policy: Enforce ingress policy for Ingress #351
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jrajahalme
force-pushed
the
ingress-endpoint-policy
branch
4 times, most recently
from
5c8c12c
to
412c5b9
Compare
jrajahalme
force-pushed
the
ingress-endpoint-policy
branch
5 times, most recently
from
fb8bfea
to
f212570
Compare
Envoy can assert fail if local close reason is not set: envoy bug failure: !local_close_reason.empty(). Details: Local Close Reason was not set! Set error detail on local close to prevent this. Also Flush on proxylib close so that any remaining data is not cut off. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
Add enforce_policy_on_l7_lb to bpf_metadata config to maintain backwards compatibility by explicitly turning on policy enforcement on Ingress to support older Cilium releases on the same Envoy build. Store the original source identity for enforcing ingress policy for Ingress, that otherwise only enforces the egress policy, as it operates on the egress path. Now both ingress and egress policies for the ingress identity are enforced when enforce_policy_on_l7_lb is configured as 'true'. Ingress arrives to Cilium nodes at node ports, which are meaningless for Cilium Network Policies. To remedy this the destination port of the selected backend is used also in ingress path policy enforcement. Note that this destination port may be different from the one the traffic was first received at the external load balancer. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com> info: patch template saved to `-`
Refactor Config::getMetadata() processing of L7 LB config to be more explicit and to error out on invalid config so that invalid traffic does not accidentally slip through. Adjust tests accordingly and add new tests to cover the new 'enforce_policy_on_l7lb' option. Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
jrajahalme
force-pushed
the
ingress-endpoint-policy
branch
from
f212570
to
99a54f4
Compare
sayboras
approved these changes
Sep 26, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Store the original source identity for enforcing ingress policy for Ingress, that otherwise only enforces the egress policy, as it operates on the egress path. Now both ingress and egress policies defined for the ingress identity are enforced when configured with the new
enforce_policy_on_l7lboption.Ingress arrives to Cilium nodes at node ports, which are meaningless for Cilium Network Policies. To remedy this the destination port of the selected backend is used also in ingress path policy enforcement. Note that this destination port may be different from the one the traffic was first received at the external load balancer.
An allow-all Egress policy at Ingress continues to be supported until Cilium 1.14 is EOL. Newer Cilium versions properly generate an allow-all ingress and egress network policy for the Ingress identity also when policy is not enforced.
See cilium/cilium#28126 for reference on how this is used.