Host Firewall: Attaching a label to a node before deploying Cilium breaks the host firewall #13676
Comments
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.
I'm currently unable to reproduce with a GKE cluster. I tried with both Cilium master and v1.9.0-rc2. I also tried two series of steps:
The one difference that may matter is the K8s version. I tried with v1.18.16-gke.502 because that's what GKE now supports and I wasn't able to get a working GKE cluster with a v1.15.12-gke.20. I'll see if I can reproduce with the development VM and K8s 1.15.
I was able to reproduce in #15714. Fix is incoming.
Our current host policy tests need to the policy on all nodes. They therefore use an empty nodeSelector. However, if we want a basic test of the node label watcher, we can instead implement this with a nodeSelector matching on a label added to all nodes. This commit implements that change. The goal is also to help us catch such potential bugs as [1, 2].
1 - #13676
2 - #13455
Signed-off-by: Paul Chaignon <paul@cilium.io>
Bug report
When trying to deploy the host firewall, attaching a label to the node before deploying Cilium makes the agent unable to pick up the label and deploy the host policy correctly.
While the issue was observed with the host firewall, the fact that the label is not displayed in `cilium endpoint list` may not be specific to this feature.
General Information
How to reproduce the issue
`node-access=ssh` label to a node, see the GSG at https://docs.cilium.io/en/v1.9.0-rc2/gettingstarted/host-firewall/:
The `node-access=ssh` for the host should then appear in the list of endpoints. The ingress policy enforcement should also be marked as `Disabled (Audit)`. What happens instead is that neither the label nor the policy are being reported:
However, Kubernetes is aware of the label:
Attempting to display the policy verdicts for the host with `cilium monitor` prints nothing.
The issue can be solved by removing and re-creating the label (or possibly by simply overwriting it, I have not tried):
After that, everything works as expected.
A note is being added to the GSG to make sure users attach the label first, in #13673.
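A small check for the symptom described in this report, written as an added example and not part of the issue or of Cilium itself: it compares the labels Kubernetes has on a node with the labels Cilium attached to the host endpoint, so a label that was never picked up (as happens when it is attached before the agent starts) is flagged. It assumes that `kubectl get node <name> -o json` puts labels under `metadata.labels`, and that `cilium endpoint list -o json` reports identity labels as strings such as `k8s:node-access=ssh` under `status.identity.labels`, with `reserved:host` marking the host endpoint; the sample JSON is constructed to mirror the reproduction above.

```python
"""Detect node labels that Cilium's host endpoint has not picked up.

Assumptions (not taken from the issue): node labels live under
metadata.labels in `kubectl get node -o json`, and `cilium endpoint list
-o json` exposes identity labels as "k8s:key=value" strings under
status.identity.labels, with "reserved:host" marking the host endpoint.
"""
import json

# Constructed sample output modelled on the report: Kubernetes knows the
# node-access=ssh label, but the host endpoint only carries reserved:host.
NODE_JSON = json.dumps({"metadata": {"name": "node1", "labels": {
    "node-access": "ssh", "kubernetes.io/hostname": "node1"}}})
ENDPOINTS_JSON = json.dumps([
    {"id": 1, "status": {"identity": {"labels": ["reserved:host"]}}},
    {"id": 2, "status": {"identity": {"labels": [
        "k8s:app=web", "k8s:io.kubernetes.pod.namespace=default"]}}},
])
# Same cluster after the label was removed and re-created (healthy state).
ENDPOINTS_JSON_FIXED = json.dumps([
    {"id": 1, "status": {"identity": {"labels": [
        "reserved:host", "k8s:node-access=ssh"]}}},
])


def host_endpoint_labels(endpoints_json):
    """Return the k8s:* labels of the host endpoint as a dict, or None if absent."""
    for ep in json.loads(endpoints_json):
        labels = ep.get("status", {}).get("identity", {}).get("labels", [])
        if "reserved:host" not in labels:
            continue
        parsed = {}
        for label in labels:
            if label.startswith("k8s:") and "=" in label:
                key, value = label[len("k8s:"):].split("=", 1)
                parsed[key] = value
        return parsed
    return None


def missing_labels(node_json, endpoints_json, keys):
    """Labels in `keys` that the node has but the host endpoint lacks or mismatches."""
    node_labels = json.loads(node_json)["metadata"].get("labels", {})
    host_labels = host_endpoint_labels(endpoints_json)
    if host_labels is None:
        raise RuntimeError("no host endpoint found; is the host firewall enabled?")
    return {k: node_labels[k] for k in keys
            if k in node_labels and host_labels.get(k) != node_labels[k]}


if __name__ == "__main__":
    for key, value in missing_labels(NODE_JSON, ENDPOINTS_JSON, ["node-access"]).items():
        print(f"{key}={value} is on the node but not on the host endpoint; "
              f"remove and re-create it: kubectl label node node1 {key}- && "
              f"kubectl label node node1 {key}={value}")
```

Feed it the real `kubectl` and `cilium` JSON instead of the constructed samples to run it against a cluster.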