k8s: Add validation for init policy selection

[ upstream commit 642768d ] [ Backporter's notes: Had to adjust sync.Once var name to avoid conflict ] Extend the CNP validation (including preflight checks) to warn users that they are using a policy configuration that is no longer supported. Signed-off-by: Joe Stringer <joe@cilium.io>
cilium · Sep 9, 2023 · 611f75b · 611f75b
1 parent c5d7463
commit 611f75b
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 0 deletions.
diff --git a/pkg/k8s/apis/cilium.io/v2/validator/validator.go b/pkg/k8s/apis/cilium.io/v2/validator/validator.go
@@ -17,6 +17,7 @@ import (
 
 	"github.com/cilium/cilium/pkg/k8s/apis/cilium.io/client"
 	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
+	"github.com/cilium/cilium/pkg/labels"
 	"github.com/cilium/cilium/pkg/logging/logfields"
 	"github.com/cilium/cilium/pkg/policy/api"
 )
@@ -102,6 +103,10 @@ func (n *NPValidator) ValidateCNP(cnp *unstructured.Unstructured) error {
 		return err
 	}
 
+	if err := checkInitLabelsPolicy(cnp); err != nil {
+		return err
+	}
+
 	return nil
 }
 
@@ -116,6 +121,16 @@ var (
 		"detailed discussion on the topic, see https://github.com/cilium/cilium/issues/12844"
 
 	logOnce sync.Once
+
+	// We can remove the check for this warning once 1.15 is the oldest supported Cilium version.
+	logInitPolicyCNP = "It seems you have a CiliumNetworkPolicy with a " +
+		"match on the 'reserved:init' labels. This label is not " +
+		"supported in CiliumNetworkPolicy any more. If you wish to " +
+		"define a policy for endpoints before they receive a full " +
+		"security identity, change the resource type for the policy " +
+		"to CiliumClusterwideNetworkPolicy."
+	errInitPolicyCNP  = fmt.Errorf("CiliumNetworkPolicy incorrectly matches reserved:init label")
+	logOnceInitPolicy sync.Once
 )
 
 // ValidateCCNP validates the given CCNP accordingly the CCNP validation schema.
@@ -211,3 +226,33 @@ func containsWildcardToFromEndpoint(rule *api.Rule) bool {
 
 	return false
 }
+
+func checkInitLabelsPolicy(cnp *unstructured.Unstructured) error {
+	cnpBytes, err := cnp.MarshalJSON()
+	if err != nil {
+		return err
+	}
+
+	resCNP := cilium_v2.CiliumNetworkPolicy{}
+	err = json.Unmarshal(cnpBytes, &resCNP)
+	if err != nil {
+		return err
+	}
+
+	for _, spec := range append(resCNP.Specs, resCNP.Spec) {
+		if spec == nil {
+			continue
+		}
+		podInitLbl := labels.LabelSourceReservedKeyPrefix + labels.IDNameInit
+		if spec.EndpointSelector.HasKey(podInitLbl) {
+			logOnceInitPolicy.Do(func() {
+				log.WithFields(logrus.Fields{
+					logfields.CiliumNetworkPolicyName: cnp.GetName(),
+				}).Error(logInitPolicyCNP)
+			})
+			return errInitPolicyCNP
+		}
+	}
+
+	return nil
+}
diff --git a/pkg/k8s/apis/cilium.io/v2/validator/validator_test.go b/pkg/k8s/apis/cilium.io/v2/validator/validator_test.go
@@ -471,3 +471,32 @@ specs:
 		}
 	}
 }
+
+func (s *CNPValidationSuite) Test_GH28007(c *C) {
+	cnp := []byte(`apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: exampleapp
+  namespace: examplens
+spec:
+  egress:
+  - toEntities:
+    - world
+  endpointSelector:
+    matchExpressions:
+    - key: reserved:init
+      operator: DoesNotExist
+`)
+	jsnByte, err := yaml.YAMLToJSON(cnp)
+	c.Assert(err, IsNil)
+
+	us := unstructured.Unstructured{}
+	err = json.Unmarshal(jsnByte, &us)
+	c.Assert(err, IsNil)
+
+	validator, err := NewNPValidator()
+	c.Assert(err, IsNil)
+	err = validator.ValidateCNP(&us)
+	// Err can't be nil since validation should detect the policy is not correct.
+	c.Assert(err, Equals, errInitPolicyCNP)
+}