-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Limiting Identity-Relevant Labels breaks CiliumNetworkPolicies #18878
Comments
Hello @alex-berger thanks for opening the GH issue, can you provide a Cilium sysdump for the working and non-working case of both source and destination nodes? Thank you! |
@alex-berger no need for the Cilium sysdump. After giving a little bit of consideration we think it's probably better to document this corner case in Limiting Identity-Relevant Labels instead of automatically allowing |
@aanm I don't think that this is a corner case. Entities like for example IMHO the relevant labels (or their prefixes) should always be added to the set of identity-relevant labels. Otherwise this will just cause a lot of (bug) tickets on GitHub as people run into problems when using those entities in their CiliumNetworkPolicies. |
This issue has been automatically marked as stale because it has not |
This issue has not seen any activity since it was marked stale. |
I want to re-open this issue, I ran into this exact corner case. Since |
I agree with @soggiest. I found an issue that I cannot use We have a use-case where a StatefulSet from 10 pods are utilising different egress gateways. The idea was to use pod-index label, and route traffic from a 10 different gateways, however as Cilium doesn't respect a "labels" declaration and removes |
Thank you @joestringer ! |
Apart from the standard list what about adding a new label "the initial identity of the pod" to the list of identity-relevant labels? This could help to track changes and also built dynamic network policies which prevent or make spoofing more difficult. |
@pjablonski123 could you expand on your suggestion a bit more? An Identity is a list of labels, which are derived from Pods. The configurable daemon argument |
@joestringer could you please consider an option to allow explicitly including |
@ruslanys I don't understand your proposal. Is this directly related to limiting identity-relevant labels? You may also consider filing a fresh issue describing exactly the problem that you are facing, how you think that a |
I mean an additional label derived from the current identity, eg. How this identity label could help with the security? Upon a new deployment of pods a network policy could be generated based on the assigned label identities. Any attempt of the identity manipulation could lead to:
|
@pjablonski123 it sounds like this is a much bigger proposal that is distinct from the question in this issue, and it may be trying to mitigate some sort of potential control plane attacker or malicious node attacker scenarios. In general I would consider that Identities are mostly immutable at the moment so I'm not sure I understand the notion of "restoring immutable identity labels". Perhaps if we think that the mutability constraints around Identities are not strong enough then we could harden the control plane to provide stronger guarantees around that, in the worst case with some clear grace periods or stronger boundaries if a numeric identity needs to be returned to the pool for reallocation. Either way I'm curious to explore your idea a bit deeper, but I think we'll need a proper CFP on https://github.com/cilium/design-cfps to outline the goals, assumptions, background and proposal for such a change. |
Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file. Fixes: cilium#18878 Signed-off-by: soggiest <nicholas@isovalent.com>
Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file. Fixes: cilium#18878 Signed-off-by: soggiest <nicholas@isovalent.com>
Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file. Fixes: #18878 Signed-off-by: soggiest <nicholas@isovalent.com>
Entities are special selectors used by network policies. The Cluster entity relies on the `io.cilium.k8s.policy.cluster` label which is removed by Cilium if a strict identity label configuration is applied. This PR adds the relevant Cilium policy label to the list of default labels so it will always be applied regardless of configuration, and includes this label to the associated test file. Fixes: cilium#18878 Signed-off-by: soggiest <nicholas@isovalent.com>
Is there an existing issue for this?
What happened?
Limiting Identity-Relevant Labels by setting the
labels
value in thecilium-config
ConfigMap breaks CiliumNetworkPolicies which usecluster
infromEntities
. All traffic is dropped as cilium does not recognize that it originates from in-cluster peers (cluster
).I suspect that this is caused by the fact that the
k8s:io.cilium.k8s.policy.cluster
identity label is not (automatically) set as soon as there are any inclusive label rules.Given the following
CiliumNetworkPolicy
:Scenario 1 - Identity-Relevant Labels are not constrained
Using Cilium's default settings not constraining (limiting) the set of identity-relevant labels, everything works as expected and all in-cluster peers (Pods) can successfully connect to the coredns Pods protected by the above
CiliumNetworkPolicy
. In that case the.status.identity.labels
in the coredns' correspondingCiliumEndpoint
object looks like this:Scenario 2 - Identity-Relevant Labels are constrained
Constraining (limiting) the set of identity-relevant labels, by setting
labels
in thecilium-config
ConfigMap like this:Traffic from in-cluster peers (Pods) to the coredns Pods is rejected (dropped) and the
.status.identity.labels
in the coredns' correspondingCiliumEndpoint
object looks like this:The notable differences between scenarios 1 and 2 are that in 2 the labels
k8s:io.cilium.k8s.policy.cluster=default
andk8s:io.cilium.k8s.policy.serviceaccount=coredns
are not present in theCiliumEndpoint
.Workaround
Explicitly allowing
k8s:io.cilium.k8s.policy
prefixed labels by adding the following additional inclusive label rules in thecilium-config
ConfigMap (as outlined below) resolved the problem.With that setting, bot missing identity labels (
k8s:io.cilium.k8s.policy.cluster=default
andk8s:io.cilium.k8s.policy.serviceaccount=coredns
) are set in the correspondingCiliumEndpoint
and in-cluster clients can successfully connect to the coredns Pods.Expected Behavior
The prefix
k8s:io.cilium.k8s.policy
(or maybe evenk8s:io.cilium.k8s
) should always be automatically added to the set of identity-relevant labels.Cilium Version
1.11.1
Kernel Version
Kubernetes Version
1.21 (EKS)
Sysdump
No response
Relevant log output
No response
Anything else?
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: