From YouTube: Could network cache-based identity be mistaken?
Description
A few days ago, I published the Exploring Cilium Layer 7 Capabilities Compared to Istio blog where I mentioned network cache-based identity may fail when a pod dies, a new pod is created and gets the IP of the old pod but has a different identity. Thank you everyone for sending me feedback about the blog! In this video, I would like to demonstrate how identity could be mistaken for network cache-based identity.
Blog: https://www.solo.io/blog/could-network-cache-based-identity-be-mistaken/
Let's review our application. We have sleep and helloworld. Both have two versions: sleep version 1 can call helloworld version 1, sleep version 2 can call helloworld version 2, and nothing else should be allowed per the Cilium network policy. We're going to install now that we have Cilium mostly running. Let's go ahead and deploy our applications.
Now that we have our pods mostly coming up, notice we have 15 replicas of version 1 and one replica of version 2. All right, looks like everything is up, including Cilium and our application. Let's go back to the other terminal to do some tests. Right, we want to see if the network policy is working: only the version 1 client and server can talk, only the version 2 client and server can talk, and nothing else. It works. Perfect.
That's great! Now we're going to figure out the node where helloworld version 1 is running and dump the Cilium ipcache for that node. As you can see, it's a key-value mapping of IP address to its identity and encryption information. I would guess 13174 is sleep version 1's identity? Let's see if I'm right. All right, looks like it is right. Cilium has endpoints, which we can use to get the identity, and you can see the security label is sleep version 1 for this particular identity, 13174.
Now we're going to trigger an error scenario, because we don't live in a perfect world, right? What if the Cilium pod could not communicate with the API server? What if the Cilium pod crashed? So before we run our script, let's review it. The first thing we're going to do is capture the sleep version 1 IP addresses; there should be 15 of them.
Check out how the pods are coming up and down, so you can see sleep version 2: a lot of them are scaled up and there's no sleep version 1. So you can see pods are rapidly coming up and coming down, because we're constantly checking on the conditions to see if there's any matching IP address from one of the prior ones. Oh, looks like we already have a window. All right, so this particular sleep version 2 pod was able to call helloworld version 1, even though the network policy says it should not be allowed.
So if you look at this identity, you can see it actually has sleep version 1's identity, because it has this IP address that was used by one of the sleep version 1 pods. So let's double check with -o wide. Double check the IP address, which is 2.65; let's search and make sure. Yes, that is the sleep version 2.
Even though we have a network policy in place that says only version 1 of sleep is allowed to talk to helloworld version 1, because the sleep version 2 pod has the wrong identity assigned, it was still able to call helloworld version 1. Thank you so much for watching, and please subscribe to our channel for future education on Istio, Envoy, Cilium, and all other topics. Bye now.
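The failure mode shown in the video, as an added, self-contained model that is not the video's script and not Cilium's code: a node keeps an IP-to-identity cache in the spirit of Cilium's ipcache, policy is decided by looking the source IP up in that cache, and the agent that maintains the cache goes unhealthy while version 1 pods are scaled down and version 2 pods are scaled up. The pod names, the 10.0.2.x address pool, the identity labels and the `Node` class are all constructed for the illustration; the only thing taken from the video is the policy (same-version pairs only) and the sequence of events.

```python
"""
Constructed model of an IP-keyed identity cache under pod churn.
Added illustration: not Cilium code and not the script run in the video.
"""
from collections import deque
from typing import Deque, Dict, List, Set, Tuple

# Policy from the video: only same-version client/server pairs may talk,
# expressed as (source identity, destination identity) pairs.
POLICY: Set[Tuple[str, str]] = {
    ("sleep-v1", "helloworld-v1"),
    ("sleep-v2", "helloworld-v2"),
}


class Node:
    """One node with a node-local IP -> identity cache and a small IP pool (assumed)."""

    def __init__(self, pool_size: int = 5) -> None:
        # Deliberately small pool so freed addresses are handed out again quickly.
        self.free_ips: Deque[str] = deque(f"10.0.2.{i}" for i in range(60, 60 + pool_size))
        self.pods: Dict[str, Tuple[str, str]] = {}  # pod name -> (ip, real identity)
        self.ipcache: Dict[str, str] = {}           # ip -> identity as the datapath sees it
        self.agent_healthy = True                   # False: agent lost the API server / crashed

    def create_pod(self, name: str, identity: str) -> str:
        ip = self.free_ips.popleft()
        self.pods[name] = (ip, identity)
        if self.agent_healthy:          # a healthy agent learns the new mapping
            self.ipcache[ip] = identity
        return ip

    def delete_pod(self, name: str) -> None:
        ip, _ = self.pods.pop(name)
        self.free_ips.append(ip)        # the address goes back to the pool
        if self.agent_healthy:          # a healthy agent forgets the old mapping
            self.ipcache.pop(ip, None)

    def resync(self) -> None:
        """Rebuild the cache from the real pod list (agent recovered)."""
        self.ipcache = {ip: ident for ip, ident in self.pods.values()}

    def allowed(self, src_ip: str, dst_identity: str) -> bool:
        """Policy decision the way an IP-keyed datapath makes it: cache lookup first."""
        src_identity = self.ipcache.get(src_ip)
        return (src_identity, dst_identity) in POLICY

    def mismatched_pods(self) -> List[str]:
        """Pods whose cached identity differs from their real identity."""
        return [
            name for name, (ip, ident) in self.pods.items()
            if self.ipcache.get(ip) not in (None, ident)
        ]


def run_scenario() -> Dict[str, object]:
    """Replay the video's sequence: healthy baseline, fault, churn, recovery."""
    node = Node()
    v1_ips = [node.create_pod(f"sleep-v1-{i}", "sleep-v1") for i in range(3)]
    node.create_pod("helloworld-v1", "helloworld-v1")
    v2_first = node.create_pod("sleep-v2-0", "sleep-v2")

    # Healthy baseline: v1 -> helloworld-v1 allowed, v2 -> helloworld-v1 denied.
    baseline = (node.allowed(v1_ips[0], "helloworld-v1"),
                node.allowed(v2_first, "helloworld-v1"))

    # Fault: the agent stops updating the cache while pods churn underneath it.
    node.agent_healthy = False
    for i in range(3):
        node.delete_pod(f"sleep-v1-{i}")                  # v1 scaled to zero
    v2_new = [node.create_pod(f"sleep-v2-{i}", "sleep-v2") for i in (1, 2)]

    reused = [ip for ip in v2_new if ip in v1_ips]         # the "window" from the video
    during_fault = {ip: node.allowed(ip, "helloworld-v1") for ip in v2_new}
    mismatched = node.mismatched_pods()

    # Recovery: once the agent resyncs, the stale identities disappear.
    node.agent_healthy = True
    node.resync()
    after_resync = {ip: node.allowed(ip, "helloworld-v1") for ip in v2_new}

    return {
        "baseline": baseline,
        "reused_ips": reused,
        "during_fault": during_fault,
        "mismatched": mismatched,
        "after_resync": after_resync,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

`mismatched_pods` is the check a practitioner would actually run on a cluster: compare what the datapath believes (in Cilium, `cilium bpf ipcache list` on the node) against the real pod list (`kubectl get pods -o wide`, as the video does), and treat any IP whose cached identity disagrees with the pod currently holding it as a policy bypass in progress until the agent resyncs.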