CIDRGroup reference metric will not count nonexistent CIDRGroups #26133

Merged
merged 1 commit into cilium:main, Jun 28, 2023

Conversation

akstron (Contributor) commented Jun 12, 2023


Fixes: #25022

Added a check on CIDRGroupRef to make sure that the reference is valid.

CIDRGroup reference metric will not count nonexistent CIDRGroups

Signed-off-by: Alok Kumar Singh <alokaks601@gmail.com>

maintainer-s-little-helper (bot) added the label dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) on Jun 12, 2023
github-actions (bot) added the label kind/community-contribution (This was a contribution made by a community member.) on Jun 12, 2023
@akstron akstron marked this pull request as ready for review June 12, 2023 17:19
@akstron akstron requested a review from a team as a code owner June 12, 2023 17:19
@akstron akstron requested a review from aditighag June 12, 2023 17:19
christarazi (Member):

/test

pippolo84 (Member) left a comment

Thanks for your PR. 🙏

Could you please explain in more detail in which case you ended up with rule.CIDR and rule.CIDRGroupRef both empty?

Given the kubebuilder validation that should not be possible:

// CIDR is a CIDR prefix / IP Block.
//
// +kubebuilder:validation:OneOf
Cidr CIDR `json:"cidr,omitempty"`
// CIDRGroupRef is a reference to a CiliumCIDRGroup object.
// A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to
// the rule, can (Ingress) or cannot (IngressDeny) receive connections from.
//
// +kubebuilder:validation:OneOf
CIDRGroupRef CIDRGroupRef `json:"cidrGroupRef,omitempty"`

In fact, trying to apply this:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cidr-group-ref-cnp"
spec:
  endpointSelector:
    matchLabels:
      run: app
  ingress:
  - fromCIDRSet:
    - cidrGroupRef: ""

is failing as expected:

The CiliumNetworkPolicy "cidr-group-ref-cnp" is invalid: spec.ingress[0].fromCIDRSet[0].cidrGroupRef: Invalid value: "": spec.ingress[0].fromCIDRSet[0].cidrGroupRef in body should match '^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'

And a null value:

spec:
  endpointSelector:
    matchLabels:
      run: app
  ingress:
  - fromCIDRSet:
    - cidrGroupRef: null

is leading to a validation error, too.

christarazi (Member) commented Jun 14, 2023

@pippolo84 I think the case is when the user applies a policy with a ref that doesn't exist, like

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cidr-group-ref-cnp"
spec:
  endpointSelector:
    matchLabels:
      run: app
  ingress:
  - fromCIDRSet:
    - cidrGroupRef: "doesn't-exist"

the metric is still incremented.

pippolo84 (Member) commented Jun 14, 2023

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "cidr-group-ref-cnp"
spec:
  endpointSelector:
    matchLabels:
      run: app
  ingress:
  - fromCIDRSet:
    - cidrGroupRef: "doesn't-exist"

If I'm not mistaken the proposed change is just checking the length of rule.CIDRGroupRef, that is, the length of the string "doesn't-exist" in your example policy.
If we want to avoid incrementing the metric for a non-existing reference I think we need to check cidrGroupCache to see if a CiliumCIDRGroup with that name actually exists.

akstron (Contributor, Author) commented Jun 17, 2023

Hi @pippolo84, probably I misunderstood the issue. What I understand from the conversation above is that we can add a particular groupRef, even though the object itself does not exist and we need to check this existence to resolve the issue.

What I suggest is we can use cidrGroupRefsToCIDRsSets, to translate the cidrGroupRefs we receive during metric update to get valid CIDRSets and check its length instead of the length of cidrGroupRefs.

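To make the two points raised above concrete (the CRD schema check that rejects an empty or null cidrGroupRef before the policy is stored, and the cache lookup that is needed to tell a dangling reference from a live one when the metric is updated), here is an added, stand-alone example in Go. It is not Cilium's code: CIDRRule, CIDRGroupCache, CIDRGroupRefsToCIDRSets and the two Count functions are hypothetical stand-ins for the watcher's types and helpers, and the sample groups and rules are constructed for the demonstration. The name pattern is the one quoted in the validation error earlier in this thread.

```go
package main

import (
	"fmt"
	"regexp"
)

// cidrGroupRefPattern is the name pattern from the CRD validation error
// quoted in this thread; it is what rejects "" before a policy is stored.
var cidrGroupRefPattern = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// CIDRRule is a simplified fromCIDRSet entry (hypothetical shape, not the
// project's type): exactly one of Cidr or CIDRGroupRef is expected to be set.
type CIDRRule struct {
	Cidr         string
	CIDRGroupRef string
}

// CIDRGroupCache stands in for the watcher's cache of CiliumCIDRGroup
// objects, keyed by name, each holding the group's CIDRs (hypothetical).
type CIDRGroupCache map[string][]string

// ValidRefSyntax reports whether a ref would pass the schema check. This is
// the only check the API server performs; it says nothing about existence.
func ValidRefSyntax(ref string) bool {
	return cidrGroupRefPattern.MatchString(ref)
}

// collectRefs returns the non-empty CIDRGroupRef values of a rule list.
func collectRefs(rules []CIDRRule) []string {
	refs := make([]string, 0, len(rules))
	for _, r := range rules {
		if r.CIDRGroupRef != "" {
			refs = append(refs, r.CIDRGroupRef)
		}
	}
	return refs
}

// CIDRGroupRefsToCIDRSets resolves refs against the cache and returns one
// CIDR set per reference that names an existing group; unknown names are
// dropped rather than resolved to an empty set.
func CIDRGroupRefsToCIDRSets(cache CIDRGroupCache, refs []string) [][]string {
	sets := make([][]string, 0, len(refs))
	for _, ref := range refs {
		if cidrs, ok := cache[ref]; ok {
			sets = append(sets, cidrs)
		}
	}
	return sets
}

// CountNaiveCIDRGroupRefs is the behaviour under discussion: every non-empty
// ref string is counted, whether or not the group exists.
func CountNaiveCIDRGroupRefs(rules []CIDRRule) int {
	return len(collectRefs(rules))
}

// CountLiveCIDRGroupRefs counts only references that resolve through the
// cache, which is the approach proposed in the comment above.
func CountLiveCIDRGroupRefs(cache CIDRGroupCache, rules []CIDRRule) int {
	return len(CIDRGroupRefsToCIDRSets(cache, collectRefs(rules)))
}

func main() {
	// Constructed sample data: two groups exist, one reference is dangling.
	cache := CIDRGroupCache{
		"office-egress": {"198.51.100.0/24"},
		"empty-group":   {},
	}
	rules := []CIDRRule{
		{CIDRGroupRef: "office-egress"},
		{CIDRGroupRef: "empty-group"},
		{CIDRGroupRef: "does-not-exist"},
		{Cidr: "192.0.2.0/24"},
	}
	for _, ref := range []string{"", "does-not-exist", "doesn't-exist"} {
		fmt.Printf("%q passes schema check: %v\n", ref, ValidRefSyntax(ref))
	}
	fmt.Println("naive count:", CountNaiveCIDRGroupRefs(rules))
	fmt.Println("live count: ", CountLiveCIDRGroupRefs(cache, rules))
}
```

Run it with go run: the naive count reports three references while the live count reports two, because only the refs that resolve through the cache are counted. Two details worth noticing: a group that exists but holds no CIDRs still counts as live, and the schema pattern also rejects an apostrophe, so a dangling reference that reaches the agent is always a syntactically valid name that no CiliumCIDRGroup object carries.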
@akstron akstron requested a review from pippolo84 June 20, 2023 05:44
pippolo84 (Member) left a comment

I think the current approach is the correct one, thanks! I've left a suggestion to improve the comment.

Could you please squash this last commit into the previous one?
Also, you need to use your real name for the Signed-off-by line. I suggest to read the Cilium Contribution Guidelines and the Developer's Certificate of Origin section.

Review comment on pkg/k8s/watchers/cilium_network_policy.go (outdated, resolved)
ti-mo added the label release-note/misc (This PR makes changes that have no direct user impact.) on Jun 20, 2023
maintainer-s-little-helper (bot) removed the label dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) on Jun 20, 2023
ti-mo added the labels kind/bug (This is a bug in the Cilium logic.), release-note/bug (This PR fixes an issue in a previous release of Cilium.) and dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.), and removed release-note/misc (This PR makes changes that have no direct user impact.) on Jun 20, 2023
maintainer-s-little-helper (bot) removed the label dont-merge/needs-release-note-label (The author needs to describe the release impact of these changes.) on Jun 20, 2023
ti-mo (Contributor) commented Jun 20, 2023

@akstron Looks like your second commit overwrites the first, please squash.

@akstron akstron requested a review from a team as a code owner June 21, 2023 14:09
joestringer (Member):

It's likely that the test failures could be resolved by rebasing against the tip of the main branch.

Commit (title truncated on the page): …pRefs

Signed-off-by: Alok Kumar Singh <alokaks601@gmail.com>
@christarazi christarazi added the sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. label Jun 27, 2023
@christarazi christarazi added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Jun 27, 2023
pippolo84 (Member) left a comment

Thanks! 🚀

pippolo84 (Member):

/test

@pippolo84 pippolo84 added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 28, 2023
@borkmann borkmann merged commit ef59981 into cilium:main Jun 28, 2023
65 checks passed
Labels
kind/bug This is a bug in the Cilium logic. kind/community-contribution This was a contribution made by a community member. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Successfully merging this pull request may close these issues.

CIDRGroup references metric should count live references only and not count nonexistent CIDRGroups
8 participants