Enforce host policies when using per-endpoint routes #13121
Labels: area/host-firewall, kind/feature, sig/datapath
The host firewall currently doesn't work with per-endpoint routes (`global.endpointRoutes` & `--enable-endpoint-routes`) because host policies are only enforced in the `bpf_host` program attached to `cilium_host`/`cilium_net` (for hostns<->local pods) and native devices (for hostns<->remote pods/remote nodes/world). When per-endpoint routes are enabled, the first two devices do not exist. Allowing the host firewall to be enabled with per-endpoint routes would thus result in a bypass of policies on paths hostns<->local pods.

High-level idea is to perform a tail call to a BPF program in `bpf_host` from `bpf_lxc` when packets ingress to and egress from local pods. On egress from pods, we need to jump to the `bpf_host` program, enforce ingress host policies and deliver as usual. On ingress to pods, we need to jump to the `bpf_host` program, enforce egress host policies, then jump back to the `bpf_lxc` program.

- Entrypoint in `bpf_host` to be called for packets egressing local pods and destined to the hostns. Should be similar to the equivalent in the `bpf_lxc` program.
- Tail call from the `bpf_lxc` program to the entrypoint function via the policy call map, in the same way as is currently done for pods.
- Tail call from `bpf_lxc` to the entrypoint in `bpf_host` and a second tail call to come back to `bpf_lxc`. May need to use the same entrypoint as before with a metadata bit to differentiate. A metadata bit or other skb bit will also be needed to avoid looping in tail calls.
- `ci/host-firewall`.
- `HOST_EP_ID` needs to be static data, Support host policies with per-endpoint routes #15217 (comment). If it does, then we may want to use `tail_call_dynamic` for static data, Support host policies with per-endpoint routes #15217 (comment). It doesn't need to be static data.
- `enable-remote-node-identity`, Support host policies with per-endpoint routes #15217 (comment).