Cilium silently accepts k8s networkpolicy with endPort without implementing it

[joestringer]

Is there an existing issue for this?

• I have searched the existing issues

What happened?

If you configure a k8s networkpolicy with endPort statements, Cilium silently accepts it and ignores the endPort.

Cilium Version

1.15-dev, but I'm sure it applies to all versions

Kernel Version

N/A

Kubernetes Version

N/A

Sysdump

No response

Relevant log output

level=info msg="Policy Add Request" ciliumNetworkPolicy="[&{EndpointSelector:{\"matchLabels\":{\"k8s:io.kubernetes.pod.namespace\":\"default\"}} NodeSelector:{} Ingress:[{IngressCommonRule:{FromEndpoints:[{\"matchLabels\":{\"k8s:class\":\"deathstar\",\"k8s:io.kubernetes.pod.namespace\":\"default\",\"k8s:org\":\"empire\"}}] FromRequires:[] FromCIDR: FromCIDRSet:[] FromEntities:[] aggregatedSelectors:[]} ToPorts:[{Ports:[{Port:79 Protocol:TCP}] TerminatingTLS:<nil> OriginatingTLS:<nil> ServerNames:[] Listener:<nil> Rules:<nil>}] ICMPs:[] Authentication:<nil>}] IngressDeny:[] Egress:[] EgressDeny:[] Labels:[k8s:io.cilium.k8s.policy.derived-from=NetworkPolicy k8s:io.cilium.k8s.policy.name=endport-policy k8s:io.cilium.k8s.policy.namespace=default k8s:io.cilium.k8s.policy.uid=6ba0513f-1d5f-445e-b240-1f9b94bd7cbd] Description:}]" policyAddRequest=ef9cd617-c7b7-4a70-a096-ec1ed697e78b subsys=daemon
level=info msg="Policy imported via API, recalculating..." policyAddRequest=ef9cd617-c7b7-4a70-a096-ec1ed697e78b policyRevision=2 subsys=daemon
level=info msg="NetworkPolicy successfully added" k8sApiVersion= k8sNetworkPolicyName=endport-policy subsys=k8s-watcher

Anything else?

Network policy:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: endport-policy
spec:
  ingress:
  - from:
    - podSelector:
        matchLabels:
          org: empire
          class: deathstar
    ports:
    - endPort: 80
      port: 79
      protocol: TCP

Steps to reproduce:

1. Install Cilium in a k8s cluster
2. kubectl create -f https://raw.githubusercontent.com/cilium/cilium/1.14.3/examples/minikube/http-sw-app.yaml
3. kubectl create -f policy.yaml
4. kubectl exec xwing -- curl -s -XPOST deathstar.default.svc.cluster.local/v1/request-landing

Observe that the connections fail. Hubble also reports:

Oct 18 17:56:12.464: default/tiefighter:42178 (ID:26691) <> default/deathstar-54bb8475cc-ddz5c:80 (ID:35141) from-overlay FORWARDED (TCP Flags: SYN)
Oct 18 17:56:12.464: default/tiefighter:42178 (ID:26691) <> default/deathstar-54bb8475cc-ddz5c:80 (ID:35141) policy-verdict:none INGRESS DENIED (TCP Flags: SYN)

Related: #16622

Code of Conduct

• I agree to follow this project's Code of Conduct

[joestringer]

I think that Cilium should make this more obvious to the user until we implement #16622. Users should not be left confused why Cilium is not allowing the traffic when the cause is that the network policy is not being implemented as prescribed. The errors should be more obvious, at the very least by reporting them in cilium-agent logs.

[github-actions]

This issue has been automatically marked as stale because it has not
had recent activity. It will be closed if no further activity occurs.

[github-actions]

This issue has not seen any activity since it was marked stale.
Closing.

[joestringer]

Fixed by #28704 .