
chaining: source security ID in hairpin might lead to policy denies in >=v1.7.4 #12136

Closed
aanm opened this issue Jun 17, 2020 · 8 comments
Labels
kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. priority/high This is considered vital to an upcoming release.

Comments

aanm (Member) commented Jun 17, 2020

Bisecting blame 60b4210

xx drop (Policy denied) flow 0x53352ab to endpoint 694, identity 4417->56410: 172.16.166.201:53662 -> 172.16.166.200:80 tcp SYN

The security ID in the endpoint is different from the one being generated by the datapath:

ENDPOINT   POLICY (ingress)   POLICY (egress)   IDENTITY   LABELS (source:key[=value])                                       IPv6   IPv4             STATUS   
           ENFORCEMENT        ENFORCEMENT                                                                                                            
366        Disabled           Disabled          4428       k8s:class=tiefighter                                                     172.16.166.201   ready   
                                                           k8s:io.cilium.k8s.policy.cluster=default                                                          
                                                           k8s:io.cilium.k8s.policy.serviceaccount=default                                                   
                                                           k8s:io.kubernetes.pod.namespace=default                                                           
                                                           k8s:org=empire
@aanm aanm added priority/high This is considered vital to an upcoming release. needs/triage This issue requires triaging to establish severity and next steps. kind/regression This functionality worked fine before, but was broken in a newer release of Cilium. needs-backport/1.7 labels Jun 17, 2020
@aanm aanm changed the title source security ID in hairpin might lead to policy denies in >=v1.7.4 < 1.8 source security ID in hairpin might lead to policy denies in >=v1.7.4 Jun 17, 2020
tgraf (Member) commented Jun 17, 2020

Is this a potential collision in the mark value?

tgraf (Member) commented Jun 17, 2020

It looks like some bits changed:

4417 1000101000001
4428 1000101001100

tgraf (Member) commented Jun 17, 2020

@aanm How did you get into this state?

aanm (Member, Author) commented Jun 17, 2020

In that case yes, but it is more common to be off by 1

tgraf (Member) commented Jun 17, 2020

This could be a --set 1/0xF or similar where 4 bits get cleared and one bit gets set.
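The mark-rewrite hypothesis above (a rule of the `--set 1/0xF` shape that clears four bits and sets one), as an added example that is not Cilium's own code: it assumes a simplified layout in which the identity value is the mark itself (Cilium's real datapath packs the identity into the mark differently), and brute-forces which value/mask rewrites would turn the endpoint's identity 4428 into the 4417 carried by the drop trace.

```python
"""Added example: model how an iptables-style MARK rewrite in a chained CNI
setup can corrupt a security identity carried in skb->mark.

Assumption (not Cilium's real layout): the identity value is the mark itself,
so clearing or setting low mark bits edits the identity directly.
"""
from typing import List, Tuple


def apply_set_mark(mark: int, value: int, mask: int) -> int:
    """MARK --set-mark value/mask: clear the masked bits, then OR in value."""
    return (mark & ~mask) | (value & mask)


def apply_set_xmark(mark: int, value: int, mask: int) -> int:
    """MARK --set-xmark value/mask: clear the masked bits, then XOR in value."""
    return (mark & ~mask) ^ (value & mask)


def differing_bits(a: int, b: int) -> List[int]:
    """Bit positions (LSB = 0) where two identities disagree."""
    return [i for i in range(max(a, b).bit_length()) if (a ^ b) >> i & 1]


def explain_rewrite(expected: int, observed: int, mask_bits: int = 8) -> List[Tuple[int, int]]:
    """Brute-force every (value, mask) with mask < 2**mask_bits and return the
    pairs whose --set-mark application turns `expected` into `observed`.
    When the endpoint identity and the datapath-observed identity differ,
    a hit shows which rule shape could have clobbered the mark."""
    hits = []
    for mask in range(1, 1 << mask_bits):
        for value in range(0, 1 << mask_bits):
            if value & ~mask:  # value bits outside the mask are meaningless
                continue
            if apply_set_mark(expected, value, mask) == observed:
                hits.append((value, mask))
    return hits


if __name__ == "__main__":
    endpoint_identity = 4428  # reported by `cilium endpoint list` in the issue
    datapath_identity = 4417  # carried by the policy-denied drop trace
    print("differing bits:", differing_bits(endpoint_identity, datapath_identity))
    # --set-mark 1/0xF clears bits 0-3 and sets bit 0: 4428 -> 4417
    print("1/0xF gives:", apply_set_mark(endpoint_identity, 1, 0xF))
    print("candidate rewrites:", explain_rewrite(endpoint_identity, datapath_identity)[:5])
    # an "off by 1" mismatch is what a 1/0x1-style rule produces on an even identity
    print("1/0x1 gives:", apply_set_mark(endpoint_identity, 1, 0x1))
```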

@tgraf tgraf removed the needs/triage This issue requires triaging to establish severity and next steps. label Jun 17, 2020
@tgraf tgraf changed the title source security ID in hairpin might lead to policy denies in >=v1.7.4 chaining: source security ID in hairpin might lead to policy denies in >=v1.7.4 Jun 17, 2020
jrfastab (Contributor) commented

To close out discussion, this was caused by a conflicting mark value. So added a PR to opt-out of setting identity field in the mark. This will force the ingress path to do another lookup and obfuscate the trace logs some, but will allow policy to work correctly.

borkmann (Member) commented

[Only thing left here is a doc follow-up to update the chaining guide.]

borkmann (Member) commented

Fixed via #12185 and #12194.

4 participants