Add policy support for named ports #11092
Conversation
jrajahalme
added
pending-review
sig/k8s
|
test-me-please |
|
Coverage decreased (-0.05%) to 44.462% when pulling b149e9b170f7801c0dec325a3fae7789fb0f1dc4 on pr/jrajahalme/named-ports into 0b203d4 on master. |
aanm
added
the
dont-merge/needs-rebase
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
2864669
to
0f45c77
Compare
|
test-me-please |
| // uint16 or port name string regex | ||
| Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` + | ||
| `[1-5][0-9]{4}|[0-9]{1,4})$`, | ||
| `[1-5][0-9]{4}|[0-9]{1,4}|` + | ||
| `([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*)$`, |
There was a problem hiding this comment.
This requires a bump in the version set in CustomResourceDefinitionSchemaVersion
There was a problem hiding this comment.
Both places? (pkg/k8s/apis/cilium.io/v2/client/register.go and pkg/k8s/apis/cilium.io/v2/register.go)?
There was a problem hiding this comment.
Actually, it looks like one in pkg/k8s/apis/cilium.io/v2/register.go is not used for anything anymore.
pkg/endpoint/endpoint.go
Outdated
| continue // skip unnamed ports | ||
| } | ||
| if !api.IsNamedPort(cp.Name) { | ||
| log.WithField(logfields.PortName, cp.Name).Warning("ContainerPort: Invalid port name, not using as a named port") |
There was a problem hiding this comment.
How can the user visualize this error better? Thinking on this better, this should never happened has the validation is done in k8s side.
There was a problem hiding this comment.
Right, this is likely not needed, but still wanted to have logging if this happens.
pkg/endpoint/endpoint.go
Outdated
| log.WithField(logfields.PortName, cp.Name).Warning("ContainerPort: Invalid port name, not using as a named port") | ||
| continue | ||
| } | ||
| name := strings.ToLower(cp.Name) |
There was a problem hiding this comment.
I assume named ports are case insensitive?
There was a problem hiding this comment.
Yes. They are defined as IANA_SVC_NAME, which is defined as case insensitive in
https://tools.ietf.org/rfc/rfc6335.txt
pkg/u8proto/u8proto.go
Outdated
| @@ -41,6 +41,7 @@ var protoNames = map[U8proto]string{ | |||
| } | |||
|
|
|||
| var ProtoIDs = map[string]U8proto{ | |||
| "": 0, | |||
There was a problem hiding this comment.
Not sure any more... To map a missing proto name to ANY, but then in K8s ContainerPort's Protocol defaults to "TCP". I'll check if this is still needed & verify the default behavior.
There was a problem hiding this comment.
It seems my assumption was that ContainerPort could have ANY protocol, but that is not the case, even though this PR would allow it. Our policy rules allow ANY protocol, which we internally treat as both UDP and TCP and generate two rules (one for each). One of them gets pruned away when the port name is resolved.
It might be better if I make this implementation less permissive and only allow one protocol, missing defaulting to TCP?
There was a problem hiding this comment.
Changed empty proto string to default to TCP, but kept the internal processing that allows "ANY".
| // NamedPorts is the set of named ports for the pod | ||
| NamedPorts policy.NamedPortsMap |
There was a problem hiding this comment.
I would be extremely careful with this. Adding this field removes the ability to compare 2 variables created from this structure type with the == operator.
There was a problem hiding this comment.
It has an Equal method already, I did expand it. Could also consider making NamedPorts a separate member/argument, although port names are semantically "k8s metadata".
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
0f45c77
to
fb11564
Compare
|
test-me-please |
pkg/endpoint/endpoint.go
Outdated
| log.WithField(logfields.Port, cp.ContainerPort).Warning("ContainerPort: Port number out of 16-bit range") | ||
| continue | ||
| } | ||
| k8sPorts[name] = policy.NamedPort{ |
There was a problem hiding this comment.
This is for the Endpoint, so these come from the POD spec, and I'd expect K8s to not allow duplicate names in the POD spec?
There was a problem hiding this comment.
Not sure. I would warn so we at least know.
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
fb11564
to
d6857cf
Compare
|
test-me-please |
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
d6857cf
to
62e9fde
Compare
|
test-me-please |
|
Fixed unit test breakage, Ginkgo passed except for one unrelated test that depended on external connectivity to 1.1.1.1, most likely a flake. |
|
test-gke |
|
@aanm Rebase is needed so I'm setting up for one more round for clean-ups. Now would be a good time for comments, if you have any now that I have addressed your requested changes :-) |
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
a7a26ad
to
b149e9b
Compare
|
Rebased, testing again. |
|
never-tell-me-the-odds |
|
VirtualBox fail with kernel-4.19 CI, retesting |
|
test-with-kernel |
Signed-off-by: André Martins <andre@cilium.io>
Init Containers should also be part of our Pod spec since the network namespace is shared for those containers as well otherwise we won't be able to enforce hostport or any other features in init containers Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Store the set of named ContainerPorts in Endpoint. The ports are immutable after Endpoint has been created. Signed-off-by: Andre Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
When using named ports that map to an already existing port number in the policy we need to fold the rules together as otherwise Envoy will NACK them due to the duplicate port number. We probably should also detect mismatching L7 parsers here? Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Add named ports to endpoint status. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
jrajahalme
force-pushed
the
pr/jrajahalme/named-ports
branch
from
b149e9b
to
ddd88e4
Compare
|
never-tell-me-the-odds |
Add support for container port names in policy ports. With this change, in addition to using a L4 port number (like "80") in the network policy (K8s Network Policy or Cilium Network Policy), the port number can be expressed as a name specified in any one of the POD specs in the cluster. If the port name is not specified in any container spec, the traffic specified in the network policy rule can't be allowed, but will be allowed as soon as a container with a matching port name is added.
Port names are stored from a POD spec on the node in which the POD is deployed, from where then name/port mappings are distributed to other nodes via CEP CRDs.