New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
v1.13: k8s: Restrict configuring reserved:init policy via CNP #28039
Conversation
[ upstream commit f48a4d7 ] Change the expected test for policies that apply to reserved:init pod to assume that CCNP is used to configure this type of policy. Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit c45b084 ] Typically if the policy target EndpointSelector does not include a namespace, parsing will inject the namespace to ensure that only Pods within the same namespace can be selected. Furthermore, for peer EndpointSelectors there is a similar behaviour where ingress or egress is allowed only to the current namespace unless the user specifies which namespace the peer exists in. However, these defaults did not previously apply to policies that select the reserved:init Identity, since this Identity is not inherently namespaced, and hence automatically injecting the namespace would cause the policy to no longer match this Identity. The reserved:init Identity was introduced in order to allow a different policy to apply to Pods as they start up, iff the full Identity of those workloads cannot be determined when they are first connecting to the Cilium network (CNI ADD). In order to support this special reserved:init Identity, various exceptions were introduced into CiliumNetworkPolicy parser that removed the automatic insertion of namespace into the policies when there were label matches for the reserved:init namespace. The awkward part about this abstraction early on was that there was no way to directly associate the reserved:init Identity to any specific Kubernetes namespace, and yet CiliumNetworkPolicy was always inherently tied to a specific namespace. Since the introduction of the reserved:init Identity, CiliumClusterwideNetworkPolicy was also introduced, which is a much better fit for the ability to select endpoints that are not inherently namespaced. This patch deprecates support for applying network policies for the reserved:init Identity via CiliumNetworkPolicy in favour of CiliumClusterwideNetworkPolicy. As a benefit, this allows us to simplify the logic that applies the namespaces into the policies and reduce the likelihood of misconfigurations. Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit 642768d ] [ Backporter's notes: Had to adjust sync.Once var name to avoid conflict ] Extend the CNP validation (including preflight checks) to warn users that they are using a policy configuration that is no longer supported. Signed-off-by: Joe Stringer <joe@cilium.io>
f67b233
to
97bef99
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
✨
/test-backport-1.13 Job 'Cilium-PR-K8s-1.17-kernel-4.19' failed: Click to show.Test Name
Failure Output
Jenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.17-kernel-4.19/146/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
k8s-1.19-kernel-4.19 (test-1.19-4.19) - Provisioning failed: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.19/146/execution/node/90/log/ |
/test-1.19-4.19 |
/mlh new-flake Cilium-PR-K8s-1.17-kernel-4.19 |
/test-1.17-4.19 |
Once this PR is merged, you can update the PR labels via:
or with