Support AWS Security Groups with security group rules ingress from another security group for Network Policies #30032
Comments
Interesting; can you explain this a bit more? (I like this idea; I sometimes think labels can be too finicky). Would it be something like

```yaml
kind: CiliumNetworkPolicy
spec:
  endpointSelector:
    matchLabels:
      env: dev
  ingress:
  - fromPolicy:
      name: "storage"
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "storage"
spec:
  endpointSelector:
    matchLabels:
      storage: "true"
```

I was thinking it would be something like this
Hey @franceschongg, to understand your request better, could you clarify what your expectation is from using CiliumNetworkPolicies to reference EC2 security group IDs? Do you want Cilium to auto-discover the pods that belong to a security group without needing to specify pod selectors? I am a bit confused because the mapping of pods -> security groups is handled via a custom resource (SecurityGroupPolicy) when using the Pod Security Group feature in EKS, and I am wondering why the CiliumNetworkPolicies cannot be used as-is.

I am also interested in this; my requirement would not be for pods but for things like load balancers and RDS, that I can associate an SG to and then allow that SG into the pod with Cilium.

What do you mean by this? Are you referring to a form of associating security groups to pods, or to allowing pods to accept traffic from AWS resources belonging to the security group?

Allowing pods to accept traffic from AWS resources associated with an SG. Probably by looking up ENIs, seeing which ones have the SG attached, and converting that into a list of CIDRs
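The lookup described in the comment above, written out as an added example (not code from the Cilium project or from anyone in this thread): it takes ENI records in the shape of `ec2 describe-network-interfaces` output, keeps the ones carrying a given security group, and renders their private IPs as `fromCIDR` entries in a CiliumNetworkPolicy. The ENI records and security group IDs are constructed sample data.

```python
"""Translate an AWS security group into Cilium fromCIDR rules.

Example written for this issue, not Cilium's own code. The ENI data below
is constructed in the shape of ec2 describe-network-interfaces output.
"""
import ipaddress

# Constructed sample: "sg-alb" is the load balancer's group, "sg-rds" the DB's.
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-aaa111", "PrivateIpAddress": "10.0.1.10",
     "Groups": [{"GroupId": "sg-alb"}, {"GroupId": "sg-shared"}]},
    {"NetworkInterfaceId": "eni-bbb222", "PrivateIpAddress": "10.0.1.11",
     "Groups": [{"GroupId": "sg-alb"}]},
    {"NetworkInterfaceId": "eni-ccc333", "PrivateIpAddress": "10.0.2.5",
     "Groups": [{"GroupId": "sg-rds"}]},
    {"NetworkInterfaceId": "eni-ddd444", "PrivateIpAddress": "10.0.1.10",
     "Groups": [{"GroupId": "sg-alb"}]},  # same IP twice (e.g. a stale record)
]


def cidrs_for_security_group(enis, sg_id):
    """Return sorted, de-duplicated /32 CIDRs of every ENI carrying sg_id."""
    ips = set()
    for eni in enis:
        if any(g["GroupId"] == sg_id for g in eni.get("Groups", [])):
            ips.add(ipaddress.ip_address(eni["PrivateIpAddress"]))
    return [f"{ip}/32" for ip in sorted(ips)]


def build_ingress_policy(name, selector, cidrs, port):
    """Render a CiliumNetworkPolicy allowing ingress from cidrs on one port."""
    if not cidrs:
        # An empty fromCIDR list allows nothing: fail loudly instead of
        # shipping a policy that silently drops all ingress to the selector.
        raise ValueError("no ENIs found for the security group")
    return {
        "apiVersion": "cilium.io/v2",
        "kind": "CiliumNetworkPolicy",
        "metadata": {"name": name},
        "spec": {
            "endpointSelector": {"matchLabels": selector},
            "ingress": [{
                "fromCIDR": cidrs,
                "toPorts": [{"ports": [{"port": str(port), "protocol": "TCP"}]}],
            }],
        },
    }


if __name__ == "__main__":
    import json
    alb = cidrs_for_security_group(SAMPLE_ENIS, "sg-alb")
    print(json.dumps(build_ingress_policy("allow-from-alb", {"app": "web"}, alb, 8080), indent=2))
```

The resulting CIDR list is a snapshot of the ENIs at lookup time, so it has to be regenerated whenever the resources behind the security group scale or are replaced.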
@franceschongg could you clarify what you mean by
Duplicates the structures in place to evaluate the toGroups resource into the ingress section, allowing the creation of FromGroups. This means AWS SG groups can be included as ingress resources and directly translated into fromCIDR rules. Fixes: cilium#30032 Signed-off-by: Alex Waring <ajmwaring@gmail.com>
I've created #30708 as a draft starting point for what I envisaged.

@shashankram Yep, that's correct. I'd like to define Cilium policies to allow ingress / egress from an AWS security group.
I've created #31768, which basically says:
I'm looking to convert pod security groups over to either Network Policies or Cilium Network Policies.
Currently, both those CRs will support CIDR ranges, but with AWS Security Groups, there's an ability to have a security group rule for ingress that references another security group. This is common when it's an ec2 security group allowing ingress from the alb security group.
The feature request I'd like is to support the case where a security group can have another security group as the ingress.
Is this something that could be supported? It doesn't have to be in the Network Policy, it could also be at the Cilium Network Policy.