
Support AWS Security Groups with security group rules ingress from another security group for Network Policies #30032

Closed
franceschongg opened this issue Dec 21, 2023 · 10 comments · Fixed by #30708
Labels
kind/community-report This was reported by a user in the Cilium community, eg via Slack. kind/enhancement This would improve or streamline existing functionality. kind/evaluate This needs consideration of the scope and impact of the change. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.

Comments

@franceschongg

I'm looking to convert pod security groups over to either Network Policies or Cilium Network Policies.

Currently, both those CRs will support CIDR ranges, but with AWS Security Groups, there's an ability to have a security group rule for ingress that references another security group. This is common when it's an ec2 security group allowing ingress from the alb security group.

The feature request I'd like is to support the case where a security group can have another security group as the ingress.

Is this something that could be supported? It doesn't have to be in the Network Policy, it could also be at the Cilium Network Policy.

@squeed
Contributor

squeed commented Jan 24, 2024

Interesting; can you explain this a bit more? (I like this idea; I sometimes think labels can be too finicky).

Would it be something like

kind: CiliumNetworkPolicy
spec:
  endpointSelector:
    matchLabels:
      env: dev
  ingress:
    - fromPolicy:
        name: "storage"
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "storage"
spec:
  endpointSelector:
    matchLabels:
      storage: "true"

@squeed squeed added kind/enhancement This would improve or streamline existing functionality. kind/evaluate This needs consideration of the scope and impact of the change. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. kind/community-report This was reported by a user in the Cilium community, eg via Slack. labels Jan 24, 2024
@franceschongg
Author

I was thinking it would be something like this

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l4-rule"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  ingress:
  - fromEndpoints:
    awsSecurityGroups:
      - yourAWSSecurityGroupID
    toPorts:
    - ports:
      - port: "80"
        protocol: TCP

@shashankram

Hey @franceschongg, to understand your request better, could you clarify what is your expectation from using CiliumNetworkPolicies to reference EC2 security group IDs? Do you want Cilium to auto-discover the pods that belong to a security group without needing to specify pod selectors? I am a bit confused because the mapping of pods -> security groups is handled via a custom resource (SecurityGroupPolicy) when using the Pod Security Group feature in EKS, and I am wondering why the CiliumNetworkPolicies cannot be used as-is.

@Alex-Waring
Contributor

I am also interested in this; my requirement would not be for pods but for things like load balancers and RDS, that I can associate an SG to and then allow that SG into the pod with cilium.

@shashankram

then allow that SG into the pod with cilium.

What do you mean by this? Are you referring to a form of associating security groups to pods or to allow pods to accept traffic from AWS resources belonging to the security group?

@Alex-Waring
Contributor

Allowing pods to accept traffic from AWS resources associated with an SG. Probably by looking up ENIs, seeing which ones have the SG attached, and converting that into a list of CIDRs.
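One way to do the lookup-and-translate step described above (added example, not Cilium's or the linked PR's code): the ENI records are constructed to mirror the shape of EC2 DescribeNetworkInterfaces output, and the function names and security-group IDs are assumptions.

```python
import ipaddress

# Constructed sample records shaped like EC2 DescribeNetworkInterfaces output
# (field names are the real API's; IDs and addresses are made up).
SAMPLE_ENIS = [
    {"NetworkInterfaceId": "eni-0aaa", "Groups": [{"GroupId": "sg-alb"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10"},
                            {"PrivateIpAddress": "10.0.1.11"}], "Ipv6Addresses": []},
    {"NetworkInterfaceId": "eni-0bbb",
     "Groups": [{"GroupId": "sg-alb"}, {"GroupId": "sg-other"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.2.20"}],
     "Ipv6Addresses": [{"Ipv6Address": "2001:db8::20"}]},
    {"NetworkInterfaceId": "eni-0ccc", "Groups": [{"GroupId": "sg-rds"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.3.30"}], "Ipv6Addresses": []},
    # second ENI in sg-alb reusing an address: the output must not list it twice
    {"NetworkInterfaceId": "eni-0ddd", "Groups": [{"GroupId": "sg-alb"}],
     "PrivateIpAddresses": [{"PrivateIpAddress": "10.0.1.10"}], "Ipv6Addresses": []},
]


def cidrs_for_security_group(enis, sg_id):
    """Host CIDRs (/32, /128) of every ENI that has sg_id attached, sorted and de-duplicated."""
    found = set()
    for eni in enis:
        if not any(g.get("GroupId") == sg_id for g in eni.get("Groups", [])):
            continue
        for entry in eni.get("PrivateIpAddresses", []):
            found.add(ipaddress.ip_network(entry["PrivateIpAddress"]))
        for entry in eni.get("Ipv6Addresses", []):
            found.add(ipaddress.ip_network(entry["Ipv6Address"]))
    # key on (version, network): ip_network objects of different IP versions do not compare
    return [str(n) for n in sorted(found, key=lambda n: (n.version, n))]


def security_group_ingress_rule(enis, sg_id, port, protocol="TCP"):
    """Express 'allow ingress from sg_id' with the fromCIDR field CiliumNetworkPolicy already has."""
    cidrs = cidrs_for_security_group(enis, sg_id)
    if not cidrs:
        # Never emit a rule with no sources: an ingress rule without any from*
        # selector restricts only L4, which is far wider than the SG intended.
        raise ValueError(f"no ENI carries {sg_id}; refusing to emit an unrestricted rule")
    return {"fromCIDR": cidrs,
            "toPorts": [{"ports": [{"port": str(port), "protocol": protocol}]}]}


def cilium_policy_from_sg(name, endpoint_labels, enis, sg_id, port, protocol="TCP"):
    """Full CiliumNetworkPolicy document for the pods matching endpoint_labels."""
    return {"apiVersion": "cilium.io/v2", "kind": "CiliumNetworkPolicy",
            "metadata": {"name": name},
            "spec": {"endpointSelector": {"matchLabels": endpoint_labels},
                     "ingress": [security_group_ingress_rule(enis, sg_id, port, protocol)]}}
```

The CIDR list is a snapshot: SG membership changes as ENIs come and go, so the lookup has to be re-run and the policy re-applied, which is the advantage of doing the translation inside the agent rather than in a one-off script.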

@shashankram

@franceschongg could you clarify what you mean by "The feature request I'd like is to support the case where a security group can have another security group as the ingress." Do you just want to define Cilium policies to allow ingress from a security group or something more?

Alex-Waring added a commit to Alex-Waring/cilium that referenced this issue Feb 12, 2024
Duplicates the structures in place to evaluate the toGroups resource into the ingress
section, allowing the creation of FromGroups. This means AWS SG groups can be
included as ingress resources and directly translated into fromCIDR rules.

Fixes: cilium#30032
Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@Alex-Waring
Contributor

I've created #30708 as a draft starting point as what I envisaged.

@franceschongg
Author

@shashankram Yep - that's correct. I'd like to define Cilium policies to allow ingress / egress from an AWS security group.

github-merge-queue bot pushed a commit that referenced this issue Mar 12, 2024
Duplicates the structures in place to evaluate the toGroups resource into the ingress
section, allowing the creation of FromGroups. This means AWS SG groups can be
included as ingress resources and directly translated into fromCIDR rules.

Fixes: #30032
Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@JonasKs

JonasKs commented Apr 4, 2024

I'd like to define Cilium policies to allow ingress / egress from a AWS security group

I've created #31768, which basically says:

I'd like to define Cilium policies to allow ingress / egress from an external system
