New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Change wording on toServices limitations (see #20067) #25796
Conversation
Commit e832a28b6303cb0fc3de2603d0e12f6df2d4bc96 does not contain "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin |
e832a28
to
aa8838a
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, thank you!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR!
Checkpatch (checks your commits) is failing with
Warning: WARNING:TYPO_SPELLING: 'unuseful' may be misspelled - perhaps 'useless'?
#11:
as valid but handles it in the unexpected and unuseful manner described
^^^^^^^^
aa8838a
to
0f68cc2
Compare
I agree about the "must not" RFC 2119 wording. Personally I'd avoid making any statements about how the limitation behaves, since it's a limitation - we don't want users to rely on this, this is not API, it is subject to change without warning. Ideally someone will pick this up and fix the limitation, and at that point I'd hope that users aren't assuming that the limitation always has these semantics. But 🤷 I don't feel super strongly about this. Just want to say, we reserve the right to break this statement at any time. |
I agree that documenting incorrect behavior is not a very good idea, even if it's explicitly stated that the behavior is incorrect. On the other hand a simple statement of limitation feels insufficiently scary: the rule apparently works (makes the service accessible), but has non-obvious and potentially dangerous additional effects. Perhaps it's best to simply make rules with both |
/test |
Some changes were made to CI in past weeks so this might need a rebase. I've approved the workflows and marked this a release blocker. This would be nice to ship in 1.14. |
@atykhyy Please rebase to re-run Travis and to pick up some fixes for flakes etc. |
fc190ee
to
bb76c09
Compare
@atykhyy one test failing:
|
ac7e9bf
to
b39a1c9
Compare
@ti-mo Right. It's the test which checks for toServices+toPorts policy which fails validation per this PR. I have reversed the test result. |
Sorry for the trouble, looks like image builds are failing, something probably changed on |
PR cilium#21052 updated Cilium documentation to say that, in network policy rules, `toServices` statements cannot be combined with `toPorts` statements. I believe it would be more informative for Cilium users to say (following RFC 2119) that `toServices` _must not_ be combined with `toPorts`, as technically Cilium accepts such a network policy as valid but handles it in the unexpected and potentially dangerous (e.g. if a setup relies on Cilium network policy to implement egress filtering) manner described in cilium#20067. Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
Currently, an egress rule combining toServices and toPorts has the unexpected and potentially dangerous side effect of allowing egress traffic to any remote endpoint on the port(s) specified (see cilium#20067). This change makes such rules fail validation. Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
b39a1c9
to
4b3fd29
Compare
/test |
#21052 updated Cilium documentation to say that, in network policy rules,
toServices
statements cannot be combined withtoPorts
statements. I believe it would be more informative for users of Cilium to say (following RFC 2119) thattoServices
must not be combined withtoPorts
, as technically Cilium accepts such a configuration as valid but handles it in the unexpected and unuseful manner described in #20067.