v1.13: k8s: Restrict configuring reserved:init policy via CNP #28039
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[ upstream commit f48a4d7 ] Change the expected test for policies that apply to reserved:init pod to assume that CCNP is used to configure this type of policy. Signed-off-by: Joe Stringer <joe@cilium.io>
[ upstream commit c45b084 ] Typically if the policy target EndpointSelector does not include a namespace, parsing will inject the namespace to ensure that only Pods within the same namespace can be selected. Furthermore, for peer EndpointSelectors there is a similar behaviour where ingress or egress is allowed only to the current namespace unless the user specifies which namespace the peer exists in. However, these defaults did not previously apply to policies that select the reserved:init Identity, since this Identity is not inherently namespaced, and hence automatically injecting the namespace would cause the policy to no longer match this Identity. The reserved:init Identity was introduced in order to allow a different policy to apply to Pods as they start up, iff the full Identity of those workloads cannot be determined when they are first connecting to the Cilium network (CNI ADD). In order to support this special reserved:init Identity, various exceptions were introduced into CiliumNetworkPolicy parser that removed the automatic insertion of namespace into the policies when there were label matches for the reserved:init namespace. The awkward part about this abstraction early on was that there was no way to directly associate the reserved:init Identity to any specific Kubernetes namespace, and yet CiliumNetworkPolicy was always inherently tied to a specific namespace. Since the introduction of the reserved:init Identity, CiliumClusterwideNetworkPolicy was also introduced, which is a much better fit for the ability to select endpoints that are not inherently namespaced. This patch deprecates support for applying network policies for the reserved:init Identity via CiliumNetworkPolicy in favour of CiliumClusterwideNetworkPolicy. As a benefit, this allows us to simplify the logic that applies the namespaces into the policies and reduce the likelihood of misconfigurations. Signed-off-by: Joe Stringer <joe@cilium.io>
maintainer-s-little-helper
bot
added
backport/1.13
[ upstream commit 642768d ] [ Backporter's notes: Had to adjust sync.Once var name to avoid conflict ] Extend the CNP validation (including preflight checks) to warn users that they are using a policy configuration that is no longer supported. Signed-off-by: Joe Stringer <joe@cilium.io>
joestringer
force-pushed
the
pr/joe/backport-28007-1.13
branch
from
f67b233
to
97bef99
Compare
|
/test-backport-1.13 Job 'Cilium-PR-K8s-1.17-kernel-4.19' failed: Click to show.Test NameFailure OutputJenkins URL: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.17-kernel-4.19/146/ If it is a flake and a GitHub issue doesn't already exist to track it, comment Then please upload the Jenkins artifacts to that issue. |
|
k8s-1.19-kernel-4.19 (test-1.19-4.19) - Provisioning failed: https://jenkins.cilium.io/job/Cilium-PR-K8s-1.19-kernel-4.19/146/execution/node/90/log/ |
|
/test-1.19-4.19 |
aanm
approved these changes
Sep 8, 2023
|
/mlh new-flake Cilium-PR-K8s-1.17-kernel-4.19 |
|
/test-1.17-4.19 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Once this PR is merged, you can update the PR labels via:
or with