Skip to content

fix: block pod to wireserver port 80 traffic on windows multitenancy #2515

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 8, 2024
Merged

fix: block pod to wireserver port 80 traffic on windows multitenancy #2515

merged 1 commit into from
Feb 8, 2024

Conversation

@QxBytes
Copy link
Contributor

@QxBytes QxBytes commented Jan 16, 2024
edited
Loading

Reason for Change:

Traffic from the pod to the wireserver on port 80 should not leave the VM.

Issue Fixed:

See above.

Requirements:

Notes:
Tested Windows Container on Windows 2022. After rule is added, wgets from the pod to websites such as google.com are still seen leaving the pod destined towards the 12:34... MAC. After the rule is added, traffic is still detected when pinging other pods (confirming the rule does not block pod-pod traffic). Tested routing wireserver requests to the eth0 and apipa eth inside the pod and confirmed that for hyper-v isolation containers, the vfp filter counter increases when requests to the wireserver are made (no traffic on the node is detected going to the wireserver from the pod either). Without the rule, traffic is detected on the node from the pod to the wireserver.

@QxBytes QxBytes marked this pull request as ready for review January 18, 2024 22:12
@QxBytes QxBytes requested a review from a team as a code owner January 18, 2024 22:12
@QxBytes QxBytes requested a review from jaer-tsun January 18, 2024 22:12
@tamilmani1989
Copy link
Member

tamilmani1989 commented Jan 22, 2024

@QxBytes can you also get approval from @ashvindeodhar

@vipul-21
Copy link
Contributor

vipul-21 commented Feb 1, 2024

Curious to know why this is only a problem in windows multitenancy and not others?

@QxBytes
Copy link
Contributor Author

QxBytes commented Feb 6, 2024

Curious to know why this is only a problem in windows multitenancy and not others?

Addressed this in linux multitenancy here (#2395)

@QxBytes QxBytes added cni Related to CNI. fix Fixes something. windows multitenancy labels Feb 6, 2024
@ashvindeodhar ashvindeodhar added this pull request to the merge queue Feb 6, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 7, 2024
@QxBytes QxBytes added this pull request to the merge queue Feb 7, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Feb 8, 2024
@QxBytes QxBytes added this pull request to the merge queue Feb 8, 2024
Merged via the queue into master with commit a1bf7bf Feb 8, 2024
@QxBytes QxBytes deleted the alew/windows-block-wireserver branch February 8, 2024 19:36
@pjohnst5 pjohnst5 mentioned this pull request Mar 2, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jaer-tsun jaer-tsun Awaiting requested review from jaer-tsun jaer-tsun is a code owner automatically assigned from Azure/acn-cni-reviewers

@tamilmani1989 tamilmani1989 Awaiting requested review from tamilmani1989

Assignees

No one assigned

Labels

cni Related to CNI. fix Fixes something. multitenancy windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@QxBytes @tamilmani1989 @vipul-21