
enable_audit.sh

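#!/usr/bin/env bash
# enable_audit.sh — put every Mastodon CiliumEndpoint into Policy Audit Mode.
#
# In audit mode the Cilium agent records the verdict a CiliumNetworkPolicy
# *would* apply instead of dropping the packet, so a new policy can be
# applied and its effect observed before it enforces anything. Two things an
# operator should keep in mind:
#   * The endpoint is effectively unenforced while audit mode is on; switch it
#     back with `PolicyAuditMode=Disabled` once the policy has been validated.
#   * The setting is agent runtime state, not a Kubernetes object; expect it to
#     reset when an endpoint is regenerated (e.g. pod restart) — re-run this
#     script after a rollout.
#
# Requires kubectl access to pods and CiliumEndpoints in $NAMESPACE and
# exec rights on the cilium-agent containers in $CILIUM_NAMESPACE.
set -euo pipefail

readonly NAMESPACE="mastodon"
readonly SELECTOR="app.kubernetes.io/name=mastodon"
readonly CILIUM_NAMESPACE="kube-system"

#######################################
# List the pods matching the selector, one name per line.
# Globals:   NAMESPACE, SELECTOR (read)
# Outputs:   pod names on stdout; nothing when no pod matches
#######################################
list_target_pods() {
  kubectl get pods -n "$NAMESPACE" -l "$SELECTOR" \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{end}'
}

#######################################
# Find the cilium-agent pod scheduled on a node.
# Globals:   CILIUM_NAMESPACE (read)
# Arguments: $1 - node name
# Outputs:   agent pod name on stdout; empty when none is found
#######################################
cilium_pod_on_node() {
  local node=$1
  local names
  # Ask for every match and keep the first word: an explicit [0] index can
  # make kubectl fail on an empty list, which under set -e aborts the whole
  # script before the caller gets to print its own "not found" message.
  names=$(kubectl get pod -n "$CILIUM_NAMESPACE" -l k8s-app=cilium \
    --field-selector "spec.nodeName=$node" \
    -o jsonpath='{.items[*].metadata.name}') || names=""
  printf '%s\n' "${names%% *}"
}

#######################################
# Enable PolicyAuditMode on one endpoint via the agent that owns it.
# Globals:   NAMESPACE, CILIUM_NAMESPACE (read)
# Arguments: $1 - pod name (the CiliumEndpoint has the same name)
# Outputs:   progress on stdout, skip reasons on stderr
# Returns:   0 when audit mode was toggled, 1 when the pod was skipped
#######################################
enable_audit_for_pod() {
  local pod=$1
  local node ep_id cilium_pod

  # The pod spec is the authoritative source for the node. A pending pod has
  # no nodeName yet; a failed lookup is turned into "" so the pod is skipped
  # instead of aborting the whole run (kubectl's own error still reaches
  # stderr).
  node=$(kubectl get pod -n "$NAMESPACE" "$pod" \
    -o jsonpath='{.spec.nodeName}') || node=""
  # status.id is the agent-local endpoint id that cilium-dbg expects; the
  # CiliumEndpoint may not exist yet for a freshly scheduled pod.
  ep_id=$(kubectl get cep -n "$NAMESPACE" "$pod" \
    -o jsonpath='{.status.id}') || ep_id=""

  echo "---------------------------------------------------"
  echo "target: $pod"
  echo "  node: $node"
  echo "    id: $ep_id"

  # Without both values the exec below would run cilium-dbg against an empty
  # endpoint id or query an empty node selector; refuse rather than guess.
  if [[ -z "$node" || -z "$ep_id" ]]; then
    echo "❌ ERROR: Pod '$pod' has no node or no CiliumEndpoint id yet. Skipping..." >&2
    return 1
  fi

  cilium_pod=$(cilium_pod_on_node "$node")
  if [[ -z "$cilium_pod" ]]; then
    echo "❌ ERROR: Could not find Cilium agent on node '$node'. Skipping..." >&2
    return 1
  fi

  echo "  exec: Enabling PolicyAuditMode on $cilium_pod..."
  # set -e is suspended while this function runs under `||` in main, so the
  # exec status has to be checked explicitly or a failure would print "Done".
  if ! kubectl exec -n "$CILIUM_NAMESPACE" "$cilium_pod" -c cilium-agent -- \
      cilium-dbg endpoint config "$ep_id" PolicyAuditMode=Enabled; then
    echo "❌ ERROR: cilium-dbg failed for endpoint $ep_id on $cilium_pod. Skipping..." >&2
    return 1
  fi
  echo "  ✅ Done."
}

#######################################
# Entry point: enumerate target pods and enable audit mode on each.
# Globals:   NAMESPACE, SELECTOR (read)
# Returns:   0 when every endpoint was toggled; 1 when no pod matched or
#            at least one endpoint was skipped
#######################################
main() {
  local -a pods=()
  local pod failed=0

  echo "🔍 Finding Mastodon pods and enabling Cilium Policy Audit Mode..."

  mapfile -t pods < <(list_target_pods)
  # Claiming "audit mode enabled" with zero endpoints touched would invite
  # applying the policy against fully enforcing endpoints; fail loudly.
  if (( ${#pods[@]} == 0 )); then
    echo "❌ ERROR: No pods match '$SELECTOR' in namespace '$NAMESPACE'." >&2
    exit 1
  fi

  for pod in "${pods[@]}"; do
    enable_audit_for_pod "$pod" || failed=$((failed + 1))
  done

  echo "---------------------------------------------------"
  if (( failed > 0 )); then
    echo "⚠️  Audit Mode enabled on $(( ${#pods[@]} - failed )) of ${#pods[@]} endpoints; $failed skipped (see errors above)." >&2
    exit 1
  fi
  echo "🎉 Audit Mode enabled. You can now apply the NetworkPolicy without dropping traffic."
}

main "$@"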