Limit DNS matchname/matchpattern rule lengths #21491

Open
4 tasks
joestringer opened this issue Sep 28, 2022 · 4 comments
Labels
help-wanted Please volunteer for this by adding yourself as an assignee! kind/enhancement This would improve or streamline existing functionality. pinned These issues are not marked stale by our issue bot. sig/agent Cilium agent related. stale The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.

Comments

@joestringer
Member

DNS names can only be up to 255 characters in length:

https://datatracker.ietf.org/doc/html/rfc1035#section-2.3.4

Furthermore, DNS matchpattern rules that are excessively long could cause Cilium agent to take a long time to process the rules. It would make sense to impose a (configurable?) limit on these, perhaps something like 63 to begin with.

Tasks:

  • Check whether matchName statements are limited to the maximum length of a DNS name
  • Create a new hidden configuration flag for max dns matchpattern string length
  • Extend the CiliumNetworkPolicy sanitization logic to limit the length of DNS matchname/matchpattern rules
  • Extend the preflight check to validate whether any existing CNPs or CCNPs have matchpattern / matchnames that exceed the default limits. If yes, highlight the statements. Instruct the user to configure the above Cilium flag to raise the limits to match the policies they use in their environment.
@joestringer added the kind/enhancement and help-wanted labels Sep 28, 2022
@aanm added the sig/agent label Nov 8, 2022
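
The length checks from the task list above, as an added example that is not Cilium's code and not part of the issue: `fqdnRule`, `checkRule` and `preflight` are hypothetical names, the policies in `main` are constructed, and the 255 and 63 limits are the values mentioned in the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Limits from the issue text: 255 is the DNS name maximum (RFC 1035 counts
// octets, which len() matches); 63 is the suggested starting pattern limit.
const maxDNSNameLen, defaultMaxPatternLen = 255, 63

// fqdnRule is a hypothetical stand-in for one toFQDNs entry, not Cilium's type.
type fqdnRule struct{ Policy, MatchName, MatchPattern string }

// checkRule rejects a rule whose matchName or matchPattern is over its limit.
func checkRule(r fqdnRule, maxPatternLen int) error {
	if n := len(r.MatchName); n > maxDNSNameLen {
		return fmt.Errorf("%s: matchName is %d octets, limit is %d", r.Policy, n, maxDNSNameLen)
	}
	if n := len(r.MatchPattern); n > maxPatternLen {
		return fmt.Errorf("%s: matchPattern is %d octets, limit is %d; shorten it or raise the configured limit", r.Policy, n, maxPatternLen)
	}
	return nil
}

// preflight reports every offending rule instead of stopping at the first.
func preflight(rules []fqdnRule, maxPatternLen int) []string {
	var findings []string
	for _, r := range rules {
		if err := checkRule(r, maxPatternLen); err != nil {
			findings = append(findings, err.Error())
		}
	}
	return findings
}

func main() {
	// Constructed sample policies: one valid, two over the limits.
	rules := []fqdnRule{
		{Policy: "cnp/allow-api", MatchName: "api.example.com"},
		{Policy: "cnp/long-pattern", MatchPattern: "*." + strings.Repeat("a", 70) + ".example.com"},
		{Policy: "ccnp/long-name", MatchName: strings.Repeat("a", 256)},
	}
	for _, f := range preflight(rules, defaultMaxPatternLen) {
		fmt.Println(f)
	}
}
```
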
@github-actions

github-actions bot commented Jan 8, 2023

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

@github-actions bot added the stale label Jan 8, 2023
@github-actions

This issue has not seen any activity since it was marked stale.
Closing.

@github-actions bot closed this as not planned Jan 23, 2023
@joestringer reopened this Feb 9, 2023
@joestringer added the pinned label Feb 9, 2023
@kwakubiney
Member

Stale? Interested.

@joestringer
Member Author

Hi @kwakubiney, awesome that you're interested in this topic! Feel free to write up a CFP / proposal for more discussion, or create a PR with an implementation and we can discuss on the PR. If you would like more up-front design discussion then there is the https://github.com/cilium/design-cfps/ repo which has a template for considerations for an implementation, and you can start either with a PR on that repo or a Google doc (+ link it here).

3 participants