k8s: Invalidate Policies that Support "EndPort" #28704

nathanjsweet
Member

Cilium does not currently support port ranges in
network policies.

policy: Cilium will not process or enforce network policies with port ranges or Kubernetes network policies that use "EndPort".

@nathanjsweet nathanjsweet added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Oct 19, 2023
@nathanjsweet nathanjsweet requested a review from a team as a code owner October 19, 2023 21:20
@nathanjsweet nathanjsweet added the needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch label Oct 19, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot added this to Needs backport from main in 1.14.4 Oct 19, 2023
@joestringer
Member

I think the subtle question here is exactly what behaviour we want on upgrade. Currently the policy with endport will put endpoints into default deny and therefore lock down the endpoints. If we reject the policy completely, that could mean the policy is ineffective and opens up the endpoints completely if that's the only policy. It may be safer to accept but log, given this is long-standing behaviour (?)

@joestringer joestringer added the upgrade-impact This PR has potential upgrade or downgrade impact. label Oct 20, 2023
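
For the upgrade question raised above, an operator can audit which Kubernetes NetworkPolicies set `endPort` before the behaviour changes. This is an added example, not code from this PR or from Cilium; the type names, `FindEndPort` and the sample policies are constructed for illustration, and the input is assumed to have the shape of `kubectl get networkpolicies -A -o json`.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of networking.k8s.io/v1 NetworkPolicy needed for the check.
type rule struct {
	Ports []struct {
		Port    json.RawMessage `json:"port"` // IntOrString, kept raw
		EndPort *int32          `json:"endPort"`
	} `json:"ports"`
}

// Untagged fields rely on encoding/json matching keys case-insensitively.
type policy struct {
	Metadata struct{ Namespace, Name string }
	Spec     struct{ Ingress, Egress []rule }
}

// sampleList is constructed input shaped like `kubectl get networkpolicies -A -o json`.
const sampleList = `{"items":[
 {"metadata":{"namespace":"db","name":"allow-range"},"spec":{"podSelector":{},
  "ingress":[{"ports":[{"protocol":"TCP","port":32000,"endPort":32768}]}]}},
 {"metadata":{"namespace":"web","name":"allow-http"},"spec":{"podSelector":{},
  "ingress":[{"ports":[{"protocol":"TCP","port":80}]}]}}]}`

// FindEndPort returns one finding per rule port that sets endPort.
func FindEndPort(listJSON []byte) ([]string, error) {
	var list struct{ Items []policy }
	if err := json.Unmarshal(listJSON, &list); err != nil {
		return nil, err
	}
	var found []string
	for _, p := range list.Items {
		for d, rules := range [][]rule{p.Spec.Ingress, p.Spec.Egress} {
			for i, r := range rules {
				for _, pt := range r.Ports {
					if pt.EndPort != nil {
						found = append(found, fmt.Sprintf("%s/%s %s[%d] port %s endPort %d", p.Metadata.Namespace,
							p.Metadata.Name, []string{"ingress", "egress"}[d], i, pt.Port, *pt.EndPort))
					}
				}
			}
		}
	}
	return found, nil
}

func main() { fmt.Println(FindEndPort([]byte(sampleList))) }
```

Each finding names the policy, the rule direction and index, and the port range, so the affected endpoints can be reviewed before and after the upgrade.
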
Cilium does not currently support port ranges in
network policies.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/add-endport-unsupported-error-when-endport-is-present branch from 7c5f4d6 to a69aee3 Compare November 1, 2023 03:57
@nathanjsweet
Member Author

/test

Member

@joestringer joestringer left a comment

I think this makes sense, it's hard for me to argue for something better for the short term and the existing stable releases. I know the support for this feature is making some progress soon so hopefully we won't need a better solution to communicating this problem in the end. 👍

@nathanjsweet nathanjsweet dismissed joamaki’s stale review November 2, 2023 20:45

comments addressed.

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 3, 2023
@joamaki joamaki merged commit d221e96 into main Nov 3, 2023
211 of 214 checks passed
@joamaki joamaki deleted the pr/nathanjsweet/add-endport-unsupported-error-when-endport-is-present branch November 3, 2023 06:26
@jibi jibi mentioned this pull request Nov 7, 2023
15 tasks
@jibi jibi added backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. and removed needs-backport/1.14 This PR / issue needs backporting to the v1.14 branch labels Nov 7, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot moved this from Needs backport from main to Backport pending to v1.14 in 1.14.4 Nov 7, 2023
@github-actions github-actions bot added backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. and removed backport-pending/1.14 The backport for Cilium 1.14.x for this PR is in progress. labels Nov 8, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed this from Backport pending to v1.14 in 1.14.4 Nov 8, 2023
Labels
backport-done/1.14 The backport for Cilium 1.14.x for this PR is done. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. upgrade-impact This PR has potential upgrade or downgrade impact.
4 participants