Policy simplification

[tgraf]

Fixes: #674

[rlenglet]

applicable -> enforced

[rlenglet]

I would also specify that for a flow between two endpoints to be allowed by Cilium, it must be allowed by both the egress section of the source endpoint and by the ingress section of the destination endpoint.

[tgraf]

That is only true to some extent. Endpoint to endpoint policy is only specified at Ingress. We only do egress specification for things where we do not control the receiving endpoint.

I've added a note to clarify this.

[rlenglet]

Comment -> Description (?)

[tgraf]

I inherited comment from iptables but I like Description better as well, fixed.

[rlenglet]

This should be a slice, not a single rule.

[tgraf]

All members of IngressRule are sliced which saves us to enforce oneOf at IngressRule level. What benefit do you see in one over the over? I'm fine with both actually.

[rlenglet]

Because the semantics is different.
I would like to be able to specify:

• allow from 10/8 to port 80
  and
• allow from 11/8 to port 443

That's very different from:

• allow from "either 10/8 or 11/8" to "either port 80 or port 443"

[tgraf]

As mentioned in another comment as well: The datapath does support the coupling of L3 and L4 rules at this point and we have to support the decoupled version anyway for k8s policy.

I'm fine changing this as I said but we can't support the coupling right now.

[rlenglet]

Actually you could. It would just cost you the calculation of a cartesian product of the k8s L3 rules with the K8s L4 rules in the same k8s policy, to obtain those "coupled" rule versions. It may be costly only in case of complicated k8s policies, e.g. with contain many criteria. I don't think that will be common, nor very costly.

[rlenglet]

This should be a slice, not a single rule.

[rlenglet]

Why mentioning "IngressRule" here? Did you mean "EgressRule"?

[tgraf]

I meant EgressRule but I believe the paragraph is not required at all for understanding.

[rlenglet]

I find this confusing. This looks like a conjunction of rules.
I would prefer if all the rules form a disjunction, i.e. if a rule allows some flows, no addition or removal of any other rule can alter that.

[tgraf]

Not sure which paragraph this comment refers to.

[rlenglet]

specifices -> specifies
protocol -> transport protocol

[tgraf]

fixed

[rlenglet]

It's usually useful. Actually, a list combining individual ports and ranges seems common, e.g.:
["80", "443", "2000-2100"]
The only negative aspect about it is that it requires the data to be passed as strings, but that's a small price to pay.

[tgraf]

I agree, I will change it to a string for now so we can easily add ranges later on.

[aanm]

What about:

type PortProtocol struct {
      Port PortRange
}

type PortRange stuct{
      min uint16
      max uint16
}

func NewPort(p uint16) *PortRange{
     return &PortRange{min: p, max: p}
}

func NewPortRange(min, max uint16) *PortRange{
     return &PortRange{min: min, max: max}
}

func (p *PortRange) Contains(p uint16) bool {
   return p.min >= p && p <= p.max
}

At least we don't deal with strings

[rlenglet]

In case of ICMP, how can one match on the code / type?
If that's not supported, specify it.

[tgraf]

Note added, we do not support matching on ICMP.

[aanm]

What about port 0 with proto any?

[tgraf]

Such a rule would never match right now. I've added the case to the Validate() function.

[ashwinp]

Initial review comments.

[ashwinp]

Please consider renaming this to AppliedEndpoints.

// Mandatory field. Identifies the endpoints where this rule should be applied.
AppliedEndpoints EndpointSelector json:"selector"

[tgraf]

I like selector because it is in line with the k8s API which uses the word selector for everything to select objects to apply rules onto.

[ashwinp]

I see. Thanks.

[ashwinp]

The field is a pointer to IngressRule, and can hold only 1 ingress rule. The document needs to be fixed, or we need to have a collection of IngressRules here.

[tgraf]

comment fixed

[ashwinp]

Please consider renaming this to Policy. A Policy can contain multiple rules. Each rule can be of type Egress or Ingress.

[tgraf]

That's what it is. The policy is not part of the API. Cilium owns a policy repository which consists of a list of rules which can be modified via the API by adding/removing/changing rules.

[ashwinp]

Got it. Thanks.

[ashwinp]

Can we simplify this by having a collection of Rules (a new type that only contains match predicates)? A Rule can either be of type Egress or Ingress. The current type Rule can be renamed to Policy.

[tgraf]

See the comment from @rlenglet. I'm trying to avoid oneOf as it can't be described and enforced with swagger.

[ashwinp]

OK, thanks.

[ashwinp]

Please consider renaming this to SourceEndpoints

[tgraf]

Source has some implications as it could be confused for source addresses. "From" is clearer in that sense, "rule selects b and allows ingress from a"

[ashwinp]

Please remove this paragraph. We're referring to fromCIDR, which is defined later, and the comment is redundant as the params are tagged as optional.

[tgraf]

Agreed, only obfuscates, removed both occurrences.

[ashwinp]

I did not understand the purpose of FromRequires. The example about group=A talks about labels, but isn't this field of type endpointselector?

[tgraf]

I have reworded the paragraph to make it clearer

[ashwinp]

Please consider renaming to destinationPorts

[ashwinp]

Please consider renaming to SourceCIDRs

[tgraf]

SourceCIDRs would definitely be mistaken for source address CIDR

[tgraf]

2nd thought, this is exactly what we want so I'm making this change.

[ashwinp]

Can we make this:
Ports []uint16 ?
That way, one can specify TCP: [80, 8080], as an example.

[tgraf]

See @rlenglet comment to move to strong to support ranges, I like that approach. We could eventually support all of "10", "10, 11", "10-15"

[aanm]

What happens if a label is not valid?

[tgraf]

How can a label not be valid?

[aanm]

Good question, since it returns a pointer I was assuming it could be nil

[aanm]

For the omitted ones please also add the case where they are empty. "If omitted, or empty,..."

[tgraf]

Agreed, will do.

[aanm]

I've been thinking about this. What about "Metadata" instead, seems wrong?
Also, why the json variable is called Group? I mean, I would like to see Group instead of Labels in the go struct.

[aanm]

[]*labels.Label -> labels.LabelArray

[aanm]

Does it this means all slices in this structure will be "ORed" or "ANDed"?

[tgraf]

ORed. Rephrased.

[aanm]

I don't get this, if the policy has multiple rules, and one of the rules can't be reachable why does that means it is automatically denied?

Shouldn't you first check for all the rules that have its ingress matching the ctx.To and then check if one of them allows receiving from ctx.From?

[tgraf]

api.Denied is only returned if it is denied for sure. This only happens for Require rules. If the requirement for a require rule is not met, the potential consumer is never allowed.

[aanm]

Why a pointer to the rule itself?

[tgraf]

I've masked it behind a new api.Rules type now so we can easily change this. I don't see a problem with a pointer.

[aanm]

👍

[aanm]

Why not implement the MarshalJSON itself? because it returns byte and error

Why not ToString() or String() or even GoString()?

[tgraf]

Because we return JSON :-) It's not meant to be human readable.

[aanm]

why not %s/%d instead?

[tgraf]

Either is fine, it doesn't matter. Never exposed. Will change this if you look this better.

[tgraf]

What about port 0 with proto any?

[ashwinp]

pkg/policy/api/rule.go, line 24 at r3 (raw file):

// labels contained in the endpointSelector
//
// Multiple rules are related to each with a logical OR.

related to each?

---

Comments from Reviewable

[ashwinp]

pkg/policy/api/rule.go, line 44 at r4 (raw file):

	// Egress is a list of EgressRule which are enforced at egress.
	// If omitted or empty, this rule does not apply at ingress.

typo: at egress.

---

Comments from Reviewable

[tgraf]

typo: at egress.

Fixed, thanks

[ashwinp]

pkg/policy/api/rule.go, line 183 at r4 (raw file):

// rules which must be met.
type PortRule struct {
	// Ports is a lst of L4 port/protocol

typo: list

---

Comments from Reviewable

[ashwinp]

pkg/policy/api/rule.go, line 193 at r4 (raw file):

	// RedirectPort is the L4 port which, if set, all traffic matching the
	// Ports ie being redirected to. Whatever listener behind that port

/ie/is/

---

Comments from Reviewable

[ashwinp]

Please update the comment; There is no FromEndpoints in the EgressRule.

[tgraf]

Fixed

[ashwinp]

"All members of this structure are evaluated independently". This would imply that as a user, I cannot enforce the following:

• Allow Ingress only from container labeled A (FromEndpoint=A) to port 80.
• Allow Ingress only from container labeled B (FromEndpoint=B) to port 8080.

B will be allowed to connect to port 80 in addition to port 8080. Similarly, A will be allowed to connect to port 8080 in addition to port 80. Right?

[tgraf]

Correct. Two reasons:

• The BPF datapath is currently not capable of enforcing this. L3 endpoints are whitelisted via BPF map. The per endpoint L4 map is another BPF map. Referring to a 2nd BPF map from a 1st BPF map value was only just recently added so we will start supporting this with more recent kernels.
• k8s NetworkPolicy also defines this separate notion and we need to able to map k8s NetworkPolicy to our policy.

The idea is to add a field later on which introduces L4 policies which depend on a specific L3 rule. This could be done by adding a new ToPorts inside FromEndpoints or to add a flag to ToPorts which allows to tie the ToPorts to FromEndpoints and FromCIDR within the same IngressRule.

[aanm]

Really awesome work @tgraf !