Add policy support for named ports #11092
Conversation
test-me-please
Coverage decreased (-0.05%) to 44.462% when pulling b149e9b170f7801c0dec325a3fae7789fb0f1dc4 on pr/jrajahalme/named-ports into 0b203d4 on master.
2864669 to 0f45c77
test-me-please
I didn't finish my review but I'm leaving some comments for now
// uint16 or port name string regex | ||
Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` + | ||
`[1-5][0-9]{4}|[0-9]{1,4})$`, | ||
`[1-5][0-9]{4}|[0-9]{1,4}|` + | ||
`([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*)$`, |
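Review bot: the name alternative `([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*` carries no upper length bound, while RFC 6335 (the IANA_SVC_NAME definition cited further down in this thread) limits service names to 15 characters, so the CRD schema will accept policy port names that no pod spec can ever declare. A Go regexp cannot combine this structural pattern with a length cap, so either add a separate maximum-length constraint next to the pattern or state in the comment that the bound is only enforced on the pod side. Minor, and pre-existing: the numeric alternative `[0-9]{1,4}` still admits "0" and zero-padded values such as "0080".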
This requires a bump in the version set in CustomResourceDefinitionSchemaVersion
Will do.
Both places? (pkg/k8s/apis/cilium.io/v2/client/register.go and pkg/k8s/apis/cilium.io/v2/register.go)?
Actually, it looks like the one in pkg/k8s/apis/cilium.io/v2/register.go is not used for anything anymore.
pkg/endpoint/endpoint.go
continue // skip unnamed ports | ||
} | ||
if !api.IsNamedPort(cp.Name) { | ||
log.WithField(logfields.PortName, cp.Name).Warning("ContainerPort: Invalid port name, not using as a named port") |
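Review bot: the warning emitted when `api.IsNamedPort(cp.Name)` fails carries only `logfields.PortName`, so an operator who does see it cannot tell which pod or container declared the offending port. Add the endpoint or pod identity and the container name to the log fields before the `continue`, so the message is actionable even if, as discussed below, K8s-side validation should make this branch unreachable.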
How can the user visualize this error better? Thinking about this more, this should never happen, as the validation is done on the k8s side.
Right, this is likely not needed, but still wanted to have logging if this happens.
pkg/endpoint/endpoint.go
log.WithField(logfields.PortName, cp.Name).Warning("ContainerPort: Invalid port name, not using as a named port") | ||
continue | ||
} | ||
name := strings.ToLower(cp.Name) |
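Review bot: keying the map by `strings.ToLower(cp.Name)` is the right canonical form given that IANA_SVC_NAME is case-insensitive, but it only works if the policy-side lookup lowercases the name taken from the rule in the same way; otherwise a rule that says `HTTP` will never find a container port declared as `http`. A unit test with mixed-case names on both the pod and the policy side would pin this down.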
I assume named ports are case insensitive?
Yes. They are defined as IANA_SVC_NAME, which is defined as case insensitive in https://tools.ietf.org/rfc/rfc6335.txt
pkg/u8proto/u8proto.go
@@ -41,6 +41,7 @@ var protoNames = map[U8proto]string{ | |||
} | |||
|
|||
var ProtoIDs = map[string]U8proto{ | |||
"": 0, |
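Review bot: mapping the empty string to protocol 0 in `ProtoIDs` turns an absent protocol into ANY, which is the opposite of what K8s does for ContainerPort, where Protocol defaults to TCP. A named port declared without a protocol would then satisfy both TCP and UDP rules. Default the empty string to TCP, here or at the caller, rather than to ANY.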
Why this change?
Not sure any more... To map a missing proto name to ANY, but then in K8s ContainerPort's Protocol defaults to "TCP". I'll check if this is still needed & verify the default behavior.
It seems my assumption was that ContainerPort could have ANY protocol, but that is not the case, even though this PR would allow it. Our policy rules allow ANY protocol, which we internally treat as both UDP and TCP and generate two rules (one for each). One of them gets pruned away when the port name is resolved.
It might be better if I make this implementation less permissive and only allow one protocol, missing defaulting to TCP?
Changed empty proto string to default to TCP, but kept the internal processing that allows "ANY".
// NamedPorts is the set of named ports for the pod | ||
NamedPorts policy.NamedPortsMap |
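Review bot: adding the map field `NamedPorts policy.NamedPortsMap` makes the enclosing struct non-comparable, so any existing `a == b` on this type stops compiling and any `Equal` method on it must be extended to compare the map contents. The doc comment should also say that the set is immutable once the endpoint is created (as the commit message states) and that keys are the lower-cased port names, otherwise callers will assume they may mutate it or look up names verbatim.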
I would be extremely careful with this. Adding this field removes the ability to compare 2 variables created from this structure type with the == operator.
It has an Equal method already, I did expand it. Could also consider making NamedPorts a separate member/argument, although port names are semantically "k8s metadata".
0f45c77 to fb11564
test-me-please
pkg/endpoint/endpoint.go
log.WithField(logfields.Port, cp.ContainerPort).Warning("ContainerPort: Port number out of 16-bit range") | ||
continue | ||
} | ||
k8sPorts[name] = policy.NamedPort{ |
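Review bot: the assignment `k8sPorts[name] = policy.NamedPort{` silently overwrites an earlier entry when two container ports share a name after lowercasing, so a pod declaring both `Http` and `http` keeps whichever comes last with no trace. Check `if _, dup := k8sPorts[name]; dup` before the assignment and log a warning with both port numbers; it is not established here that K8s rejects duplicate names across the containers of one pod.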
Should we warn on duplicates?
This is for the Endpoint, so these come from the POD spec, and I'd expect K8s to not allow duplicate names in the POD spec?
Not sure. I would warn so we at least know.
fb11564 to d6857cf
test-me-please
d6857cf to 62e9fde
test-me-please
Fixed unit test breakage, Ginkgo passed except for one unrelated test that depended on external connectivity to 1.1.1.1, most likely a flake.
test-gke
@aanm Rebase is needed so I'm setting up for one more round for clean-ups. Now would be a good time for comments, if you have any now that I have addressed your requested changes :-)
a7a26ad to b149e9b
Rebased, testing again.
never-tell-me-the-odds
VirtualBox fail with kernel-4.19 CI, retesting
test-with-kernel
Signed-off-by: André Martins <andre@cilium.io>
Init Containers should also be part of our Pod spec since the network namespace is shared for those containers as well; otherwise we won't be able to enforce hostport or any other features in init containers. Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Store the set of named ContainerPorts in Endpoint. The ports are immutable after Endpoint has been created. Signed-off-by: Andre Martins <andre@cilium.io> Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
When using named ports that map to an already existing port number in the policy we need to fold the rules together as otherwise Envoy will NACK them due to the duplicate port number. We probably should also detect mismatching L7 parsers here? Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Add named ports to endpoint status. Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Jarno Rajahalme <jarno@covalent.io>
b149e9b to ddd88e4
never-tell-me-the-odds
Add support for container port names in policy ports. With this change, in addition to using an L4 port number (like "80") in the network policy (K8s Network Policy or Cilium Network Policy), the port number can be expressed as a name specified in any one of the POD specs in the cluster. If the port name is not specified in any container spec, the traffic specified in the network policy rule can't be allowed, but will be allowed as soon as a container with a matching port name is added.
Port names are stored from a POD spec on the node in which the POD is deployed, from where the name/port mappings are distributed to other nodes via CEP CRDs.
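The scheme described in this PR, as an added end-to-end example written for this page (it is not Cilium's code and does not use Cilium's types): validation of IANA_SVC_NAME port names using the name alternative of the regex reviewed above plus the 15-character bound from RFC 6335; collection of a pod's named ports with lower-casing, TCP defaulting and the duplicate check raised in review; and resolution of policy ports against that map, folding a name that resolves to a number already listed into a single entry (the duplicate-port concern in the commit message) and reporting names that no container declares as unresolved. `ContainerPort`, `PolicyPort`, `L4Key`, `BuildNamedPorts` and `ResolvePorts` are simplified stand-ins invented for the example; the sample ports in the usage are constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Name alternative of the PR's schema regex; the RFC 6335 15-char cap is checked in IsNamedPort.
var ianaSvcName = regexp.MustCompile(`^([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$`)

// IsNamedPort reports whether s is a syntactically valid IANA_SVC_NAME.
func IsNamedPort(s string) bool {
	return len(s) >= 1 && len(s) <= 15 && ianaSvcName.MatchString(s)
}

// NamedPort is the number/protocol a container port name resolves to.
type NamedPort struct {
	Port  uint16
	Proto string // "TCP" or "UDP"
}

// NamedPortsMap is keyed by the lower-cased name (RFC 6335 names are case-insensitive).
type NamedPortsMap map[string]NamedPort

// ContainerPort is a constructed stand-in for the K8s ContainerPort fields used here.
type ContainerPort struct {
	Name          string
	ContainerPort int32
	Protocol      string // "" defaults to TCP, as K8s does
}

// BuildNamedPorts collects a pod's named ports. Invalid names, out-of-range numbers and
// duplicates are reported as warnings; a duplicate overwrites the earlier entry.
func BuildNamedPorts(cps []ContainerPort) (NamedPortsMap, []string) {
	m := NamedPortsMap{}
	var warnings []string
	for _, cp := range cps {
		if cp.Name == "" {
			continue // unnamed port, nothing to map
		}
		if !IsNamedPort(cp.Name) {
			warnings = append(warnings, fmt.Sprintf("invalid port name %q", cp.Name))
			continue
		}
		if cp.ContainerPort < 1 || cp.ContainerPort > 65535 {
			warnings = append(warnings, fmt.Sprintf("port %d out of range", cp.ContainerPort))
			continue
		}
		name, proto := strings.ToLower(cp.Name), strings.ToUpper(cp.Protocol)
		if proto == "" {
			proto = "TCP"
		}
		if prev, dup := m[name]; dup {
			warnings = append(warnings, fmt.Sprintf("duplicate named port %q: %d/%s replaced by %d/%s",
				name, prev.Port, prev.Proto, cp.ContainerPort, proto))
		}
		m[name] = NamedPort{Port: uint16(cp.ContainerPort), Proto: proto}
	}
	return m, warnings
}

// PolicyPort is one port entry of a rule: a number or a name, with an optional
// protocol ("" means ANY, i.e. both TCP and UDP). L4Key is what a datapath rule is keyed on.
type PolicyPort struct{ Port, Proto string }
type L4Key struct {
	Port  uint16
	Proto string
}

// ResolvePorts expands rule ports into L4 keys via the endpoint's named ports. Entries
// landing on the same key are folded (their sources are kept), which is what avoids
// duplicate port entries downstream. Names with no mapping, or whose mapped protocol
// contradicts the rule's, come back unresolved: nothing can be allowed for them yet.
func ResolvePorts(rules []PolicyPort, named NamedPortsMap) (map[L4Key][]string, []string) {
	resolved := map[L4Key][]string{}
	var unresolved []string
	for _, r := range rules {
		proto := strings.ToUpper(r.Proto)
		if n, err := strconv.ParseUint(r.Port, 10, 16); err == nil && n > 0 {
			protos := []string{proto}
			if proto == "" {
				protos = []string{"TCP", "UDP"} // ANY becomes one rule per protocol
			}
			for _, p := range protos {
				k := L4Key{Port: uint16(n), Proto: p}
				resolved[k] = append(resolved[k], r.Port)
			}
			continue
		}
		np, ok := named[strings.ToLower(r.Port)]
		if !ok || (proto != "" && proto != np.Proto) {
			unresolved = append(unresolved, r.Port)
			continue
		}
		k := L4Key{Port: np.Port, Proto: np.Proto} // ANY collapses to the declared protocol
		resolved[k] = append(resolved[k], r.Port)
	}
	return resolved, unresolved
}
```

With a constructed pod declaring `HTTP`/80 and `dns`/53/UDP, a rule listing both `80/TCP` and `http` yields a single `{80 TCP}` key with two sources, `dns` with protocol ANY is pruned to UDP only, and a rule naming `metrics` stays unresolved until some container declares that name, which is the "can't be allowed until a matching port appears" behaviour the description gives.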