k8s: Restrict configuring reserved:init policy via CNP #28007

joestringer · 2023-09-07T20:15:41Z

Typically if the policy target EndpointSelector does not include a
namespace, parsing will inject the namespace to ensure that only Pods
within the same namespace can be selected. Furthermore, for peer
EndpointSelectors there is a similar behaviour where ingress or egress
is allowed only to the current namespace unless the user specifies which
namespace the peer exists in. However, these defaults did not previously
apply to policies that select the reserved:init Identity, since this
Identity is not inherently namespaced. Automatically injecting the
namespace would cause the policy to no longer match this Identity.

The reserved:init Identity was introduced in order to allow a different
policy to apply to Pods as they start up, iff the full Identity of those
workloads cannot be determined when they are first connecting to the
Cilium network (CNI ADD). In order to support this special reserved:init
Identity, various exceptions were introduced into CiliumNetworkPolicy
parser that removed the automatic insertion of namespace into the
policies when there were label matches for the reserved:init namespace.

The awkward part about this abstraction early on was that there was no
way to directly associate the reserved:init Identity to any specific
Kubernetes namespace, and yet CiliumNetworkPolicy was always inherently
tied to a specific namespace. Since the introduction of the
reserved:init Identity, CiliumClusterwideNetworkPolicy was also
introduced, which is a much better fit for the ability to select
endpoints that are not inherently namespaced. This is because CCNP is
also not restricted to any specific namespace, it applies to Endpoints
in all namespaces. This patch proposes to even extend that policy to
apply to Endpoints that are not inside a namespace, such as Endpoints
with the reserved:init Identity.

This patch removes support for applying network policies for the
reserved:init Identity via CiliumNetworkPolicy in favour of
CiliumClusterwideNetworkPolicy. As a benefit, this allows us to simplify
the logic that applies the namespaces into the policies and reduce the
likelihood of misconfigurations.

Change the expected test for policies that apply to reserved:init pod to assume that CCNP is used to configure this type of policy. Signed-off-by: Joe Stringer <joe@cilium.io>

Typically if the policy target EndpointSelector does not include a namespace, parsing will inject the namespace to ensure that only Pods within the same namespace can be selected. Furthermore, for peer EndpointSelectors there is a similar behaviour where ingress or egress is allowed only to the current namespace unless the user specifies which namespace the peer exists in. However, these defaults did not previously apply to policies that select the reserved:init Identity, since this Identity is not inherently namespaced, and hence automatically injecting the namespace would cause the policy to no longer match this Identity. The reserved:init Identity was introduced in order to allow a different policy to apply to Pods as they start up, iff the full Identity of those workloads cannot be determined when they are first connecting to the Cilium network (CNI ADD). In order to support this special reserved:init Identity, various exceptions were introduced into CiliumNetworkPolicy parser that removed the automatic insertion of namespace into the policies when there were label matches for the reserved:init namespace. The awkward part about this abstraction early on was that there was no way to directly associate the reserved:init Identity to any specific Kubernetes namespace, and yet CiliumNetworkPolicy was always inherently tied to a specific namespace. Since the introduction of the reserved:init Identity, CiliumClusterwideNetworkPolicy was also introduced, which is a much better fit for the ability to select endpoints that are not inherently namespaced. This patch deprecates support for applying network policies for the reserved:init Identity via CiliumNetworkPolicy in favour of CiliumClusterwideNetworkPolicy. As a benefit, this allows us to simplify the logic that applies the namespaces into the policies and reduce the likelihood of misconfigurations. Signed-off-by: Joe Stringer <joe@cilium.io>

Extend the CNP validation (including preflight checks) to warn users that they are using a policy configuration that is no longer supported. Signed-off-by: Joe Stringer <joe@cilium.io>

joestringer · 2023-09-07T20:59:07Z

/test

lambdanis

docs ok

joestringer added 2 commits September 7, 2023 13:13

k8s: Change test for reserved:init to CCNP

029cb44

Change the expected test for policies that apply to reserved:init pod to assume that CCNP is used to configure this type of policy. Signed-off-by: Joe Stringer <joe@cilium.io>

maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 7, 2023

joestringer requested review from aanm and christarazi September 7, 2023 20:15

maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Sep 7, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.13.7 Sep 7, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.14.2 Sep 7, 2023

maintainer-s-little-helper bot added this to Needs backport from main in 1.12.14 Sep 7, 2023

k8s: Add validation for init policy selection

f555761

Extend the CNP validation (including preflight checks) to warn users that they are using a policy configuration that is no longer supported. Signed-off-by: Joe Stringer <joe@cilium.io>

joestringer marked this pull request as ready for review September 7, 2023 20:59

joestringer requested review from a team as code owners September 7, 2023 20:59

joestringer requested a review from lambdanis September 7, 2023 20:59

joestringer added the backport/author The backport will be carried out by the author of the PR. label Sep 8, 2023

lambdanis approved these changes Sep 8, 2023

View reviewed changes

ferozsalam added release-blocker/1.12 This issue will prevent the release of the next version of Cilium. release-blocker/1.13 This issue will prevent the release of the next version of Cilium. release-blocker/1.14 This issue will prevent the release of the next version of Cilium. labels Sep 8, 2023

aanm approved these changes Sep 8, 2023

View reviewed changes

aanm merged commit 642768d into main Sep 8, 2023
203 of 206 checks passed

aanm deleted the pr/joe/cnp-dne-op branch September 8, 2023 13:00

joestringer mentioned this pull request Sep 8, 2023

v1.14: k8s: Restrict configuring reserved:init policy via CNP #28038

Merged

1 task

This was referenced Sep 8, 2023

v1.13: k8s: Restrict configuring reserved:init policy via CNP #28039

Merged

v1.12: k8s: Restrict configuring reserved:init policy via CNP #28040

Merged

joestringer added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Sep 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.2 Sep 8, 2023

joestringer added backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. and removed needs-backport/1.13 This PR / issue needs backporting to the v1.13 branch labels Sep 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.13 in 1.13.7 Sep 8, 2023

joestringer added backport-pending/1.12 and removed needs-backport/1.12 labels Sep 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.14 Sep 8, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Needs backport from main in 1.12.14 Sep 8, 2023

maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.12 in 1.12.14 Sep 8, 2023

joestringer added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Sep 8, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.14 to Backport done to v1.14 in 1.14.2 Sep 8, 2023

joestringer added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. and removed backport-pending/1.13 The backport for Cilium 1.13.x for this PR is in progress. labels Sep 9, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.13 to Backport done to v1.13 in 1.13.7 Sep 9, 2023

joestringer added backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Sep 9, 2023

maintainer-s-little-helper bot moved this from Backport pending to v1.12 to Backport done to v1.12 in 1.12.14 Sep 9, 2023

This was referenced Sep 9, 2023

Prepare for release v1.14.2 #28052

Merged

Prepare for release v1.13.7 #28053

Merged

Prepare for release v1.12.14 #28054

Merged

GoVulnBot mentioned this pull request Sep 27, 2023

x/vulndb: potential Go vuln in github.com/cilium/cilium: CVE-2023-41333 golang/vulndb#2083

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

k8s: Restrict configuring reserved:init policy via CNP #28007

k8s: Restrict configuring reserved:init policy via CNP #28007

joestringer commented Sep 7, 2023 •

edited

joestringer commented Sep 7, 2023

lambdanis left a comment

k8s: Restrict configuring reserved:init policy via CNP #28007

k8s: Restrict configuring reserved:init policy via CNP #28007

Conversation

joestringer commented Sep 7, 2023 • edited

joestringer commented Sep 7, 2023

lambdanis left a comment

Choose a reason for hiding this comment

joestringer commented Sep 7, 2023 •

edited