New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix endpoint selection for wildcard to/fromEndpoint in CCNP #12890
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was expecting this change to be made in the same (or similar) place where we inject the namespace selector for CNP EndpointSelector
s, but I don't see that logic here so it's hard to compare against that logic. Were you aware of that other code? Wondering if there's a functional tradeoff from having it here vs. wherever the namespace selector CNP injection logic is.
Hey Joe!
The policy user gets using
This was the reason in the PR, changes were pushed down for a policy update when we resolve the policy for the endpoints rather than injecting it earlier during a parse. On digging a bit deeper into how this(the current changes) might affect a user we figured that this implementation might also not be correct because we are adding semantics of K8s to a policy that might not even be related to k8s, because at this point we are resolving a general policy rule. So consider a case where user imports the below policy using
Even though the policy does not contain any reference to k8s it will still only allow traffic from cilium managed k8s endpoints. So in a non-K8s environment this is essentially blocking all the traffic. Now if we were to go back to doing this injection where we do namespace injection for CNP, we will also have the same issue we are trying to solve here for CCNP for all the policies imported via We are still discussing on slack what would be the best way to achieve this. I will mark the Pull Request draft for now. |
I think this is an acceptable trade-off. In Kubernetes mode with CNP, we inject the namespace which means that If there are users who actively care about this kind of case with non-k8s mode, I would encourage them to look into this topic themselves and come up with a proposal to modify the semantics of |
Yeah, that seems like a reasonable trade-off to me as well. So just to be clear we will the do namespace injection in @jrajahalme @aanm what do you think about this? We will still have the issue we were trying to address earlier, where we change the semantics of CCNP when doing parse. |
* This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
48f899f
to
7999dd1
Compare
Pushed the updated fix. After this patch, a CCNP created with the below configuration
Will end in the policy repository like this
eventually ending up to allow Ingress from all the endpoints having a namespace label(CIlium managed k8s endpoints), something similar to below output.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me, just one minor nit.
* This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
7999dd1
to
2888874
Compare
test-me-please |
ad2047c
to
504f815
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM; just one question below.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Just one minor nit below.
504f815
to
48cd098
Compare
test-me-please |
* This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
48cd098
to
e5d58cd
Compare
test-me-please |
* This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 905b8d4 ] * This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 905b8d4 ] * This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 905b8d4 ] * This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
[ upstream commit 905b8d4 ] * This commit fixes an issue in endpoint selection when we provide wildcard for to/fromEndpoint in CCNP. When a wildcard is provided in CCNP fromEndpoint selector we end up with a truly empty endpoint selector. This results in allowing all traffic. The commit restricts this to only include endpoints that are managed by cilium by checking the presence of namespace label in endpoint. * For a more detailed explaination of the approach and the issue take a look at discussion following this github comment - #12890 (comment) Signed-off-by: Deepesh Pathak <deepshpathak@gmail.com>
See individual commits for more details.
Example of preflight warning.