hubble: Update uint size in flow proto

Sizes of some fields in flow.proto is unnecessary large (uint64), whereas for such fields (e.g. endpoint ID or identity) a smaller type is more appropriate. This PR is a clean-up to update the scalar value types of these fields. Includes some changes to related Hubble packages (parsers and filters) and minor test adjustments. Fixes: cilium/hubble#158 Signed-off-by: Matej Gera <matejgera@gmail.com>
cilium · Apr 27, 2020 · 18e5c63 · 18e5c63
1 parent 0e772e7
commit 18e5c63
Show file tree

Hide file tree

Showing 8 changed files with 168 additions and 168 deletions.
diff --git a/api/v1/flow/flow.pb.go b/api/v1/flow/flow.pb.go
diff --git a/api/v1/flow/flow.proto b/api/v1/flow/flow.proto
@@ -117,8 +117,8 @@ message Layer7 {
 }
 
 message Endpoint {
-    uint64 ID = 1;
-    uint64 identity = 2;
+    uint32 ID = 1;
+    uint32 identity = 2;
     string namespace = 3;
     // labels in `foo=bar` format.
     repeated string labels = 4;
@@ -267,9 +267,9 @@ message FlowFilter {
     // dns_query filters L7 DNS flows by query patterns (RE2 regex), e.g. 'kube.*local'.
     repeated string dns_query = 18;
     // source_identity filters by the security identity of the source endpoint.
-    repeated uint64 source_identity = 19;
+    repeated uint32 source_identity = 19;
     // destination_identity filters by the security identity of the destination endpoint.
-    repeated uint64 destination_identity = 20;
+    repeated uint32 destination_identity = 20;
 }
 
 // EventType are constants are based on the ones from <linux/perf_event.h>.

diff --git a/pkg/hubble/filters/filters_test.go b/pkg/hubble/filters/filters_test.go
@@ -96,23 +96,23 @@ func (t *testFilterFalse) OnBuildFilter(_ context.Context, ff *pb.FlowFilter) ([
 
 func TestOnBuildFilter(t *testing.T) {
 	fl, err := BuildFilterList(context.Background(),
-		[]*pb.FlowFilter{{SourceIdentity: []uint64{1, 2, 3}}}, // true
+		[]*pb.FlowFilter{{SourceIdentity: []uint32{1, 2, 3}}}, // true
 		[]OnBuildFilter{&testFilterTrue{}})                    // true
 	assert.NoError(t, err)
 	assert.Equal(t, true, fl.MatchAll(&v1.Event{Event: &pb.Flow{
 		Source: &pb.Endpoint{Identity: 3},
 	}}))
 
 	fl, err = BuildFilterList(context.Background(),
-		[]*pb.FlowFilter{{SourceIdentity: []uint64{1, 2, 3}}}, // true
+		[]*pb.FlowFilter{{SourceIdentity: []uint32{1, 2, 3}}}, // true
 		[]OnBuildFilter{&testFilterFalse{}})                   // false
 	assert.NoError(t, err)
 	assert.Equal(t, false, fl.MatchAll(&v1.Event{Event: &pb.Flow{
 		Source: &pb.Endpoint{Identity: 3},
 	}}))
 
 	fl, err = BuildFilterList(context.Background(),
-		[]*pb.FlowFilter{{SourceIdentity: []uint64{1, 2, 3}}}, // true
+		[]*pb.FlowFilter{{SourceIdentity: []uint32{1, 2, 3}}}, // true
 		[]OnBuildFilter{
 			&testFilterFalse{}, // false
 			&testFilterTrue{}}) // true

diff --git a/pkg/hubble/filters/identitty.go b/pkg/hubble/filters/identitty.go
@@ -29,7 +29,7 @@ func destinationEndpoint(ev *v1.Event) *pb.Endpoint {
 	return ev.GetFlow().GetDestination()
 }
 
-func filterByIdentity(identities []uint64, getEndpoint func(*v1.Event) *pb.Endpoint) FilterFunc {
+func filterByIdentity(identities []uint32, getEndpoint func(*v1.Event) *pb.Endpoint) FilterFunc {
 	return func(ev *v1.Event) bool {
 		if endpoint := getEndpoint(ev); endpoint != nil {
 			for _, i := range identities {

diff --git a/pkg/hubble/filters/identitty_test.go b/pkg/hubble/filters/identitty_test.go
@@ -40,7 +40,7 @@ func TestIdentityFilter(t *testing.T) {
 			name: "source-nil",
 			args: args{
 				f: []*pb.FlowFilter{{
-					SourceIdentity: []uint64{1},
+					SourceIdentity: []uint32{1},
 				}},
 				ev: nil,
 			},
@@ -50,7 +50,7 @@ func TestIdentityFilter(t *testing.T) {
 			name: "destination-nil",
 			args: args{
 				f: []*pb.FlowFilter{{
-					DestinationIdentity: []uint64{1},
+					DestinationIdentity: []uint32{1},
 				}},
 				ev: nil,
 			},
@@ -60,7 +60,7 @@ func TestIdentityFilter(t *testing.T) {
 			name: "source-positive",
 			args: args{
 				f: []*pb.FlowFilter{{
-					SourceIdentity: []uint64{1, 2, 3},
+					SourceIdentity: []uint32{1, 2, 3},
 				}},
 				ev: &v1.Event{Event: &pb.Flow{
 					Source: &pb.Endpoint{Identity: 3},
@@ -72,7 +72,7 @@ func TestIdentityFilter(t *testing.T) {
 			name: "source-negative",
 			args: args{
 				f: []*pb.FlowFilter{{
-					SourceIdentity: []uint64{1, 2, 3},
+					SourceIdentity: []uint32{1, 2, 3},
 				}},
 				ev: &v1.Event{Event: &pb.Flow{
 					Source: &pb.Endpoint{Identity: 4},
@@ -84,7 +84,7 @@ func TestIdentityFilter(t *testing.T) {
 			name: "destination-negative",
 			args: args{
 				f: []*pb.FlowFilter{{
-					DestinationIdentity: []uint64{1, 2, 3},
+					DestinationIdentity: []uint32{1, 2, 3},
 				}},
 				ev: &v1.Event{Event: &pb.Flow{
 					Destination: &pb.Endpoint{Identity: 5},

diff --git a/pkg/hubble/parser/seven/parser.go b/pkg/hubble/parser/seven/parser.go
@@ -280,8 +280,8 @@ func decodeEndpoint(endpoint accesslog.EndpointInfo, namespace, podName string)
 	labels := endpoint.Labels
 	sort.Strings(labels)
 	return &pb.Endpoint{
-		ID:        endpoint.ID,
-		Identity:  endpoint.Identity,
+		ID:        uint32(endpoint.ID),
+		Identity:  uint32(endpoint.Identity),
 		Namespace: namespace,
 		Labels:    labels,
 		PodName:   podName,

diff --git a/pkg/hubble/parser/threefour/parser.go b/pkg/hubble/parser/threefour/parser.go
@@ -182,9 +182,9 @@ func (p *Parser) Decode(payload *pb.Payload, decoded *pb.Flow) error {
 	return nil
 }
 
-func (p *Parser) resolveNames(epID uint64, ip net.IP) (names []string) {
+func (p *Parser) resolveNames(epID uint32, ip net.IP) (names []string) {
 	if p.dnsGetter != nil {
-		return p.dnsGetter.GetNamesOf(epID, ip)
+		return p.dnsGetter.GetNamesOf(uint64(epID), ip)
 	}
 
 	return nil
@@ -228,21 +228,21 @@ func filterCidrLabels(labels []string) []string {
 	return filteredLabels
 }
 
-func sortAndFilterLabels(labels []string, securityIdentity uint64) []string {
-	if securityIdentity&uint64(identity.LocalIdentityFlag) != 0 {
+func sortAndFilterLabels(labels []string, securityIdentity uint32) []string {
+	if securityIdentity&uint32(identity.LocalIdentityFlag) != 0 {
 		labels = filterCidrLabels(labels)
 	}
 	sort.Strings(labels)
 	return labels
 }
 
-func (p *Parser) resolveEndpoint(ip net.IP, securityIdentity uint64) *pb.Endpoint {
+func (p *Parser) resolveEndpoint(ip net.IP, securityIdentity uint32) *pb.Endpoint {
 	// for local endpoints, use the available endpoint information
 	if p.endpointGetter != nil {
 		if ep, ok := p.endpointGetter.GetEndpointInfo(ip); ok {
 			return &pb.Endpoint{
-				ID:        ep.GetID(),
-				Identity:  uint64(ep.GetIdentity()),
+				ID:        uint32(ep.GetID()),
+				Identity:  uint32(ep.GetIdentity()),
 				Namespace: ep.GetK8sNamespace(),
 				Labels:    sortAndFilterLabels(ep.GetLabels(), securityIdentity),
 				PodName:   ep.GetK8sPodName(),
@@ -254,13 +254,13 @@ func (p *Parser) resolveEndpoint(ip net.IP, securityIdentity uint64) *pb.Endpoin
 	var namespace, podName string
 	if p.ipGetter != nil {
 		if ipIdentity, ok := p.ipGetter.GetIPIdentity(ip); ok {
-			securityIdentity = uint64(ipIdentity.Identity)
+			securityIdentity = uint32(ipIdentity.Identity)
 			namespace, podName = ipIdentity.Namespace, ipIdentity.PodName
 		}
 	}
 	var labels []string
 	if p.identityGetter != nil {
-		if id, err := p.identityGetter.GetIdentity(securityIdentity); err != nil {
+		if id, err := p.identityGetter.GetIdentity(uint64(securityIdentity)); err != nil {
 			logger.GetLogger().
 				WithError(err).WithField("identity", securityIdentity).
 				Warn("failed to resolve identity")
@@ -424,27 +424,27 @@ func decodeCiliumEventType(eventType, eventSubType uint8) *pb.CiliumEventType {
 }
 
 func decodeSecurityIdentities(dn *monitor.DropNotify, tn *monitor.TraceNotify, pvn *monitor.PolicyVerdictNotify) (
-	sourceSecurityIdentiy, destinationSecurityIdentity uint64,
+	sourceSecurityIdentiy, destinationSecurityIdentity uint32,
 ) {
 	switch {
 	case dn != nil:
-		sourceSecurityIdentiy = uint64(dn.SrcLabel)
-		destinationSecurityIdentity = uint64(dn.DstLabel)
+		sourceSecurityIdentiy = dn.SrcLabel
+		destinationSecurityIdentity = dn.DstLabel
 	case tn != nil:
-		sourceSecurityIdentiy = uint64(tn.SrcLabel)
-		destinationSecurityIdentity = uint64(tn.DstLabel)
+		sourceSecurityIdentiy = tn.SrcLabel
+		destinationSecurityIdentity = tn.DstLabel
 	case pvn != nil:
 		if pvn.IsTrafficIngress() {
-			sourceSecurityIdentiy = uint64(pvn.RemoteLabel)
+			sourceSecurityIdentiy = pvn.RemoteLabel
 		} else {
-			destinationSecurityIdentity = uint64(pvn.RemoteLabel)
+			destinationSecurityIdentity = pvn.RemoteLabel
 		}
 	}
 
 	return
 }
 
-func decodeTrafficDirection(srcEP uint64, dn *monitor.DropNotify, tn *monitor.TraceNotify, pvn *monitor.PolicyVerdictNotify) pb.TrafficDirection {
+func decodeTrafficDirection(srcEP uint32, dn *monitor.DropNotify, tn *monitor.TraceNotify, pvn *monitor.PolicyVerdictNotify) pb.TrafficDirection {
 	if dn != nil && dn.Source != 0 {
 		// If the local endpoint at which the drop occurred is the same as the
 		// source of the dropped packet, we assume it was an egress flow. This

diff --git a/pkg/hubble/parser/threefour/parser_test.go b/pkg/hubble/parser/threefour/parser_test.go
@@ -477,7 +477,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f := parseFlow(dn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_TRAFFIC_DIRECTION_UNKNOWN, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// DROP Egress
 	dn = monitor.DropNotify{
@@ -486,7 +486,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(dn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_EGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// DROP Ingress
 	dn = monitor.DropNotify{
@@ -495,7 +495,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(dn, remoteIP, localIP)
 	assert.Equal(t, pb.TrafficDirection_INGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetDestination().GetID())
+	assert.Equal(t, uint32(localEP), f.GetDestination().GetID())
 
 	// TRACE_TO_LXC at unknown endpoint
 	tn := monitor.TraceNotifyV0{
@@ -504,7 +504,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_TRAFFIC_DIRECTION_UNKNOWN, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// TRACE_TO_LXC Egress
 	tn = monitor.TraceNotifyV0{
@@ -514,7 +514,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_EGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// TRACE_TO_LXC Egress, reversed by CT_REPLY
 	tn = monitor.TraceNotifyV0{
@@ -525,7 +525,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_INGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// TRACE_TO_HOST Ingress
 	tn = monitor.TraceNotifyV0{
@@ -535,7 +535,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, remoteIP, localIP)
 	assert.Equal(t, pb.TrafficDirection_INGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetDestination().GetID())
+	assert.Equal(t, uint32(localEP), f.GetDestination().GetID())
 
 	// TRACE_TO_HOST Ingress, reversed by CT_REPLY
 	tn = monitor.TraceNotifyV0{
@@ -546,7 +546,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, remoteIP, localIP)
 	assert.Equal(t, pb.TrafficDirection_EGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetDestination().GetID())
+	assert.Equal(t, uint32(localEP), f.GetDestination().GetID())
 
 	// TRACE_FROM_LXC (traffic direction not supported)
 	tn = monitor.TraceNotifyV0{
@@ -556,7 +556,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(tn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_TRAFFIC_DIRECTION_UNKNOWN, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// PolicyVerdictNotify Egress
 	pvn := monitor.PolicyVerdictNotify{
@@ -566,7 +566,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(pvn, localIP, remoteIP)
 	assert.Equal(t, pb.TrafficDirection_EGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetSource().GetID())
+	assert.Equal(t, uint32(localEP), f.GetSource().GetID())
 
 	// PolicyVerdictNotify Ingress
 	pvn = monitor.PolicyVerdictNotify{
@@ -576,7 +576,7 @@ func TestDecodeTrafficDirection(t *testing.T) {
 	}
 	f = parseFlow(pvn, remoteIP, localIP)
 	assert.Equal(t, pb.TrafficDirection_INGRESS, f.GetTrafficDirection())
-	assert.Equal(t, uint64(localEP), f.GetDestination().GetID())
+	assert.Equal(t, uint32(localEP), f.GetDestination().GetID())
 }
 
 func Test_filterCidrLabels(t *testing.T) {
@@ -763,8 +763,8 @@ func TestTraceNotifyLocalEndpoint(t *testing.T) {
 	err = parser.Decode(&pb.Payload{Data: data}, f)
 	require.NoError(t, err)
 
-	assert.Equal(t, ep.ID, f.Source.ID)
-	assert.Equal(t, uint64(ep.Identity), f.Source.Identity)
+	assert.Equal(t, uint32(ep.ID), f.Source.ID)
+	assert.Equal(t, uint32(ep.Identity), f.Source.Identity)
 	assert.Equal(t, ep.PodNamespace, f.Source.Namespace)
 	assert.Equal(t, ep.Labels, f.Source.Labels)
 	assert.Equal(t, ep.PodName, f.Source.PodName)