Add support for references to CiliumCIDRGroup inside FromCIDRSet for ingress rules in CNPs #24638
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
maintainer-s-little-helper
bot
added
the
dont-merge/needs-release-note-label
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
pippolo84
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
4 times, most recently
from
e7ecffd
to
7a0f675
Compare
christarazi
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
from
7a0f675
to
c6b6633
Compare
christarazi
added
kind/feature
christarazi
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
2 times, most recently
from
d9763d4
to
1b055b0
Compare
christarazi
requested changes
Mar 31, 2023
pippolo84
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
2 times, most recently
from
dce042a
to
10615c4
Compare
christarazi
reviewed
Apr 3, 2023
pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml
Outdated
Show resolved
Hide resolved
pippolo84
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
6 times, most recently
from
4d15cc5
to
de686ff
Compare
This comment was marked as outdated.
This comment was marked as outdated.
christarazi
reviewed
Apr 4, 2023
This comment was marked as outdated.
This comment was marked as outdated.
pippolo84
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
from
de686ff
to
74873ee
Compare
joestringer
approved these changes
Apr 13, 2023
|
/test Job 'Cilium-PR-K8s-1.24-kernel-5.4' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.24-kernel-5.4/1754/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Job 'Cilium-PR-K8s-1.16-kernel-4.19' hit: #24697 (88.40% similarity) Edit:
|
christarazi
reviewed
Apr 14, 2023
This generates the CiliumCIDRGroup type, to reference a group of CIDRs as a single entity in CiliumNetworkPolicies. Co-authored-by: Chris Tarazi <chris@isovalent.com> Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Embed `cidrGroupRef` field in api.CIDRRule to reference CiliumCIDRGroup objects in Cilium Network Policies. The field can be used to allow ingress traffic from a set of CIDRs listed in the referenced CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
christarazi
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
from
daa64f1
to
39f51d6
Compare
CNP and CCNP events handling is based on the same code, since each CNP and CCNP is first translated to an intermediate types.SlimCNP representation. To support the handling of CNP/CCNP updates, there are two separate caches, one for CNP and one for CCNP. This commit unify the events handling and the caches, relying on the two event channels to avoid any additional locking mechanism. This sets the stage for the fromCIDRGroupRef feature, where we need to reference another k8s object (CiliumCIDRGroup) to get the CIDRs the policies are going to allow when filtering ingress traffic. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
from
39f51d6
to
d30af4e
Compare
Add support for cidrGroupRef field in Ingress rules for Cilium Network Policies. The new field allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we wants to allow traffic from. The feature is implemented as a wrapper to the existing FromCIDRSet Ingress rule. Each policy with a reference to a cidr group is translated in an equivalent "FromCIDRSet policy" after looking up the CIDRs in the referenced CiliumCIDRGroup objects. To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher, in order to avoid further locking when accessing the CNP/CCNP cache or the CIDRGroup one. Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDRSet field the updated lists of CIDRs. In case the referenced CiliumCIDRGroups k8s objects are all empty or deleted, the policy behaviour is default-deny. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
policy_change_total metric counts all the policies change events and should take into account Cilium Clusterwide Network Policied events too. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Inspired from the CNP watcher. Co-authored-by: Fabio Falzoi <fabio.falzoi@isovalent.com> Signed-off-by: Chris Tarazi <chris@isovalent.com>
The NoOp* variables are used in pkg/metrics to define metrics that can be disabled. All of those metrics are grouped together as a slice of prometheus.Collector and then registered to the prometheus register. To add a metric of type prometheus.Histogram that can also be disabled, a type that satisfies both `prometheus.Collector` and `prometheus.Observer` is needed, so the NoOpHistogram of type prometheus.histogram is added. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a metric to measure the time taken to translate the FromCIDRGroupRef field in CNPs and CCNPs. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Add a gauge metric to count the current number of CNPs and CCNPs that reference at least a CiliumCIDRGroup object. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
Assign the following files: - k8s/pkg/watcher/cilium_network_policy.go - k8s/pkg/watcher/cilium_cidr_group.go - k8s/pkg/watcher/cilium_cidr_group_test.go containing the shared handler for CNP, CCNP and CCG objects to sig-policy group. Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
christarazi
force-pushed
the
pr/pippolo84/from-cidr-group-refs-policy
branch
from
d30af4e
to
60506a7
Compare
|
/test Job 'Cilium-PR-K8s-1.16-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.16-kernel-4.19/916/ If it is a flake and a GitHub issue doesn't already exist to track it, comment |
|
4.19 hit #24840 |
|
/test-1.16-4.19 |
christarazi
changed the title
2 tasks
This was referenced Feb 23, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Add support for
cidrGroupRefin CIDR ingress rules in Cilium Network Policies.The new rule allows to reference a list of CiliumCIDRGroup objects that contain the CIDRs from which we want to allow traffic from.
An example of the newly introduced CiliumCIDRGroup CRD is the following:
The feature is implemented as a wrapper to the existing FromCIDR Ingress rule. Each
cidrGroupReffield is translated to the equivalentfromCIDRSetblock with the CIDRs from the referenced CiliumCIDRGroup object.To do that, we use a single handler for CiliumNetworkPolicy, CiliumClusterwideNetworkPolicy and CiliumCIDRGroup in the k8s watcher.
Every time the referenced CiliumCIDRGroups are updated, the CNP rules are recalculated, in order to append to the Ingress.FromCIDR field the updated lists of CIDRs.
In case the lists of CIDRs in the referenced CiliumCIDRGroups are all empty, the policy will have an Ingress rule with all fields equal to nil, except the
cidrGroupRefone. That would result in the same behavior as an empty FromCIDR rule, which means default deny.This PR also adds some metrics to get info about the new Ingress rule impact and usage. Specifically:
cidrGroupReffield into CIDRsFixes #10349