
Support egress CIDR-dependent L4 policies #1684

Closed
joestringer opened this Issue Oct 4, 2017 · 1 comment

joestringer commented Oct 4, 2017

We don't currently support specifying policies that have both "ToCIDR" and "ToPorts" on egress. This should allow only traffic that matches both of these conditions.

Alternatively (and less importantly), on ingress we should be able to filter on "FromCIDR" + "ToPorts" (See #4129).

Related: #1599

Design

  • Map CIDRs into labels
  • Allocate identities for sets of CIDR labels
  • Extend datapath ipcache to accept CIDRs (LPM)
  • Push CIDR->identity mappings into the datapath
  • Allow L3-dependent L4 policies to match on CIDR labels

Daemon

  • Each time a CIDR policy is imported, convert CIDR to a (set of) label(s).
    • Example format "cidr:10.0.0.0/8"
    • For "CIDR Except xxx", expand CIDRs via #3619 and generate multiple labels based on the CIDRs
      • E.g., 10/8 except 10.0/10 => cidr:10.128.0.0/9 + cidr:10.64.0.0/10
  • Allocate identities for sets of cidr labels in KVstore
    • Simple case: Disjoint CIDRs
      • AllocateIdentity("cidr:10.0.0.0/8")
    • Advanced case: Overlapping CIDRs, e.g. 10/8 + 10.1/16 becomes two identities:
      • 10.1/16 is associated with all cidr labels that cover the prefix: []string{"cidr:10.1.0.0/16", "cidr:10.0.0.0/15", "cidr:10.0.0.0/14", ...}
      • 10/8 would need CIDR labels for all prefixes that cover it: []string{"cidr:10.0.0.0/8", "cidr:10.0.0.0/7", ... "cidr:0.0.0.0/0"}
    • Evaluate radix implementations to update labels on insert/remove
      • Radix unnecessary; we can just generate all labels for CIDRs that cover the current CIDR.
    • Prevent Cilium from allocating /32 addresses for which there is already a CIDR identity
      • Otherwise, the CIDR => identity mapping would conflict with a CiliumEndpoint => identity mapping
      • This will be handled in the ipcache watcher logic, to prioritize "192.0.2.3" over "192.0.2.3/32"
    • Special handling for CIDRs of special identities?
      • 0/0 - "world" (Want to use reserved:world identity, not a random allocated identity)
      • host
        • Not a CIDR
      • cluster?
  • Push CIDR->identity mappings into KVstore ipcache
    • CIDR->KVstore sync controller?
    • Always insert the cluster prefix
  • For each configured CIDR, push CIDR->identity mapping down to BPF layer
    • Perhaps, calculate/insert this into the CIDRPolicyMap?
  • In CreateL4Filter():
    • Convert CIDRs into labels
    • Set up the Endpoints wildcard selectors properly depending on CIDR/fromEndpoints wildcards
      • Only CiliumEndpoints
      • Only non-CiliumEndpoints ("Entities"?)
      • All Endpoints
  • Rename/Document to ensure that L4Filter.Endpoints is documented to imply that it represents any network endpoint, not just Cilium endpoints.
  • Improve policy trace to hide irrelevant CIDRs
    • Sort, take the most specific one

Datapath

  • Support LPM via hashmaps
  • Support LPM map type for ipcache (Linux >= 4.11)

Egress

  • Expand ipcache to become LPM (or LPM-like)
  • Remove existing egress CIDR lookups

Ingress

  • Will be handled by #4129
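The CIDR-to-label conversion sketched under Daemon above, as an added Go example that is not Cilium's own code: CoveringLabels produces the label set for an overlapping CIDR (the prefix itself plus every shorter prefix that covers it), and ExceptLabels expands "CIDR except" into the disjoint remaining prefixes. It assumes IPv4 prefixes only and the `cidr:<network>/<len>` label format proposed in the issue.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseV4 parses and masks an IPv4 prefix (assumption: IPv4 only, as in the issue's examples).
func parseV4(cidr string) (netip.Prefix, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil || !p.Addr().Is4() {
		return netip.Prefix{}, fmt.Errorf("%s: expected an IPv4 prefix", cidr)
	}
	return p.Masked(), nil
}

// CoveringLabels returns cidr's own label plus one per shorter prefix covering it, down to 0.0.0.0/0.
func CoveringLabels(cidr string) ([]string, error) {
	p, err := parseV4(cidr)
	if err != nil {
		return nil, err
	}
	var labels []string
	for l := p.Bits(); l >= 0; l-- {
		// Masked() zeroes the host bits, giving the "cidr:<network>/<len>" label format from the issue.
		labels = append(labels, "cidr:"+netip.PrefixFrom(p.Addr(), l).Masked().String())
	}
	return labels, nil
}

// ExceptLabels expands "cidr except exc" into the disjoint prefixes left over: at each length
// between the two, the sibling of the branch that leads towards exc is kept.
func ExceptLabels(cidr, exc string) ([]string, error) {
	outer, err := parseV4(cidr)
	if err != nil {
		return nil, err
	}
	inner, err := parseV4(exc)
	if err != nil || inner.Bits() <= outer.Bits() || !outer.Contains(inner.Addr()) {
		return nil, fmt.Errorf("%s is not a strict IPv4 sub-prefix of %s", exc, cidr)
	}
	var labels []string
	for l := outer.Bits() + 1; l <= inner.Bits(); l++ {
		b := netip.PrefixFrom(inner.Addr(), l).Masked().Addr().As4()
		b[(l-1)/8] ^= 1 << uint(7-(l-1)%8) // flipping the last prefix bit yields the sibling prefix
		labels = append(labels, "cidr:"+netip.PrefixFrom(netip.AddrFrom4(b), l).String())
	}
	return labels, nil
}

func main() { fmt.Println(ExceptLabels("10.0.0.0/8", "10.0.0.0/10")) }
```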

@tgraf tgraf added the roadmap label Jan 23, 2018

@tgraf tgraf referenced this issue Feb 22, 2018: Improved egress enforcement datapath #2901 (Closed, 1 of 2 tasks complete)

@tgraf tgraf removed the project/1.0-gap label Mar 21, 2018

@eloycoto eloycoto referenced this issue Mar 30, 2018: CI: add end-to-end tests for entities #3359 (Open, 0 of 16 tasks complete)

@joestringer joestringer referenced this issue Apr 5, 2018: Review policy documentation #3539 (Open, 16 of 24 tasks complete)

@tgraf tgraf added priority/high and removed priority/medium labels Apr 9, 2018

@tgraf tgraf referenced this issue Apr 9, 2018: 1.1 Release Planning #3585 (Closed, 31 of 36 tasks complete)

@joestringer joestringer referenced this issue Apr 20, 2018: Support CIDR-dependent L4 egress policies #3835 (Merged, 16 of 16 tasks complete)
joestringer commented May 16, 2018

Closing this issue as the egress CIDR+L4 policies work is merged. Opened a new issue to separately prioritise ingress CIDR+L4: #4129.

@ianvernon ianvernon changed the title Support CIDR-dependent L4 policies Support egress CIDR-dependent L4 policies May 16, 2018
