New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Kubernetes network policy for api-server #20550
Comments
cc @nebril, something to potentially look into. Maybe we can discuss next week. |
Hi @christarazi . It's any news about this topic? |
This issue has been automatically marked as stale because it has not |
Still not corrected. |
@nebril Assigning to you for whenever you have free cycles. |
I can confirm that it also affects Cilium 1.12.5. I will try to find a reason as well next week but can't promise it... |
I could also use a fix for this. |
We got the same issue here with latest EKS Anywhere. Opening up all Egress with networkpolicy works:
Anyone found a workaround which does not require opening up everything? P.S.: eks anywhere does not have CiliumNetworkPolicy CRD :/ |
This issue has been automatically marked as stale because it has not |
we have the same problem on EKS |
same here ( |
also seeing this on cilium 1.12.3 against EKS 1.27 |
I'll try to fix this issue. Here is my proposals: The best way to fix this would be to add the IP in the frames from/to apiserver 1️⃣. I don't know if this is possible (and where ?). Another way would be to create
I'll start with 2️⃣ : create |
This is going to be fixed by #27464. |
An update: This is fixed by #27464, but it requires enabling a specific setting. Documentation to come. |
@squeed do I read the PR right that the fix for this bug will only be in 1.15 and is not slated for backporting? |
@embik that's right; the "fix" is an entirely new feature and thus unlikely to be backported. |
Okay, thanks for the clarification! |
@embik as it stands right now, this is only fixed when setting |
I don't think we have a strong opinion on this per se (we will probably ship Cilium with this setting enabled in our distribution and document the expectation for this to be turned on), but maybe some input from a user perspective: I was very surprised to run into this issue because I didn't expect a I would definitely expect this to work by default, or at the very least this should be mentioned in the default installation guide (as an option that you might want to turn on), since "limiting network access to everything except the Kubernetes API" feels like a fairly frequent use case with |
@embik that's basically my perspective as well. However, at least Cilium is consistent -- CIDR / IPBlock policies cannot select cluster entities (nodes, pods, service IPs) -- if not necessarily matching intuition. However, if we made this the default, it could make existing policies less restrictive. If, somehow, a user is depending on the current behavior to block node access, and we change that, it would be a rude surprise. Since this is a security feature, we need to be quite deliberate in how changes are made. I'm not opposed to changing the default, but it would need to be done with due consideration and consultation with users. |
Very valid points, reminds me of xkcd 1172 - just super charged for security considerations. There is no "good" way out of this apart from documenting behaviour IMHO. I can totally understand that changing the default behaviour at this point is not possible. |
You know, this conversation has tickled a memory; we actually have the ability to change a default via helm that is preserved on upgrade. |
I migrated from calico to cilium yesterday and migration was a breeze. But it cost me several hours to work around the restriction that ipBlocks with cidrs do not cover pods. But that is easy enough to fix. Just allow both traffic to a CIDR for external traffic and also add the pods you want to allow access to . However, that trick does not work with the API server. For instance:
The above network policy should work or am I missing something? The only weird thing is that the kubernetes service which is being accessed is in the 'default' namespace whereas it has an endpoint to a service using a node IP in the 'kube-system' namespace. For now, I have worked around the issue by using the CiliumNetworkPolicy mentioned above but I would rather use standard network policies since it would allow me to switch later on if needed to another CNI. Also, the Will it be possible in 1.15 to also configure API server access in a standard way? I think there is no need to configure IPs of the controller nodes in network policies if the api server is running as a pod in a kubeadm cluster. BTW. I am running kubernetes 1.28.5 on debian 12. |
@ErikEngerd your policy as written won't work, since the kube-apiserver pod is a host-network pod. It is currently undefined upstream how to treat host-network pods (most policy providers basically ignore them, which is probably correct). If you would like to select the apiserver via Kubernetes network policy, you will have to wait for v1.15, enable node selectability, then select via IPBlock selectors. Alternatively, you can solve this problem now with a CiliumNetworkPoliy toEntities selector. |
Is there an existing issue for this?
What happened?
kubectl describe svc kubernetes -n default
Trying to whitelist api-server via Kubernetes Network Policy
Trafic is still blocked.
In cilium monitor I see blocked 10.137.17.30:6443 , 10.137.17.31:6443, 10.137.17.32:6443
When I use Cilium Network Policy
Now everything works fine.
My issue is to use only Kubernetes Network Policy for all my clusters (some of them are based on calico from Tigera)
cilium identity list | grep kube-apiserver
cilium identity get 7
Cilium Version
1.11.2
Kernel Version
5.4.182 on Centos 8
Kubernetes Version
1.22.5
Sysdump
No response
Relevant log output
No response
Anything else?
No response
Code of Conduct
The text was updated successfully, but these errors were encountered: