Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pkg/k8s: handle nil PodSelector and NamespaceSelector within ingress rules #2699

Merged
merged 3 commits into from
Feb 5, 2018
Merged

pkg/k8s: handle nil PodSelector and NamespaceSelector within ingress rules #2699

merged 3 commits into from
Feb 5, 2018

Conversation

ianvernon
Copy link
Member

@ianvernon ianvernon commented Feb 2, 2018
edited

Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional.
Gracefully handle when these objects are nil when we are parsing NetworkPolicy.

Signed-off by: Ian Vernon ian@cilium.io

Fixes: #2698

Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional.
Gracefully handle when these objects are nil when we are parsing NetworkPolicy.

How to test:

  1. Start up the Kubernetes developer VM:
    K8S=1 ./contrib/vagrant/start.sh
  2. Import the following NetworkPolicy:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: andre-example-policy
  namespace: default
spec:
  podSelector:
    matchLabels:
      id: app1
  policyTypes:
  - Ingress
  ingress:
  - from:
    - ipBlock:
        cidr: 172.17.0.0/16
        except:
        - 172.17.1.0/24

kubectl create -f <policy file>
3. Cilium doesn't crash and the policy is present in cilium policy get

[
  {
    "endpointSelector": {
      "matchLabels": {
        "k8s:id": "app1",
        "k8s:io.kubernetes.pod.namespace": "default"
      }
    },
    "ingress": [
      {
        "fromCIDRSet": [
          {
            "cidr": "172.17.0.0/16",
            "except": [
              "172.17.1.0/24"
            ]
          }
        ]
      }
    ],
    "labels": [
      {
        "key": "io.cilium.k8s-policy-name",
        "value": "andre-example-policy",
        "source": "unspec"
      },
      {
        "key": "io.cilium.k8s-policy-namespace",
        "value": "default",
        "source": "unspec"
      }
    ]
  }
]
Revision: 12

@ianvernon ianvernon added stable/needs-backport priority/high This is considered vital to an upcoming release. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Feb 2, 2018
@ianvernon ianvernon requested a review from a team February 2, 2018 00:45
@ianvernon
Copy link
Member Author

test-me-please

tgraf
tgraf requested changes Feb 2, 2018
View reviewed changes
pkg/k8s/network_policy.go Outdated
endpointSelector := parseNetworkPolicyPeer(namespace, &rule)

// Case where no label-based selectors were in rule.
if endpointSelector != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a debug message that we are skipping to import a rule here

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll add a log saying that the rule has no PodSelector / NamespaceSelector in ParseNetworkPolicyPeer. We aren't skipping to import a rule because the rule could also have IPBlock restrictions in it which are parsed following this line. Is that OK?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, the comment is incorrect, I'll move it accordingly as well.

aanm
aanm requested changes Feb 2, 2018
View reviewed changes
pkg/k8s/network_policy_test.go Outdated

rules, err := ParseNetworkPolicy(&np)
c.Assert(err, IsNil)
c.Assert(rules, NotNil)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Create a golang struct with your expectations of what will be the result of ParseNetworkPolicy and assert for deep equalness between your expectations and the result of ParseNetworkPolicy

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

nebril
nebril approved these changes Feb 2, 2018
View reviewed changes
pkg/k8s/network_policy_test.go

// Ingress with neither pod nor namespace selector set.
ex1 := []byte(`{
"kind": "NetworkPolicy",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Minor nitpick - since it's json you can indent this string, but it's nothing of great importance.

@ianvernon ianvernon changed the title pkg/k8s: handle nil PodSelector and NamespaceSelector pkg/k8s: handle nil PodSelector and NamespaceSelector within ingress rules Feb 2, 2018
@ianvernon ianvernon force-pushed the 2698-allow-nil-selector-networkpolicy branch from 68d39cb to d3a99ca Compare February 2, 2018 18:35
@ianvernon
Copy link
Member Author

test-me-please

1 similar comment
@ianvernon
Copy link
Member Author

test-me-please

@ianvernon ianvernon force-pushed the 2698-allow-nil-selector-networkpolicy branch from d3a99ca to 6b563f8 Compare February 2, 2018 22:57
@ianvernon
Copy link
Member Author

test-me-please

@ianvernon ianvernon requested review from tgraf and aanm February 2, 2018 22:57
aanm
aanm requested changes Feb 3, 2018
View reviewed changes
pkg/k8s/network_policy_test.go Outdated
}

rules, err := ParseNetworkPolicy(&np)
fmt.Printf("parsedRule: %v", rules[0])
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leftovers fmt.Printfs

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed.

@ianvernon ianvernon force-pushed the 2698-allow-nil-selector-networkpolicy branch from 6b563f8 to bfcf076 Compare February 3, 2018 03:54
@ianvernon
Copy link
Member Author

test-me-please

@ianvernon ianvernon requested a review from aanm February 3, 2018 03:55
@aanm
Copy link
Member

aanm commented Feb 5, 2018

test-me-please

Ian Vernon added 3 commits February 5, 2018 09:10
pkg/k8s: handle nil PodSelector and NamespaceSelector
2fdc134 
Kubernetes NetworkPolicyPeer allows for PodSelector and NamespaceSelector fields to be optional.
Gracefully handle when these objects are nil when we are parsing NetworkPolicy.

Signed-off by: Ian Vernon <ian@cilium.io>
pkg/k8s: log when NetworkPolicy does not have Pod / Namespace Selector
f33d09b 
Signed-off by: Ian Vernon <ian@cilium.io>
pkg/k8s: add DeepEquals check in TestParseNetworkPolicyNoSelectors
4d28106 
Signed-off by: Ian Vernon <ian@cilium.io>
@ianvernon ianvernon force-pushed the 2698-allow-nil-selector-networkpolicy branch from bfcf076 to 4d28106 Compare February 5, 2018 17:11
@ianvernon
Copy link
Member Author

test-me-please

@ianvernon
Copy link
Member Author

test-me-please

@ianvernon
Copy link
Member Author

Keep hitting issues that were fixed by #2686 :

17:37:10 ==> runtime: cp: cannot open '/src/pkg/envoy/lds.sock' for reading: Input/output error
17:37:10 ==> runtime: cp: cannot open '/src/pkg/envoy/access_log.sock' for reading: Input/output error
17:37:10 ==> runtime: cp: cannot open '/src/pkg/envoy/rds.sock' for reading: Input/output error

This is in no way related to my changes, so I tried again. I notice that the node used is workhouse-0, which is always running as an agent of Jenkins. This means that while my branch is rebased, the sockets are left around within the workspace from before I rebased :/

@ianvernon ianvernon merged commit 142add0 into master Feb 5, 2018
@tgraf tgraf deleted the 2698-allow-nil-selector-networkpolicy branch March 31, 2018 01:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nebril nebril nebril approved these changes

@tgraf tgraf tgraf approved these changes

@aanm aanm aanm approved these changes

Assignees
No one assigned
Labels
priority/high This is considered vital to an upcoming release. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/k8s Impacts the kubernetes API, or kubernetes -> cilium internals translation layers.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@ianvernon @aanm @nebril @tgraf