k8s: Fix CCNP for host policies #11638
Conversation
pchaigno
added
sig/k8s
|
test-me-please |
|
@pchaigno it seems the PR failed in the privileged tests. Is this a new failure? |
pchaigno
force-pushed
the
pr/pchaigno/fix-host-policies-ccnp
branch
from
a59f0ba
to
be6baf9
Compare
pchaigno
force-pushed
the
pr/pchaigno/fix-host-policies-ccnp
branch
from
be6baf9
to
437b696
Compare
|
test-me-please |
|
test-focus K8sFQDNTest Validate that multiple specs are working correctly |
|
Among the required builds, only I've seen other failures with |
|
|
|
@nebril It looks like |
There was a problem hiding this comment.
Doesn't require a 2nd review from my side but things that are missing:
- Needs an increment of
cilium/pkg/k8s/apis/cilium.io/v2/client/register.go
Lines 55 to 57 in f9c205d
- I was able to deploy this invalid policy:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
description: "Allow ports for kube-dns, kube-api, Cilium, and SSH, as well as queries to Google's DNS on UDP/53 only"
metadata:
name: "allow-google-dns-on-udp-53-only-2"
spec:
endpointSelector:
matchLabels:
{}
nodeSelector:
matchLabels:
{}
ingress:
- toPorts:
- ports:
- port: "6443"
protocol: TCP
- port: "22"
protocol: TCP
egress:
- toPorts:
- ports:
- port: "4240"
protocol: TCP
- port: "8080"
protocol: TCP
- toCIDR:
- "8.8.0.0/16"
toPorts:
- ports:
- port: "53"
protocol: UDP
- needs to be addressed
- can be done as a follow up as I suspect this is an existing bug (and not related with this new schema) cc @christarazi FYI this might be related with the fact that the schema contains all field properties in its root and/or the fact that we are allowing unknown fields (which should not be supported in a v1 CRD but can be on v1beta1)
This commit fixes the CCNP parsing to accept NodeSelectors, used to define host policies. NodeSelectors are only accepted in CCNP resources. Because host policies are never limited to a namespace, it would be misleading to accept NodeSelectors in CNP resources. This commit also adds a new CCNP example of host policies in the same directory as the existing JSON example. Fixes: f9c205d ("pkg/policy: Host network policies") Signed-off-by: Paul Chaignon <paul@cilium.io>
pchaigno
force-pushed
the
pr/pchaigno/fix-host-policies-ccnp
branch
from
437b696
to
0b5ff4f
Compare
|
Unknown fields are allowed as long as In v1 CRDs, @aanm What about your example is invalid? |
@christarazi |
I see. I believe the only way to prevent this or to throw a validation error, is to either:
Correct me if I'm wrong @aanm. |
|
retest-4.19 |
|
retest-gke |
|
net-next build failed with https://jenkins.cilium.io/job/Cilium-PR-K8s-oldest-net-next/431/testReport/Suite-k8s-1/11/K8sPolicyTest_Basic_Test_Validate_to_entities_policies_Validate_toEntities_All/. According to CI dashboard, we've hit this in master before (cf. https://jenkins.cilium.io/job/Ginkgo-CI-Tests-k8s1.18-Pipeline/434/testReport/Suite-k8s-1/18/K8sPolicyTest_Basic_Test_Validate_to_entities_policies_Validate_toEntities_All/); probably just a connectivity blip. test-focus K8sPolicyTest Basic Test Validate to-entities policies Validate toEntities All It passed in |
|
@aanm said:
and the version has been bumped. Marking as ready to merge. |
pchaigno
added
the
ready-to-merge
@christarazi It's probably better if we do this after 1.8 at the risk of breaking things |
pchaigno
added
the
area/host-firewall
This commit fixes the CNP/CCNP parsing to accept
NodeSelectors, used to define host policies.NodeSelectorsare only accepted in CCNP resources. Because host policies are never limited to a namespace, it would be misleading to acceptNodeSelectorsin CNP resources.This commit also adds a new CCNP example of host policies in the same directory as the existing JSON example.
Fixes: #11507