CFP: CiliumNetworkPolicy validation

giorio94 commented 1 year ago

Cilium Feature Proposal

Is your feature request related to a problem?

Malformed/invalid CNPs (e.g., L7 policies without the protocol: TCP field set) get silently discarded by the agent, emitting only the corresponding log entry about the error encountered during validation (e.g., L7 rules can only apply to TCP (not ANY) except for DNS rules). For non-experts, this makes it tricky to understand why the CNP is not being enforced as expected, as no errors are reported while creating the resource, nor they are attached to it.

Describe the feature you'd like

In my opinion, a great QoL addition would be the introduction of a validation webhook to prevent the creation of invalid network policies, making it immediately clear to the user that something is wrong with that.

Alternatively, the feedback might be returned as part of the status stanza of the resource, or emitted as a Kubernetes event, which are typically looked for before the logs.

christarazi commented 1 year ago

Relevant K8s documentation: https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#webhook-configuration

One thing that is not entirely clear to me is what should be the clientConfig configuration. Specifying the URL has localhost would be an obvious first choice, as Cilium runs as a daemonset so it will be available on every node, however we can't assume that the kube-apiserver is always running within the cluster on a node(s).

We need to somehow specify a destination API endpoint (i.e. http://host:port...) in a manner where we don't assume the location of the kube-apiserver. Specifying a service could potentially work. The Operator could create the service and receive / respond to the validation requests. This seems to be a better approach than having each Cilium Agent handle this.

squeed commented 1 year ago

Running webhooks, especially for network providers, can be kind of a pain:

the service network may not be up
we need to use hostNetwork pods
we must avoid chicken-and-egg scenarios where we can’t recover the network without the network running
We can’t always rely on connectivity from the apiserver to arbitrary node ports, especially for managed control planes[1]

as a first pass, what if we wrote CEL rules for our types?

1: this one has bitten me really hard in the past; it turns out some managed control plane offerings have incomplete connectivity between the apiserver and the underlying nodes. Connections to the pod network are fine, but not necessarily to nodes directly

christarazi commented 1 year ago

1: this one has bitten me really hard in the past; it turns out some managed control plane offerings have incomplete connectivity between the apiserver and the underlying nodes. Connections to the pod network are fine, but not necessarily to nodes directly

But then how do the kubelet healthchecks work? Aren't they apiserver-to-node traffic too?

christarazi commented 1 year ago

as a first pass, what if we wrote CEL rules for our types?

But immutability is not validation? How does this help?

squeed commented 1 year ago

Whoops, I pasted the wrong blog link. CEL is a general-purpose validation language. See https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definitions/ — sorry

christarazi commented 1 year ago

Ah great, yes this looks very promising. I didn't realize this sort of complex validation expressions have landed. We've done a lot of work a few years ago to get our CRDs statically validated, but it hasn't been touched since then, so it seems we should be able to switch some (hopefully all) fields to CEL expressions. This might even allow us to get rid of our nasty fork of controller-tools.

christarazi commented 1 year ago

cc @aanm ^ :slightly_smiling_face: