k8s/watchers: Fix erroneous warning logs due to empty CIDRGroupRef #25072

christarazi
Member

@christarazi christarazi commented Apr 24, 2023

Previously, the logic to detect whether a CIDRGroupRef has been set did
not consider CNP policies which only reference a CIDR. This is relevant
because CIDRs and CIDRGroupRefs are mutually exclusive, i.e. oneOf
validation is applied on them.

This triggered the following warning log to be triggered quite often as
each update to the CNP would run through the translation logic:

```
level=warning msg="Unable to translate all cidr groups to cidrs" cidrGroupRef="[group-1 ]" ciliumNetworkPolicyName=tofqdn-dns-visibility error="cidr group \"group-1\" not found, skipping translation; cidr group \"\" not found, skipping translation" k8sApiVersion= k8sNamespace=default subsys=k8s-watcher
```

For example, the following will trigger the buggy behavior:

```
ingress:
  - fromCIDRSet:
    - cidr: "3.3.3.3/32"
```

With the fix, we detect that a CIDR has been set and therefore, we avoid
returning an empty CIDRGroupRef name.

Fixes: dd4aba4 ("k8s: Add support for cidrGroupRef field in
CNP/CCNP")
Fixes: #25020

Signed-off-by: Chris Tarazi <chris@isovalent.com>
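
The condition described in this PR, reproduced as a stand-alone Go example (added here; it is not the code from this PR or from the Cilium repository). `CIDRRule`, `collectRefsNaive`, `collectRefs` and `missingGroups` are hypothetical names, and the two-rule input is constructed to reproduce the `[group-1 ]` list seen in the quoted warning.

```go
package main

import (
	"fmt"
	"strings"
)

// CIDRRule: simplified stand-in for one fromCIDRSet entry (hypothetical type,
// not Cilium's). oneOf validation means exactly one field is set.
type CIDRRule struct {
	CIDR, CIDRGroupRef string
}

// collectRefsNaive takes the group name from every rule, so CIDR-only rules add "".
func collectRefsNaive(rules []CIDRRule) []string {
	refs := make([]string, 0, len(rules))
	for _, r := range rules {
		refs = append(refs, r.CIDRGroupRef)
	}
	return refs
}

// collectRefs skips rules that set a CIDR, so no empty name is returned.
func collectRefs(rules []CIDRRule) []string {
	var refs []string
	for _, r := range rules {
		if r.CIDR == "" && r.CIDRGroupRef != "" {
			refs = append(refs, r.CIDRGroupRef)
		}
	}
	return refs
}

// missingGroups reports unknown references in the wording of the warning above.
func missingGroups(refs []string, known map[string]bool) string {
	var errs []string
	for _, ref := range refs {
		if !known[ref] {
			errs = append(errs, fmt.Sprintf("cidr group %q not found, skipping translation", ref))
		}
	}
	return strings.Join(errs, "; ")
}

func main() {
	// Constructed input: a group reference plus the CIDR-only rule from the description.
	rules := []CIDRRule{{CIDRGroupRef: "group-1"}, {CIDR: "3.3.3.3/32"}}
	fmt.Println(missingGroups(collectRefsNaive(rules), nil)) // no groups exist
	fmt.Println(missingGroups(collectRefs(rules), nil))
}
```

With the naive collection, a policy that contains only CIDR rules still produces a warning on every update; with the CIDR check, the warning appears only for group names that are genuinely missing.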

@christarazi christarazi added kind/bug This is a bug in the Cilium logic. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. sig/agent Cilium agent related. labels Apr 24, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. and removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Apr 24, 2023
@christarazi christarazi force-pushed the pr/christarazi/fix-cidrgroup-erroneous-warning branch 2 times, most recently from 8d3287d to fa2e597 Compare April 24, 2023 03:15
@christarazi christarazi marked this pull request as ready for review April 24, 2023 03:16
@christarazi christarazi requested a review from a team as a code owner April 24, 2023 03:16
@christarazi christarazi requested a review from nebril April 24, 2023 03:16
@christarazi christarazi force-pushed the pr/christarazi/fix-cidrgroup-erroneous-warning branch from fa2e597 to 781665a Compare April 24, 2023 05:19
@christarazi
Member Author

/test

Member

@pippolo84 pippolo84 left a comment

LGTM, thanks! 🚀

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Apr 24, 2023
@christarazi christarazi merged commit c94b475 into cilium:main Apr 24, 2023
56 checks passed
@christarazi christarazi deleted the pr/christarazi/fix-cidrgroup-erroneous-warning branch April 24, 2023 16:18
Successfully merging this pull request may close these issues.

Fix cosmetic bug in error msg where a nonexistent CIDRGroup is referenced