Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change wording on toServices limitations (see #20067) #25796

Merged
merged 2 commits into from Jun 26, 2023
Merged

Change wording on toServices limitations (see #20067) #25796

merged 2 commits into from Jun 26, 2023

Conversation

atykhyy
Copy link
Contributor

@atykhyy atykhyy commented May 31, 2023

#21052 updated Cilium documentation to say that, in network policy rules, toServices statements cannot be combined with toPorts statements. I believe it would be more informative for users of Cilium to say (following RFC 2119) that toServices must not be combined with toPorts, as technically Cilium accepts such a configuration as valid but handles it in the unexpected and unuseful manner described in #20067.

@atykhyy atykhyy requested review from a team as code owners May 31, 2023 13:39
@maintainer-s-little-helper
Copy link

Commit e832a28b6303cb0fc3de2603d0e12f6df2d4bc96 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels May 31, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label May 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label May 31, 2023
qmonnet
qmonnet approved these changes May 31, 2023
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thank you!

@qmonnet qmonnet added area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. release-note/misc This PR makes changes that have no direct user impact. labels May 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label May 31, 2023
@christarazi christarazi added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label May 31, 2023
christarazi
christarazi reviewed May 31, 2023
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Checkpatch (checks your commits) is failing with

   Warning: WARNING:TYPO_SPELLING: 'unuseful' may be misspelled - perhaps 'useless'?
  #11: 
  as valid but handles it in the unexpected and unuseful manner described
                                                ^^^^^^^^

@joestringer
Copy link
Member

I agree about the "must not" RFC 2119 wording. Personally I'd avoid making any statements about how the limitation behaves, since it's a limitation - we don't want users to rely on this, this is not API, it is subject to change without warning. Ideally someone will pick this up and fix the limitation, and at that point I'd hope that users aren't assuming that the limitation always has these semantics.

But 🤷 I don't feel super strongly about this. Just want to say, we reserve the right to break this statement at any time.

@atykhyy
Copy link
Contributor Author

atykhyy commented Jun 8, 2023

I agree that documenting incorrect behavior is not a very good idea, even if it's explicitly stated that the behavior is incorrect. On the other hand a simple statement of limitation feels insufficiently scary: the rule apparently works (makes the service accessible), but has non-obvious and potentially dangerous additional effects. Perhaps it's best to simply make rules with both toServices and toPorts fail validation? A couple lines in pkg\policy\api\rule_validation.go:sanitize(*EgressRule) would suffice.

@atykhyy atykhyy requested a review from a team as a code owner June 10, 2023 20:13
@ti-mo
Copy link
Contributor

ti-mo commented Jun 20, 2023

/test

@ti-mo ti-mo added the release-blocker/1.14 This issue will prevent the release of the next version of Cilium. label Jun 20, 2023
@ti-mo
Copy link
Contributor

ti-mo commented Jun 20, 2023

Some changes were made to CI in past weeks so this might need a rebase. I've approved the workflows and marked this a release blocker. This would be nice to ship in 1.14.

@ti-mo ti-mo added the dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. label Jun 20, 2023
@ti-mo
Copy link
Contributor

ti-mo commented Jun 20, 2023

@atykhyy Please rebase to re-run Travis and to pick up some fixes for flakes etc.

@ti-mo
Copy link
Contributor

ti-mo commented Jun 21, 2023

@atykhyy one test failing:

--- FAIL: Test/PolicyAPITestSuite#01/TestToServicesSanitize (0.00s)

    rule_validation_test.go:630: 

        ... value *errors.errorString = &errors.errorString{s:"Combining ToServices and ToPorts is not supported yet"} ("Combining ToServices and ToPorts is not supported yet")

@atykhyy atykhyy force-pushed the to-services-wording branch 2 times, most recently from ac7e9bf to b39a1c9 Compare June 21, 2023 08:24
@atykhyy
Copy link
Contributor Author

atykhyy commented Jun 21, 2023

@ti-mo Right. It's the test which checks for toServices+toPorts policy which fails validation per this PR. I have reversed the test result.

@ti-mo
Copy link
Contributor

ti-mo commented Jun 23, 2023

Sorry for the trouble, looks like image builds are failing, something probably changed on main. Could you give this another rebase? 🙏

@ti-mo ti-mo requested a review from christarazi June 23, 2023 08:56
@atykhyy
Change wording on toServices limitations (see cilium#20067)
46f062c 
PR cilium#21052 updated Cilium documentation to say that, in network policy
rules, `toServices` statements cannot be combined with `toPorts`
statements. I believe it would be more informative for Cilium users
to say (following RFC 2119) that `toServices` _must not_ be combined
with `toPorts`, as technically Cilium accepts such a network policy
as valid but handles it in the unexpected and potentially dangerous
(e.g. if a setup relies on Cilium network policy to implement egress
filtering) manner described in cilium#20067.

Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
@atykhyy
Make rules combining toServices and toPorts fail validation
4b3fd29 
Currently, an egress rule combining toServices and toPorts has
the unexpected and potentially dangerous side effect of allowing egress
traffic to any remote endpoint on the port(s) specified (see cilium#20067).
This change makes such rules fail validation.

Signed-off-by: Anton Tykhyy <atykhyy@gmail.com>
@ti-mo
Copy link
Contributor

ti-mo commented Jun 23, 2023

/test

@ldelossa ldelossa merged commit 7959bf5 into cilium:main Jun 26, 2023
63 of 65 checks passed
@joestringer joestringer mentioned this pull request Jun 28, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@qmonnet qmonnet qmonnet approved these changes

@christarazi christarazi Awaiting requested review from christarazi

Assignees
No one assigned
Labels
area/documentation Impacts the documentation, including textual changes, sphinx, or other doc generation code. dont-merge/needs-rebase This PR needs to be rebased because it has merge conflicts. kind/community-contribution This was a contribution made by a community member. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@atykhyy @joestringer @ti-mo @nathanjsweet @christarazi @qmonnet @ldelossa