Policy with k8sService on port 443 allows traffic on port 443 to world #20067
Comments
Reproduction steps using sw-app example:
Requests to world:80 and world:443 work:
Apply the policy:
Request to world:80 works (the one specified in the policy
I have observed the same behavior with a
Maybe it's something that we should document as a limitation of
PR cilium#21052 updated Cilium documentation to say that, in network policy rules, `toServices` statements cannot be combined with `toPorts` statements. I believe it would be more informative for Cilium users to say (following RFC 2119) that `toServices` _must not_ be combined with `toPorts`, as technically Cilium accepts such a network policy as valid but handles it in the unexpected and potentially dangerous (e.g. if a setup relies on Cilium network policy to implement egress filtering) manner described in cilium#20067. Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
Currently, an egress rule combining toServices and toPorts has the unexpected and potentially dangerous side effect of allowing egress traffic to any remote endpoint on the port(s) specified (see cilium#20067). This change makes such rules fail validation. Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
…ause of breakage in Cilium v1.14 See cilium/cilium#20067 - the combination is not supported anymore and Cilium prints warnings about the non-effective policy.
Apologies for the noise, I discovered this issue as it is referenced in the code and the limitation still applies. To reflect that, I've relabeled it as a "question" since this is a known and (now) documented limitation.
What happened?
Policy defined:
Expected: Only traffic to service svc.ns on port 443 is allowed
Result: All traffic to "world" on port 443 is allowed
Observed in local k3d install and EKS
Cilium Version: 1.10.x and 1.11.x
Kernel Version
Kubernetes Version
Sysdump: No response
Relevant log output: No response
Anything else?: No response
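The validation described in the commit messages above, as an added example that is not Cilium's own code: a stand-alone Go checker that parses a minimal subset of a CiliumNetworkPolicy egress rule and rejects any rule that sets both `toServices` and `toPorts`. The JSON field names mirror the Cilium policy schema (`toServices.k8sService`, `toPorts.ports`); the sample policies are constructed here, in JSON form of the YAML manifest.

```go
package main
import (
	"encoding/json"
	"fmt"
)
// Minimal subset of the CiliumNetworkPolicy egress schema: toServices.k8sService and toPorts.
type K8sService struct {
	ServiceName string `json:"serviceName"`
	Namespace   string `json:"namespace"`
}
type ServiceRef struct {
	K8sService *K8sService `json:"k8sService,omitempty"`
}
type PortProtocol struct {
	Port     string `json:"port"`
	Protocol string `json:"protocol"`
}
type PortRule struct {
	Ports []PortProtocol `json:"ports"`
}
type EgressRule struct {
	ToServices []ServiceRef `json:"toServices,omitempty"`
	ToPorts    []PortRule   `json:"toPorts,omitempty"`
}
type Policy struct {
	Egress []EgressRule `json:"egress"`
}
// ValidateEgress fails any egress rule that sets both toServices and toPorts: per the thread,
// Cilium did not scope such a toPorts rule to the Service and opened the ports to "world".
func ValidateEgress(raw []byte) error {
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return fmt.Errorf("parse policy: %w", err)
	}
	for i, r := range p.Egress {
		if len(r.ToServices) > 0 && len(r.ToPorts) > 0 {
			return fmt.Errorf("egress[%d]: toServices must not be combined with toPorts", i)
		}
	}
	return nil
}
// Constructed samples (JSON form of the manifest): the issue's pattern, and a toServices-only rule.
const badPolicy = `{"egress":[{"toServices":[{"k8sService":{"serviceName":"svc","namespace":"ns"}}],"toPorts":[{"ports":[{"port":"443","protocol":"TCP"}]}]}]}`
const goodPolicy = `{"egress":[{"toServices":[{"k8sService":{"serviceName":"svc","namespace":"ns"}}]}]}`

func main() {
	fmt.Println(ValidateEgress([]byte(badPolicy)), ValidateEgress([]byte(goodPolicy)))
}
```

Running it prints the rejection for the combined rule and `<nil>` for the service-only rule; wiring a check like this into an admission step catches the pattern before the policy reaches the datapath.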