Cilium does not recognise identity thus got policy denied for a within namespace call on the same POD. #28320
Closed
Labels
kind/bug: This is a bug in the Cilium logic.
kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
need-more-info: More information is required to further debug or fix the issue.
sig/datapath: Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
stale: The stale bot thinks this issue is old. Add "pinned" label to prevent this from becoming stale.
Is there an existing issue for this?
What happened?
When deploying the following CNP, it appears that Cilium incorrectly identifies calls within the namespace as the (world) entity. We expect it to accept calls within the same namespace.
We get the following drops:
The weird thing is that the drop also occurs when deploying this netpol instead of the CNP and using the same pod.
So if you do a call to the same pod in the same namespace, it fails with a drop on (world).
It appears to be related to one of these:
#21083
#14284
#23911
Cilium Version
Client: 1.13.4 4061cdf 2023-06-14T03:37:39+00:00 go version go1.19.10 linux/amd64
Daemon: 1.13.4 4061cdf 2023-06-14T03:37:39+00:00 go version go1.19.10 linux/amd64
Kernel Version
Linux ip-10-116-83-84.eu-central-1.compute.internal 5.10.186-179.751.amzn2.x86_64 #1 SMP Tue Aug 1 20:51:38 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Kubernetes Version
Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.3", GitCommit:"25b4e43193bcda6c7328a6d147b1fb73a33f1598", GitTreeState:"clean", BuildDate:"2023-06-14T09:47:38Z", GoVersion:"go1.20.5", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"25+", GitVersion:"v1.25.12-eks-2d98532", GitCommit:"0aa16cf4fac4da27b9e9e9ba570b990867f6a3d8", GitTreeState:"clean", BuildDate:"2023-07-28T16:52:04Z", GoVersion:"go1.20.6", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.27) and server (1.25) exceeds the supported minor version skew of +/-1
Sysdump
cilium-sysdump-20230928-095303.zip
Relevant log output
No response
Anything else?
No response
Code of Conduct