New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
k8s: Fix CCNP for host policies #11638
Conversation
test-me-please |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Non-blocking comments, feel free to implement or ignore.
@pchaigno it seems the PR failed in the privileged tests. Is this a new failure? |
a59f0ba
to
be6baf9
Compare
be6baf9
to
437b696
Compare
test-me-please |
test-focus K8sFQDNTest Validate that multiple specs are working correctly |
Among the required builds, only
I've seen other failures with |
|
@nebril It looks like |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Doesn't require a 2nd review from my side but things that are missing:
- Needs an increment of
cilium/pkg/k8s/apis/cilium.io/v2/client/register.go
Lines 55 to 57 in f9c205d
// CustomResourceDefinitionSchemaVersion is semver-conformant version of CRD schema // Used to determine if CRD needs to be updated in cluster CustomResourceDefinitionSchemaVersion = "1.19" - I was able to deploy this invalid policy:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
description: "Allow ports for kube-dns, kube-api, Cilium, and SSH, as well as queries to Google's DNS on UDP/53 only"
metadata:
name: "allow-google-dns-on-udp-53-only-2"
spec:
endpointSelector:
matchLabels:
{}
nodeSelector:
matchLabels:
{}
ingress:
- toPorts:
- ports:
- port: "6443"
protocol: TCP
- port: "22"
protocol: TCP
egress:
- toPorts:
- ports:
- port: "4240"
protocol: TCP
- port: "8080"
protocol: TCP
- toCIDR:
- "8.8.0.0/16"
toPorts:
- ports:
- port: "53"
protocol: UDP
- needs to be addressed
- can be done as a follow up as I suspect this is an existing bug (and not related with this new schema) cc @christarazi FYI this might be related with the fact that the schema contains all field properties in its root and/or the fact that we are allowing unknown fields (which should not be supported in a v1 CRD but can be on v1beta1)
This commit fixes the CCNP parsing to accept NodeSelectors, used to define host policies. NodeSelectors are only accepted in CCNP resources. Because host policies are never limited to a namespace, it would be misleading to accept NodeSelectors in CNP resources. This commit also adds a new CCNP example of host policies in the same directory as the existing JSON example. Fixes: f9c205d ("pkg/policy: Host network policies") Signed-off-by: Paul Chaignon <paul@cilium.io>
437b696
to
0b5ff4f
Compare
|
Unknown fields are allowed as long as In v1 CRDs, @aanm What about your example is invalid? |
@christarazi |
I see. I believe the only way to prevent this or to throw a validation error, is to either:
Correct me if I'm wrong @aanm. |
retest-4.19 |
retest-gke |
net-next build failed with https://jenkins.cilium.io/job/Cilium-PR-K8s-oldest-net-next/431/testReport/Suite-k8s-1/11/K8sPolicyTest_Basic_Test_Validate_to_entities_policies_Validate_toEntities_All/. According to CI dashboard, we've hit this in master before (cf. https://jenkins.cilium.io/job/Ginkgo-CI-Tests-k8s1.18-Pipeline/434/testReport/Suite-k8s-1/18/K8sPolicyTest_Basic_Test_Validate_to_entities_policies_Validate_toEntities_All/); probably just a connectivity blip. test-focus K8sPolicyTest Basic Test Validate to-entities policies Validate toEntities All It passed in |
@aanm said:
and the version has been bumped. Marking as ready to merge. |
@christarazi It's probably better if we do this after 1.8 at the risk of breaking things |
This commit fixes the CNP/CCNP parsing to accept
NodeSelectors
, used to define host policies.NodeSelectors
are only accepted in CCNP resources. Because host policies are never limited to a namespace, it would be misleading to acceptNodeSelectors
in CNP resources.This commit also adds a new CCNP example of host policies in the same directory as the existing JSON example.
Fixes: #11507