Control normalization in network introspection API #1693

Merged (1 commit), Jun 12, 2024

@ovalenti ovalenti commented May 30, 2024

Description

With normalization always enabled, the introspection API cannot be used to retrieve all IP addresses. So we add a parameter to disable it.

Link to the updated documentation: https://github.com/stackrox/collector/blob/ovalenti/conn_introspection_no_normalize/docs/troubleshooting.md#network-endpoint

Checklist

  • Investigated and inspected CI test results
  • Tested the behavior manually at least once (deployed the image built from CI and queried the endpoint with normalize=false)
  • Updated documentation accordingly

@ovalenti ovalenti self-assigned this May 30, 2024
@ovalenti ovalenti marked this pull request as ready for review June 4, 2024 08:59
@ovalenti ovalenti requested a review from a team as a code owner June 4, 2024 08:59
return true;
}

return *normalize_flag == "true";
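
Review bot: the final `return *normalize_flag == "true";` maps every value other than the exact lowercase string to false, so `normalize=True`, `normalize=1` or a typo silently turns normalization off rather than taking the `return true;` path above it. Compare case-insensitively, and either answer unrecognized values with an error or treat them like the `return true;` case; the accepted values should also be listed in docs/troubleshooting.md.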

[nit] Should be insensitive to capitalization.

JoukoVirtanen commented Jun 8, 2024

Can you improve the PR description to show how this can be used, and show example output with and without normalization? Also can you explain how you tested it? Did you deploy ACS with this collector version?

@ovalenti (Contributor, Author)

@JoukoVirtanen Thanks for the review :)

Added a link to the updated doc in the PR description. This contains a usage example with corresponding result.

@JoukoVirtanen (Contributor)

I have tested this. I checked out the master branch of stackrox/stackrox. Ran ./deploy/k8s/deploy-local.sh. Edited the collector ds to change the image to this one and added

        - name: ROX_COLLECTOR_INTROSPECTION_ENABLE
          value: "true"

to the list of environment variables.

Ran

kubectl -n stackrox port-forward ds/collector 8080:8080 &
 curl "http://localhost:8080/state/network/connection?normalize=false" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Handling connection for 8080
100  7494  100  7494    0     0  38040      0 --:--:-- --:--:-- --:--:-- 38040
{
  "0e34df2d0a19": [
    {
      "active": false,
      "from": "10.60.11.5/32",
      "l4proto": "TCP",
      "port": 8080
    },
    {
      "active": false,
      "from": "10.60.11.5/32",
      "l4proto": "TCP",
      "port": 8080
    }
  ],
  "11b9ddc4cdb1": [
    {
      "active": true,
      "l4proto": "TCP",
      "port": 443,
      "to": "10.118.53.1/32"
    }
  ],
  "16467eed6e8f": [
    {
      "active": false,
      "from": "10.60.11.5/32",
      "l4proto": "TCP",
      "port": 8443
    },
$ curl "http://localhost:8080/state/network/connection?normalize=true" | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Handling connection for 8080
100  4023  100  4023    0     0  21513      0 --:--:-- --:--:-- --:--:-- 21629
{
  "0e34df2d0a19": [
    {
      "active": false,
      "from": "10.60.11.5",
      "l4proto": "TCP",
      "port": 8080
    }
  ],
  "11b9ddc4cdb1": [
    {
      "active": true,
      "l4proto": "TCP",
      "port": 443,
      "to": "10.118.53.1"
    }
  ],
  "16467eed6e8f": [
    {
      "active": true,
      "l4proto": "TCP",
      "port": 443,
      "to": "10.118.53.166"
    },

@JoukoVirtanen JoukoVirtanen left a comment

Fixing the nit is optional.

@ovalenti ovalenti merged commit 6d37f3f into master Jun 12, 2024
99 of 123 checks passed
@ovalenti ovalenti deleted the ovalenti/conn_introspection_no_normalize branch June 12, 2024 07:57