Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ingress: Create FromGroups resource #30708

Merged
merged 3 commits into from Mar 12, 2024
Merged

ingress: Create FromGroups resource #30708

merged 3 commits into from Mar 12, 2024

Conversation

Alex-Waring
Copy link
Contributor

@Alex-Waring Alex-Waring commented Feb 12, 2024
edited

Duplicates the structures inplace to evaluate the toGroups resource into the ingress section, allowing the creation of FromGroups. This means AWS SG groups can be included as ingress resources and directly translated into fromCIDR rules.

Example usage:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: "l4-rule"
spec:
  endpointSelector:
    matchLabels:
      role: backend
  ingress:
  - toPorts:
    - ports:
      - port: '80'
        protocol: TCP
    fromGroups:
    - aws:
        securityGroupsIds:
        - 'sg-0123456789abcdefg'

Fixes: #30032

Allows for using AWS SGs in the ingress section of rules.

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 12, 2024
@github-actions github-actions bot added the kind/community-contribution This was a contribution made by a community member. label Feb 12, 2024
@Alex-Waring Alex-Waring mentioned this pull request Feb 12, 2024
Closed
@Alex-Waring Alex-Waring marked this pull request as ready for review February 13, 2024 19:59
@Alex-Waring Alex-Waring requested review from a team as code owners February 13, 2024 19:59
@ti-mo ti-mo added the release-note/minor This PR changes functionality that users may find relevant to operating Cilium. label Feb 22, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Feb 22, 2024
christarazi
christarazi reviewed Feb 26, 2024
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR, initial approach LGTM. A few comments below. I'd also suggest making the rename of ToGroups to Groups a separate commit, just to help scope down the review.

pkg/policy/api/ingress.go Outdated Show resolved Hide resolved
pkg/policy/api/ingress.go Outdated Show resolved Hide resolved
@christarazi christarazi added kind/feature This introduces new functionality. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Feb 26, 2024
@Alex-Waring Alex-Waring force-pushed the AWar/groups/ingress branch 3 times, most recently from f3ddfba to a08ac45 Compare February 28, 2024 09:35
@ldelossa ldelossa assigned Alex-Waring and unassigned Alex-Waring Feb 28, 2024
christarazi
christarazi approved these changes Feb 28, 2024
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looking good! Could you take care of the two comments below and it's good to go from my perspective?

pkg/policy/groups/helpers.go Outdated Show resolved Hide resolved
pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml Outdated Show resolved Hide resolved
@Alex-Waring Alex-Waring force-pushed the AWar/groups/ingress branch 3 times, most recently from 7a7c60f to 0e39308 Compare February 28, 2024 21:34
@christarazi
Copy link
Member

/test

@Alex-Waring
Copy link
Contributor Author

Hey @christarazi, I'm happy to do more investigation but these errors don't seem to be related to my change. I can rebase onto master?

@christarazi
Copy link
Member

Sure, rebase and I will retrigger the tests.

@Alex-Waring
ingress: Rename FromGroups resource
9fe893d 
In preparation for making the groups resource applicable to both ingress and egress
rules, this commit changes the name of the ToGroups struct to Groups.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@Alex-Waring
abstract out ExtractCidrSet
8a3cca8 
As I am going to be copying the Create Derivative functions, this commit abstracts out some
of the logic into a helper function, to make the code more DRY.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@Alex-Waring
ingress: Create FromGroups resource
8c68fdb 
Duplicates the structures inplace to evaluate the toGroups resource into the ingress
section, allowing the creation of FromGroups. This means AWS SG groups can be
included as ingress resources and directly translated into fromCIDR rules.

Fixes: cilium#30032
Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@nathanjsweet
Copy link
Member

Looks good!

@nathanjsweet
Copy link
Member

nathanjsweet commented Mar 4, 2024
edited by christarazi

/test

Edit:

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Mar 12, 2024
@nathanjsweet nathanjsweet added this pull request to the merge queue Mar 12, 2024
Merged via the queue into cilium:main with commit cc82eff Mar 12, 2024
62 checks passed
@JonasKs JonasKs mentioned this pull request Apr 4, 2024
Open
@joestringer
Copy link
Member

Hi @Alex-Waring , is the example in the PR description correct? The indentation seems odd, and it's not referring to fromGroups.

@Alex-Waring
Copy link
Contributor Author

Hi @joestringer no it was very much not correct, apologies. I've updated it now.

Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Correct FromGroups rule Parsing
d9d886b 
Currently fromGroups, which was added in cilium#30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
- Adding FromGroups to parseToCiliumIngressCommonRule logic
- During validation make sure that fromGroups is not combined with other
  L3 rules.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Testing for FromGroups
e0ad59b 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Correct FromGroups rule Parsing
5219294 
Currently fromGroups, which was added in cilium#30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
  - Adding FromGroups to parseToCiliumIngressCommonRule logic
  - During validation make sure that fromGroups is not combined with
    other L3 rules.
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Testing for FromGroups
61c7b27 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Correct FromGroups rule Parsing
3adf4f7 
Currently fromGroups, which was added in cilium#30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
- Adding FromGroups to parseToCiliumIngressCommonRule logic
- During validation make sure that fromGroups is not combined with other
  L3 rules.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request Apr 29, 2024
@Alex-Waring
ingress: Testing for FromGroups
08e967f 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
@Alex-Waring Alex-Waring mentioned this pull request Apr 29, 2024
Merged
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request May 3, 2024
@Alex-Waring
ingress: Correct FromGroups rule Parsing
5d05593 
Currently fromGroups, which was added in cilium#30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
- Adding FromGroups to parseToCiliumIngressCommonRule logic
- During validation make sure that fromGroups is not combined with other
  L3 rules.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request May 3, 2024
@Alex-Waring
ingress: Testing for FromGroups
47e1e85 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request May 3, 2024
@Alex-Waring
ingress: Testing for FromGroups
c23a75e 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Alex-Waring added a commit to Alex-Waring/cilium that referenced this pull request May 3, 2024
@Alex-Waring
ingress: Testing for FromGroups
36e83ae 
In the previous commit and cilium#30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
github-merge-queue bot pushed a commit that referenced this pull request May 7, 2024
@Alex-Waring @aanm
ingress: Correct FromGroups rule Parsing
87ca7b7 
Currently fromGroups, which was added in #30708,
is correctly represented in the YAML but not being converted to a rule.
This commit fixes that by:
- Reporting that a rule requires derivation when an ingress component
  does, and making sure to clear ingress rules when creating that
  derivative.
- Adding FromGroups to parseToCiliumIngressCommonRule logic
- During validation make sure that fromGroups is not combined with other
  L3 rules.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
github-merge-queue bot pushed a commit that referenced this pull request May 7, 2024
@Alex-Waring @aanm
ingress: Testing for FromGroups
87ed04b 
In the previous commit and #30708
the fromGroups resource was added, but testing was not covered properly.
This commit validates that we are working as expected.

Signed-off-by: Alex Waring <ajmwaring@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@christarazi christarazi christarazi approved these changes

Assignees
No one assigned
Labels
kind/community-contribution This was a contribution made by a community member. kind/feature This introduces new functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support AWS Security Groups with security group rules ingress from another security group for Network Policies
5 participants
@Alex-Waring @christarazi @nathanjsweet @joestringer @ti-mo