
Enforce default deny for calico-system #2636

Merged
merged 2 commits into from
May 15, 2023

Conversation

pasanw
Contributor

@pasanw pasanw commented May 10, 2023

Description

Renders a default deny in the calico-system namespace. This change also fixes issues with NodeLocal DNSCache through the inclusion of calico-system in the Tigera namespace selector.

Change was tested in a MCM setup with NodeLocal DNSCache and L7 logging enabled (for CSI validation) in both management and managed clusters.

The following calico components are in the calico-system namespace and were tested*:

  • kube-controllers: flows are policed, existing policy needed an additional ingress rule based on flow logs.
  • es-kube-controllers: flows are policed, no new rules required based on flow logs.
  • CSI daemonset: does not require networking (driver communicates with kubelet via UDS, also confirmed no flows in flow logs)
  • Windows upgrader daemon set: not tested*, but appears to not require networking to install/upgrade.

For PR author

  • Tests for change.
  • If changing pkg/apis/, run make gen-files
  • If changing versions, run make gen-versions

For PR reviewers

A note for code reviewers - all pull requests must have the following:

  • Milestone set according to targeted release.
  • Appropriate labels:
    • kind/bug if this is a bugfix.
    • kind/enhancement if this is a new feature.
    • enterprise if this PR applies to Calico Enterprise only.
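The pattern the PR describes (a namespace-scoped default deny in calico-system, with explicit allows scoped by a namespace selector that must itself include calico-system) in Calico's policy API. This is an added illustration, not the manifests rendered by tigera/operator; the policy names, the selector labels, the namespace set and the port are assumptions.

```yaml
# Added illustration (not tigera/operator's rendered output). A low-priority
# default deny in calico-system, plus a higher-priority allow whose namespace
# selector models the "Tigera namespace selector". Any namespace missing from
# that selector (as calico-system was before the PR) falls through to the deny,
# which is why flows from components such as kube-controllers broke.
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: default-deny            # assumed name
  namespace: calico-system
spec:
  # High order value: evaluated after every allow policy with a lower order.
  order: 10000
  selector: all()
  types:
    - Ingress                   # matches the branch name; egress left as-is here
  # No ingress rules listed: ingress not matched by an earlier policy is denied.
---
apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-tigera-namespaces # assumed name
  namespace: calico-system
spec:
  order: 100
  # Label on the kube-controllers pods; assumed for this illustration.
  selector: k8s-app == "calico-kube-controllers"
  types:
    - Ingress
  ingress:
    - action: Allow
      protocol: TCP
      source:
        # Namespaces permitted to reach calico-system components. Membership is
        # an assumption; the PR's fix is that calico-system is part of the set.
        namespaceSelector: projectcalico.org/name in {"calico-system", "tigera-operator"}
      destination:
        ports:
          - 9094                # placeholder; take the real port from flow logs
```

Before enforcing, check the flow logs for calico-system with the deny policy staged (no explicit rules yet), as the PR author did, so every allow you add is justified by an observed flow rather than guessed.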

@marvin-tigera marvin-tigera added this to the v1.30.0 milestone May 10, 2023
@pasanw pasanw force-pushed the enforce-ingress-calico-system branch 3 times, most recently from 94c79bc to 26f3594 May 12, 2023 19:23
@pasanw pasanw force-pushed the enforce-ingress-calico-system branch from 26f3594 to cadf0a0 May 12, 2023 22:35
@pasanw pasanw marked this pull request as ready for review May 12, 2023 23:13
@pasanw pasanw requested a review from a team as a code owner May 12, 2023 23:13
@pasanw pasanw merged commit 88d6475 into tigera:master May 15, 2023
3 checks passed
@pasanw pasanw deleted the enforce-ingress-calico-system branch May 15, 2023 17:41