 0
Ingress 83218 ANY NONE 0 0
Ingress 91065 ANY NONE 0 0
Ingress 116597 ANY NONE 0 0
Ingress 133036 ANY NONE 0 0
Ingress 142781 ANY NONE 0 0
Ingress 169731 ANY NONE 0 0
Ingress 174579 ANY NONE 0 0
Ingress 177140 ANY NONE 0 0
Ingress 178546 ANY NONE 0 0
Ingress 179652 ANY NONE 0 0
Egress 1 ANY NONE 6201456 54262
Egress 2 ANY NONE 105702 1736
Egress 3 ANY NONE 0 0
Egress 4 ANY NONE 0 0
Egress 5 ANY NONE 0 0
Egress 100 ANY NONE 0 0
Egress 101 ANY NONE 0 0
Egress 102 ANY NONE 0 0
Egress 103 ANY NONE 0 0
Egress 104 ANY NONE 0 0
Egress 105 ANY NONE 0 0
Egress 106 ANY NONE 0 0
Egress 66381 ANY NONE 0 0
Egress 68232 ANY NONE 0 0
Egress 73167 ANY NONE 0 0
Egress 81423 ANY NONE 0 0
Egress 83218 ANY NONE 0 0
Egress 91065 ANY NONE 0 0
Egress 116597 ANY NONE 0 0
Egress 133036 ANY NONE 0 0
Egress 142781 ANY NONE 0 0
Egress 169731 ANY NONE 0 0
Egress 174579 ANY NONE 0 0
Egress 177140 ANY NONE 0 0
Egress 178546 ANY NONE 0 0
Egress 179652 ANY NONE 0 0
```
#### BPF CT List 3443
```
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_3443: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_3443: no such file or directory
```
#### Endpoint Get 3443
```
[
{
"id": 3443,
"spec": {
"label-configuration": {
"user": []
},
"options": {
"Conntrack": "Enabled",
"ConntrackAccounting": "Enabled",
"ConntrackLocal": "Disabled",
"Debug": "Disabled",
"DebugLB": "Disabled",
"DropNotification": "Enabled",
"MonitorAggregationLevel": "None",
"NAT46": "Disabled",
"TraceNotification": "Enabled"
}
},
"status": {
"controllers": [
{
"configuration": {
"error-retry": true,
"interval": "5m0s"
},
"name": "resolve-identity-3443",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:16:22.706Z",
"success-count": 28
},
"uuid": "233abf6f-2946-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "5m0s"
},
"name": "sync-IPv4-identity-mapping (3443)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:16:23.392Z",
"success-count": 28
},
"uuid": "233ab4bc-2946-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "5m0s"
},
"name": "sync-IPv6-identity-mapping (3443)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:16:23.251Z",
"success-count": 28
},
"uuid": "233ab502-2946-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "1m0s"
},
"name": "sync-identity-to-k8s-pod (3443)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:20:25.110Z",
"success-count": 140
},
"uuid": "233ab246-2946-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "1m0s"
},
"name": "sync-policymap-3443",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:20:44.416Z",
"success-count": 144
},
"uuid": "239f0ddf-2946-11e9-ab5e-000d3a2ae96b"
},
{
"configuration": {
"error-retry": true,
"interval": "10s"
},
"name": "sync-to-k8s-ciliumendpoint (3443)",
"status": {
"last-failure-timestamp": "0001-01-01T00:00:00.000Z",
"last-success-timestamp": "2019-02-05T15:21:03.078Z",
"success-count": 839
},
"uuid": "232ca8ad-2946-11e9-ab5e-000d3a2ae96b"
}
],
"external-identifiers": {
"container-id": "e269b806a868e80851cc8ff108228a30cb60f48f8d379552834cc5e02f457384",
"container-name": "k8s_POD_rebel-base-5757f6c4fb-bscxs_default_22389faa-2946-11e9-80a2-000d3a2becd8_0",
"pod-name": "default/rebel-base-5757f6c4fb-bscxs"
},
"health": {
"bpf": "OK",
"connected": true,
"overallHealth": "OK",
"policy": "OK"
},
"identity": {
"id": 116597,
"labels": [
"k8s:io.kubernetes.pod.namespace=default",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.cilium.k8s.policy.cluster=euw",
"k8s:name=rebel-base"
],
"labelsSHA256": "3e6990a8c76df94b4f59a0796f3385135249438719bc84b87fedcab07b923c94"
},
"labels": {
"derived": [
"container:annotation.kubernetes.io/config.seen=2019-02-05T13:01:21.146437857Z",
"container:annotation.kubernetes.io/config.source=api",
"container:io.kubernetes.container.name=POD",
"container:io.kubernetes.docker.type=podsandbox",
"container:io.kubernetes.pod.name=rebel-base-5757f6c4fb-bscxs",
"container:io.kubernetes.pod.uid=22389faa-2946-11e9-80a2-000d3a2becd8",
"k8s:pod-template-hash=5757f6c4fb"
],
"disabled": [],
"realized": {
"user": []
},
"security-relevant": [
"k8s:io.cilium.k8s.policy.cluster=euw",
"k8s:io.cilium.k8s.policy.serviceaccount=default",
"k8s:io.kubernetes.pod.namespace=default",
"k8s:name=rebel-base"
]
},
"log": [
{
"code": "OK",
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)",
"state": "ready",
"timestamp": "2019-02-05T14:11:44Z"
}
],
"networking": {
"addressing": [
{
"ipv4": "10.245.0.176"
}
],
"host-mac": "62:08:cf:83:71:a5",
"interface-index": 23,
"interface-name": "lxc47e5860fd68e",
"mac": "56:8d:2e:0b:4b:8e"
},
"policy": {
"proxy-statistics": [],
"realized": {
"allowed-egress-identities": [
81423,
5,
83218,
2,
106,
177140,
1,
116597,
91065,
101,
174579,
104,
73167,
100,
103,
102,
133036,
179652,
3,
4,
66381,
105,
68232,
142781,
178546,
169731
],
"allowed-ingress-identities": [
68232,
103,
83218,
91065,
178546,
81423,
174579,
116597,
102,
104,
133036,
100,
5,
177140,
169731,
106,
101,
105,
2,
4,
179652,
73167,
66381,
3,
142781,
1
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 116597,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
},
"spec": {
"allowed-egress-identities": [
1,
142781,
102,
83218,
101,
81423,
177140,
100,
179652,
104,
169731,
174579,
3,
178546,
105,
68232,
106,
4,
66381,
73167,
133036,
2,
116597,
103,
91065,
5
],
"allowed-ingress-identities": [
103,
106,
81423,
100,
66381,
178546,
179652,
174579,
73167,
91065,
68232,
104,
5,
142781,
4,
83218,
133036,
101,
1,
3,
105,
102,
177140,
116597,
169731,
2
],
"build": 17,
"cidr-policy": {
"egress": [],
"ingress": []
},
"id": 116597,
"l4": {
"egress": [],
"ingress": []
},
"policy-enabled": "none",
"policy-revision": 17
}
},
"realized": {
"label-configuration": {
"user": []
},
"options": {
"Conntrack": "Enabled",
"ConntrackAccounting": "Enabled",
"ConntrackLocal": "Disabled",
"Debug": "Disabled",
"DebugLB": "Disabled",
"DropNotification": "Enabled",
"MonitorAggregationLevel": "None",
"NAT46": "Disabled",
"TraceNotification": "Enabled"
}
},
"state": "ready"
}
}
]
```
#### Endpoint Health 3443
```
Overall Health: OK
BPF Health: OK
Policy Health: OK
Connected: yes
```
#### Endpoint Log 3443
```
Timestamp Status State Message
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted)
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: updated security labels)
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: updated security labels
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering regeneration due to new identity
2019-02-05T13:01:22Z OK ready Set identity for this endpoint
2019-02-05T13:01:22Z Warning waiting-for-identity Skipped invalid state transition to waiting-to-regenerate due to: Triggering endpoint regeneration due to one or more identities created or deleted
2019-02-05T13:01:22Z OK waiting-for-identity Endpoint creation
```
#### Identity get 116597 | |
``` | |
ID LABELS | |
116597 k8s:io.cilium.k8s.policy.cluster=euw | |
k8s:io.cilium.k8s.policy.serviceaccount=default | |
k8s:io.kubernetes.pod.namespace=default | |
k8s:name=rebel-base | |
``` | |
#### BPF Policy Get 3867 | |
``` | |
DIRECTION IDENTITY PORT/PROTO PROXY PORT BYTES PACKETS | |
Ingress 1 ANY NONE 0 0 | |
Ingress 2 ANY NONE 0 0 | |
Ingress 3 ANY NONE 0 0 | |
Ingress 4 ANY NONE 0 0 | |
Ingress 5 ANY NONE 0 0 | |
Ingress 100 ANY NONE 0 0 | |
Ingress 101 ANY NONE 0 0 | |
Ingress 102 ANY NONE 0 0 | |
Ingress 103 ANY NONE 0 0 | |
Ingress 104 ANY NONE 0 0 | |
Ingress 105 ANY NONE 0 0 | |
Ingress 106 ANY NONE 0 0 | |
Ingress 66381 ANY NONE 0 0 | |
Ingress 68232 ANY NONE 0 0 | |
Ingress 73167 ANY NONE 0 0 | |
Ingress 81423 ANY NONE 0 0 | |
Ingress 83218 ANY NONE 0 0 | |
Ingress 91065 ANY NONE 0 0 | |
Ingress 116597 ANY NONE 0 0 | |
Ingress 133036 ANY NONE 0 0 | |
Ingress 142781 ANY NONE 0 0 | |
Ingress 169731 ANY NONE 0 0 | |
Ingress 174579 ANY NONE 0 0 | |
Ingress 177140 ANY NONE 0 0 | |
Ingress 178546 ANY NONE 0 0 | |
Ingress 179652 ANY NONE 0 0 | |
Egress 1 ANY NONE 0 0 | |
Egress 2 ANY NONE 5396545 35265 | |
Egress 3 ANY NONE 0 0 | |
Egress 4 ANY NONE 0 0 | |
Egress 5 ANY NONE 0 0 | |
Egress 100 ANY NONE 0 0 | |
Egress 101 ANY NONE 0 0 | |
Egress 102 ANY NONE 0 0 | |
Egress 103 ANY NONE 0 0 | |
Egress 104 ANY NONE 0 0 | |
Egress 105 ANY NONE 0 0 | |
Egress 106 ANY NONE 0 0 | |
Egress 66381 ANY NONE 0 0 | |
Egress 68232 ANY NONE 0 0 | |
Egress 73167 ANY NONE 0 0 | |
Egress 81423 ANY NONE 0 0 | |
Egress 83218 ANY NONE 0 0 | |
Egress 91065 ANY NONE 0 0 | |
Egress 116597 ANY NONE 0 0 | |
Egress 133036 ANY NONE 0 0 | |
Egress 142781 ANY NONE 0 0 | |
Egress 169731 ANY NONE 0 0 | |
Egress 174579 ANY NONE 0 0 | |
Egress 177140 ANY NONE 0 0 | |
Egress 178546 ANY NONE 0 0 | |
Egress 179652 ANY NONE 0 0 | |
``` | |
#### BPF CT List 3867 | |
``` | |
Error: Unable to open /sys/fs/bpf/tc/globals/cilium_ct4_3867: Unable to get object /sys/fs/bpf/tc/globals/cilium_ct4_3867: no such file or directory | |
``` | |
#### Endpoint Get 3867 | |
``` | |
[ | |
{ | |
"id": 3867, | |
"spec": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"status": { | |
"controllers": [ | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv4-identity-mapping (3867)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.284Z", | |
"success-count": 29 | |
}, | |
"uuid": "eaec5d66-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "5m0s" | |
}, | |
"name": "sync-IPv6-identity-mapping (3867)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:19:49.485Z", | |
"success-count": 29 | |
}, | |
"uuid": "eaec5dc3-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-identity-to-k8s-pod (3867)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:21:01.074Z", | |
"success-count": 142 | |
}, | |
"uuid": "eaec5ce0-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "1m0s" | |
}, | |
"name": "sync-policymap-3867", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:44.415Z", | |
"success-count": 146 | |
}, | |
"uuid": "eb5f8013-2945-11e9-ab5e-000d3a2ae96b" | |
}, | |
{ | |
"configuration": { | |
"error-retry": true, | |
"interval": "10s" | |
}, | |
"name": "sync-to-k8s-ciliumendpoint (3867)", | |
"status": { | |
"last-failure-timestamp": "0001-01-01T00:00:00.000Z", | |
"last-success-timestamp": "2019-02-05T15:20:58.961Z", | |
"success-count": 848 | |
}, | |
"uuid": "eae8872f-2945-11e9-ab5e-000d3a2ae96b" | |
} | |
], | |
"external-identifiers": { | |
"container-id": "4febe0e4ed5bdb7f6763e1d4c01b97130ac1c12cafa224c7b00c5a9ca5a536a2", | |
"container-name": "k8s_POD_etcd-operator-5cf67779fd-t47mq_kube-system_9ae33acf-2940-11e9-80a2-000d3a2becd8_1", | |
"pod-name": "kube-system/etcd-operator-5cf67779fd-t47mq" | |
}, | |
"health": { | |
"bpf": "OK", | |
"connected": true, | |
"overallHealth": "OK", | |
"policy": "OK" | |
}, | |
"identity": { | |
"id": 100, | |
"labels": [ | |
"k8s:io.cilium/app=etcd-operator", | |
"k8s:io.kubernetes.pod.namespace=kube-system", | |
"k8s:io.cilium.k8s.policy.serviceaccount=cilium-etcd-sa", | |
"k8s:io.cilium.k8s.policy.cluster=euw" | |
], | |
"labelsSHA256": "520993c6678d600e2beed1397dcc3adea1034c036553cfe53c8ef91b89e7593f" | |
}, | |
"labels": { | |
"derived": [ | |
"container:annotation.kubernetes.io/config.seen=2019-02-05T12:21:46.546538445Z", | |
"container:annotation.kubernetes.io/config.source=api", | |
"container:io.kubernetes.container.name=POD", | |
"container:io.kubernetes.docker.type=podsandbox", | |
"container:io.kubernetes.pod.name=etcd-operator-5cf67779fd-t47mq", | |
"container:io.kubernetes.pod.uid=9ae33acf-2940-11e9-80a2-000d3a2becd8", | |
"k8s:pod-template-hash=5cf67779fd" | |
], | |
"disabled": [], | |
"realized": { | |
"user": [] | |
}, | |
"security-relevant": [ | |
"k8s:io.cilium.k8s.policy.cluster=euw", | |
"k8s:io.cilium.k8s.policy.serviceaccount=cilium-etcd-sa", | |
"k8s:io.cilium/app=etcd-operator", | |
"k8s:io.kubernetes.pod.namespace=kube-system" | |
] | |
}, | |
"log": [ | |
{ | |
"code": "OK", | |
"message": "Successfully regenerated endpoint program (Reason: one or more identities created or deleted)", | |
"state": "ready", | |
"timestamp": "2019-02-05T14:11:44Z" | |
} | |
], | |
"networking": { | |
"addressing": [ | |
{ | |
"ipv4": "10.245.0.201" | |
} | |
], | |
"host-mac": "5e:3f:6b:a5:a8:a7", | |
"interface-index": 15, | |
"interface-name": "lxcff24dcbf378a", | |
"mac": "5a:5c:eb:73:b9:05" | |
}, | |
"policy": { | |
"proxy-statistics": [], | |
"realized": { | |
"allowed-egress-identities": [ | |
83218, | |
174579, | |
2, | |
81423, | |
101, | |
4, | |
66381, | |
73167, | |
177140, | |
178546, | |
133036, | |
142781, | |
104, | |
105, | |
1, | |
116597, | |
169731, | |
179652, | |
100, | |
103, | |
106, | |
68232, | |
91065, | |
5, | |
3, | |
102 | |
], | |
"allowed-ingress-identities": [ | |
179652, | |
142781, | |
68232, | |
1, | |
133036, | |
101, | |
103, | |
73167, | |
178546, | |
83218, | |
81423, | |
174579, | |
169731, | |
177140, | |
66381, | |
116597, | |
100, | |
5, | |
4, | |
2, | |
102, | |
105, | |
3, | |
91065, | |
104, | |
106 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 100, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
}, | |
"spec": { | |
"allowed-egress-identities": [ | |
100, | |
68232, | |
178546, | |
3, | |
103, | |
66381, | |
106, | |
169731, | |
81423, | |
105, | |
104, | |
174579, | |
101, | |
102, | |
2, | |
116597, | |
5, | |
133036, | |
4, | |
91065, | |
177140, | |
1, | |
83218, | |
73167, | |
142781, | |
179652 | |
], | |
"allowed-ingress-identities": [ | |
2, | |
102, | |
177140, | |
66381, | |
3, | |
83218, | |
142781, | |
105, | |
103, | |
106, | |
133036, | |
116597, | |
174579, | |
1, | |
91065, | |
101, | |
73167, | |
179652, | |
104, | |
178546, | |
81423, | |
4, | |
100, | |
68232, | |
169731, | |
5 | |
], | |
"build": 17, | |
"cidr-policy": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"id": 100, | |
"l4": { | |
"egress": [], | |
"ingress": [] | |
}, | |
"policy-enabled": "none", | |
"policy-revision": 17 | |
} | |
}, | |
"realized": { | |
"label-configuration": { | |
"user": [] | |
}, | |
"options": { | |
"Conntrack": "Enabled", | |
"ConntrackAccounting": "Enabled", | |
"ConntrackLocal": "Disabled", | |
"Debug": "Disabled", | |
"DebugLB": "Disabled", | |
"DropNotification": "Enabled", | |
"MonitorAggregationLevel": "None", | |
"NAT46": "Disabled", | |
"TraceNotification": "Enabled" | |
} | |
}, | |
"state": "ready" | |
} | |
} | |
] | |
``` | |
#### Endpoint Health 3867 | |
``` | |
Overall Health: OK | |
BPF Health: OK | |
Policy Health: OK | |
Connected: yes | |
``` | |
#### Endpoint Log 3867 | |
``` | |
Timestamp Status State Message | |
2019-02-05T14:11:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T14:11:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T14:11:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T14:11:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:09:45Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:09:45Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:09:45Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:09:45Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:44Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:44Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:44Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:44Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:43Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:43Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:43Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:43Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:23Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:23Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:23Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:23Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T13:01:22Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T13:01:22Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T13:01:22Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T13:01:22Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:59:48Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host) | |
2019-02-05T12:59:48Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:59:48Z OK regenerating Regenerating endpoint: syncing state to host | |
2019-02-05T12:59:48Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host | |
2019-02-05T12:59:48Z OK restoring Synchronizing endpoint labels with KVStore | |
2019-02-05T12:59:45Z OK restoring Restoring endpoint from previous cilium instance | |
2019-02-05T12:59:45Z OK restoring Endpoint restoring | |
2019-02-05T12:59:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T12:59:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:57:19Z OK ready Successfully regenerated endpoint program (Reason: syncing state to host) | |
2019-02-05T12:57:19Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:57:18Z OK regenerating Regenerating endpoint: syncing state to host | |
2019-02-05T12:57:18Z OK waiting-to-regenerate Triggering synchronous endpoint regeneration while syncing state to host | |
2019-02-05T12:57:18Z OK restoring Synchronizing endpoint labels with KVStore | |
2019-02-05T12:57:15Z OK restoring Restoring endpoint from previous cilium instance | |
2019-02-05T12:57:15Z OK restoring Endpoint restoring | |
2019-02-05T12:23:27Z OK regenerating Regenerating endpoint: | |
2019-02-05T12:23:27Z OK waiting-to-regenerate Triggering endpoint regeneration due to | |
2019-02-05T12:23:26Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T12:23:26Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:23:26Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T12:23:26Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:23:25Z OK ready Successfully regenerated endpoint program (Reason: one or more identities created or deleted) | |
2019-02-05T12:23:25Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:23:25Z OK regenerating Regenerating endpoint: one or more identities created or deleted | |
2019-02-05T12:23:25Z OK waiting-to-regenerate Triggering endpoint regeneration due to one or more identities created or deleted | |
2019-02-05T12:22:26Z OK ready Successfully regenerated endpoint program (Reason: updated security labels) | |
2019-02-05T12:22:26Z OK ready Completed endpoint regeneration with no pending regeneration requests | |
2019-02-05T12:22:26Z OK regenerating Regenerating endpoint: updated security labels | |
2019-02-05T12:22:26Z OK waiting-to-regenerate Triggering regeneration due to new identity | |
2019-02-05T12:22:26Z OK ready Set identity for this endpoint | |
2019-02-05T12:22:25Z OK waiting-for-identity Endpoint creation | |
``` | |
#### Identity get 100 | |
``` | |
ID LABELS | |
100 k8s:io.cilium.k8s.policy.cluster=euw | |
k8s:io.cilium.k8s.policy.serviceaccount=cilium-etcd-sa | |
k8s:io.cilium/app=etcd-operator | |
k8s:io.kubernetes.pod.namespace=kube-system | |
``` | |