Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

enhancement(policy, aws): Construct CIDR rules for referenced AWS security groups by querying associated network interfaces #27071

Merged
merged 3 commits into from
Aug 2, 2023
Merged

enhancement(policy, aws): Construct CIDR rules for referenced AWS security groups by querying associated network interfaces #27071

merged 3 commits into from
Aug 2, 2023

Conversation

spacepants
Copy link
Contributor

👋 Hello!

In the current implementation, Cilium can enforce policies based on AWS metadata by cross-walking referenced security group IDs or names to the IP addresses of EC2 instances associated with matching security groups. This PR extends this functionality to any VPC-enabled service, e.g. RDS, ElastiCache, VPC endpoints, etc. by querying the underlying network interfaces directly.

Extend AWS metadata-based policy enforcement to work with any VPC-enabled service.

First time contributor. Please let me know if this need anything else. Thanks!

@spacepants spacepants requested review from a team as code owners July 26, 2023 03:39
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 26, 2023
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Jul 26, 2023
christarazi
christarazi reviewed Jul 26, 2023
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR!

Could you split up the PR into separate commits where the refactoring is separate from the new additions? This will make it easier to review. For example, the newly defined function could be part of a separate prior commit and then the next could use the commit.

pkg/policy/groups/aws/aws.go Outdated Show resolved Hide resolved
zacharysarah
zacharysarah requested changes Jul 26, 2023
View reviewed changes
Copy link
Contributor

@zacharysarah zacharysarah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@spacepants Welcome to the project and thanks for the contribution. Some nits to fix, otherwise LGTM.

Be sure to check out the documentation style guide.

Documentation/security/aws.rst Outdated Show resolved Hide resolved
Documentation/security/aws.rst Outdated Show resolved Hide resolved
Documentation/security/aws.rst Outdated Show resolved Hide resolved
Documentation/security/aws.rst Outdated Show resolved Hide resolved
pkg/policy/groups/aws/aws.go Outdated Show resolved Hide resolved
pkg/policy/groups/aws/aws.go Outdated Show resolved Hide resolved
pkg/policy/groups/aws/aws.go Outdated Show resolved Hide resolved
@maintainer-s-little-helper
Copy link

Commit 3de457fde6937b300e2e1da6decff2aee669c85b does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jul 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jul 30, 2023
@spacepants
Copy link
Contributor Author

Rebased into separate logical commits as requested and updated based on feedback. Thank you!

@christarazi
Copy link
Member

Thanks!

CI is reporting a couple of things:

  1. Commit title is too long
  Error: ERROR:CUSTOM: Please avoid long commit subjects (max: 75, found: 79)
  1. Go linter errors
  pkg/policy/groups/aws/aws.go:117: File is not `gofmt`-ed with `-s` (gofmt)
  			Name:   aws.String(policyEC2Labelskey +":"+ labelKey),

@spacepants
Copy link
Contributor Author

Thanks, updated!

@christarazi christarazi added kind/enhancement This would improve or streamline existing functionality. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. area/eni Impacts ENI based IPAM. integration/cloud Related to integration with cloud environments such as AKS, EKS, GKE, etc. sig/ipam IP address management, including cloud IPAM labels Jul 31, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Jul 31, 2023
@christarazi
Copy link
Member

/test

@spacepants spacepants requested a review from zacharysarah August 1, 2023 00:08
zacharysarah
zacharysarah approved these changes Aug 1, 2023
View reviewed changes
Copy link
Contributor

@zacharysarah zacharysarah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM for docs

@spacepants @christarazi
feat(policy, aws): Add new function for returning IP info from AWS ENIs
1257c74 
This adds a new getNetworkInterfaceIpsFromFilter function that returns the associated IP address info for a given query filter.

Signed-off-by: Paul Bailey <spacepants@users.noreply.github.com>
@spacepants @christarazi
refactor(policy, aws): Use ENI query for returning security group IPs
92aa73f 
GetIPsFromGroup now calls getNetworkInterfaceIpsFromFilter for all security group related queries as it provides functionally equivalent info for EC2 instance associated ENIs in addition to ENIs associated with other services. EC2 tag related queries still use getInstancesIpsFromFilter. EC2 client construction is moved upstream to GetIPsFromGroup and the client is plumbed into both getNetworkInterfaceIpsFromFilter and getInstancesIpsFromFilter.

Signed-off-by: Paul Bailey <spacepants@users.noreply.github.com>
@spacepants @christarazi
docs(policy, aws): Update docs to reflect new AWS group lookup behavior
e406e6c 
Signed-off-by: Paul Bailey <spacepants@users.noreply.github.com>
@christarazi
Copy link
Member

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Aug 2, 2023
@dylandreimerink dylandreimerink merged commit 32566db into cilium:main Aug 2, 2023
@spacepants spacepants deleted the aws-policy-eni branch August 2, 2023 11:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christarazi christarazi christarazi approved these changes

@zacharysarah zacharysarah zacharysarah approved these changes

Assignees
No one assigned
Labels
area/eni Impacts ENI based IPAM. integration/cloud Related to integration with cloud environments such as AKS, EKS, GKE, etc. kind/community-contribution This was a contribution made by a community member. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/ipam IP address management, including cloud IPAM
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@spacepants @christarazi @zacharysarah @dylandreimerink