Visual k8s cluster mapping tutorial - new screenshots #126
Closed
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
|
@@ -117,17 +117,17 @@ In the Otterize Cloud UI, your [cluster](https://app.otterize.com/clusters) shou | |||||
|
||||||
And when you go back to the [access graph](https://app.otterize.com/access-graph) (and select your cluster from the dropdown, if needed), you should see the following map for the demo running in your cluster: | ||||||
|
||||||
![Access graph](/img/quick-tutorials/shadow-mode/phase-0.png) | ||||||
![Access graph](/img/quick-tutorials/cluster-mapping/base.png) | ||||||
|
||||||
Each service is shown as a node in the access graph, while the thick lines (edges) connecting the services show access between them, as detected by the network mapper. | ||||||
|
||||||
### The network map of the cluster | ||||||
|
||||||
If only the network mapper were connected to the Cloud, the services would be shown without the lock icons, and the thick connecting lines would be shown in blue, because we would have no more information about what access is or would be blocked once enforcement were turned on. | ||||||
If only the network mapper were connected to the Cloud, the services would be shown as "Would be blocked", and the thick connecting lines would be shown in yellow, because we would have no more information about what access is or would be blocked once enforcement were turned on. | ||||||
|
||||||
The network mapper gives insights on which services are trying to, or actually are, calling other services, which already provides useful insights. We call these "discovered intents": the intent of the client service to call the server service is discovered by the attempt to call the server service, not by an explicit declaration. | ||||||
|
||||||
![Access graph - network mapper](/img/quick-tutorials/shadow-mode/network-mapper-only.png) | ||||||
![Access graph - network mapper](/img/quick-tutorials/cluster-mapping/network-mapper-only.png) | ||||||
|
||||||
### Understanding access and building confidence | ||||||
|
||||||
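Review bot: In the rewritten "network map of the cluster" paragraph, the new text says services are shown as "Would be blocked" with yellow edges, but it keeps the old justification "because we would have no more information about what access is or would be blocked once enforcement were turned on". That clause explained the earlier blue, lock-free rendering and now contradicts the status it is supposed to justify. Suggest replacing it with the actual reason the mapper-only view reports "Would be blocked" (discovered intents exist, but nothing has been declared), or dropping the clause.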
|
@@ -143,17 +143,15 @@ We also (as a default) told Otterize Cloud that there is a global default-deny n | |||||
|
||||||
#### Blocking status | ||||||
|
||||||
Note that the locks themselves are green, indicating that you could now turn on enforcement without blocking any clients. | ||||||
Note that the locks themselves are yellow, indicating that you could now turn on enforcement and blocking not intented clients. | ||||||
|
||||||
Similarly, all the thick connecting lines between the services are green: none of these client calls would be blocked if enforcement were turned on. If one were red, that would tell you it would be blocked, as you might have guessed. | ||||||
Similarly, all the thick connecting lines between the services are yellow: Client calls would be blocked if enforcement were turned on. If one were red, that would tell you it is blocked, as you might have guessed. | ||||||
@sapirwo Can you add a screenshot here to show the explanation on the edge, showing that if the service is protected, then it would block?
||||||
|
||||||
But why would these clients not be blocked if enforcement were on — doesn't that mean the services they call would not be protected? Yes, and the access graph lets you know that too. | ||||||
Click on a service, e.g. the payment service: | ||||||
orishoshan marked this conversation as resolved.
|
||||||
|
||||||
Note the red notifications on the services. Click on a service, e.g. the payment service: | ||||||
![Access graph - clicked service](/img/quick-tutorials/cluster-mapping/would-be-blocked-unprotected.png) | ||||||
|
||||||
![Access graph - clicked service](/img/quick-tutorials/shadow-mode/would-not-block-unprotected.png) | ||||||
|
||||||
- You can see the service isn't protected now, and it's ready to turn on enforcement without blocking any clients. | ||||||
- You can see the service isn't protected now, and it's ready to turn on enforcement and blocking clients. | ||||||
- You can also see it won't be protected even after enabling enforcement — and what you need to do: | ||||||
- If you explicitly create and apply intents from the clients, they will be guaranteed access, but also the server will be protected from any undeclared access. | ||||||
- So why do you need to declare intents to *protect* services as well as to *enable* clients? | ||||||
|
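Review bot: The new "Blocking status" sentence, "the locks themselves are yellow, indicating that you could now turn on enforcement and blocking not intented clients", still tells the reader that enforcement can be turned on, while the next changed line says yellow edges mean client calls would be blocked. Read together, the section invites someone to enable enforcement and cut off traffic that is currently working. Suggest stating plainly that yellow means enabling enforcement now would block these clients until their intents are declared, fixing "not intented", and applying the same wording to the bullet "it's ready to turn on enforcement and blocking clients". The question "But why would these clients not be blocked if enforcement were on", if it stays in the page, also no longer matches the yellow state and should be updated in the same change.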
Binary file added
BIN
+175 KB
static/img/quick-tutorials/cluster-mapping/would-be-blocked-unprotected.png
Binary file removed
BIN
-39.8 KB
static/img/quick-tutorials/shadow-mode/would-not-block-unprotected.png
@sapirwo Yellow actually means would be blocked, so it's not safe to turn on enforcement at this point!