Open christiancadieux opened 4 months ago
Hi @christiancadieux , thanks for the report. Could you restate the problem in simpler terms, for instance "When I configure a policy exactly like the below, I expect _ but when I do curl ...
, I observe ___.
when I use the CCNP from https://isovalent.com/blog/post/cilium-1-15/#h-ingress-network-policy
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
name: ingress-ccnp
spec:
endpointSelector: {}
ingress:
- fromCIDRSet:
- cidr: 172.18.0.10/32
- fromEntities:
- cluster
it works fine and does block ingress except for the specfied CIDR ( 172.18.0.10/32 in this example) - like the article explains.
but if I enter specific labels in the endpointSelector (to limit ingress to specific namespaces/pods), then it does not work anymore and any sourceIP is allowed access to the pods selected by the endpointSelector.
This is by design, as the policies are enforced in Ingress, before the backends are selected. The empty endpointSelector would select all endpoints but it's also possible to make it only apply to ingress by using
endpointSelector:
matchExpressions:
- key: reserved:ingress
operator: Exists
I am not following this. the goal of this new option enforce_policy_on_l7lb is to restrict ingress access from specific sourceIP. Can you give a complete CNP or CCNP example that would allow a specific pod in a specific namespace to receive ingress traffic from a specific external sourceIP and block all other sourceIP. I tried this for example (with an invalid cidr on 'outside-to-ingress'), but it does not block anything:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: default-deny-expect-kube-system
spec:
egress:
- toEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
endpointSelector: {}
ingress:
- fromEndpoints:
- matchLabels:
k8s:io.kubernetes.pod.namespace: kube-system
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: outside-to-envoy
spec:
endpointSelector:
matchExpressions:
- key: reserved:ingress
operator: Exists
ingress:
- fromCIDRSet:
- cidr: 50.112.189.0/24
---
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
name: envoy-to-pods
spec:
endpointSelector: {}
ingress:
- fromEntities:
- ingress
This feature does not work per Ingress or per namespace, it only works with CCNP and applies globally to all Ingress/GwAPI resources.
right - so I don't understand to value of this feature. cilium is designed to support large multi-tenant clusters. each tenant has it's own security requirements. blocking cidrs for the whole cluster is not useful. that's the bug that I am describing. this feature is not consistent with Cilium NP in general.
that's the current scope of the feature. I agree, it's not as useful as it would've been with per-namespace or per-ingress support. This may still happen but most likely it'll be a separate feature. The current behaviour is a result of internal implementation detail: each Ingress reserves an IP on every node and this IP has 1-1 mapping to ingress identity.
I should not have closed this ticket.
I understand that "The feature does not work per Ingress or per Namespace", and the feature being referenced is "enforce_policy_on_l7lb" , but this bug is about the general problem that NetworkPolicies can only be written againt 'ingress' in general, and not against specific deployments and namespaces.
Just to make sure I understand this correctly, there currently is no way to allow external traffic to ingress_a from CIDR_a and to ingress_b from CIDR_b while blocking everything else?
I may not be following your ingress_a/ingress_b example, but yes, the feature only allows to limit ingress access to the whole cluster. it does not allow to be more specific than that. like networkop explained https://github.com/cilium/cilium/issues/32755#issuecomment-2147602124
Is there an existing issue for this?
What happened?
CCNP using fromCIDRSet and fromEntities does not work correctly on Ingress traffic to gateway
with this ccnp , the fromCIDRSet value is active and the traffic is blocked when the cidr is incorrect, as explained in the isovalent blog https://isovalent.com/blog/post/cilium-1-15/#h-ingress-network-policy
but as soon as an endpoint selector is added, the CIDR is ignored and the traffic is always allowed.
Or maybe I misunderstood this new feature enforce_policy_on_l7lb and it only works for "endpointSelector: {}" . But if that is true, they this new feature would not be very useful since it would block specific IP from ingress to the whole cluster, and these clusters are typically multi-tenant and each tenant need different CIDRs allowed.
for this test - there is a default-deny CNP at the namespace level:
when the CCNP endpointSelector is changed from app=details to app=details2, the traffic stops (because of th default-deny) thus confirming that the CCNP is active. Also tried without the default-deny CNP - still behaves incorrectly.
but with endpointSelector app=details, the traffic is back, even when the ingress.fromCidrSet.cidr is invalid. I also verify that adding the specific namespace in the CCNP does not help:
Cilium Version
cilium image (default): v1.14.6 cilium image (stable): v1.15.5
Kernel Version
Linux caas-bglab-comp009--10-112-182-135 5.15.119-flatcar #1 SMP Fri Jul 14 17:48:03 -00 2023 x86_64
Kubernetes Version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.4", GitCommit:"e6c093d87ea4cbb530a7b2ae91e54c0842d8308a", GitTreeState:"clean", BuildDate:"2022-02-16T12:38:05Z", GoVersion:"go1.17.7", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.15", GitCommit:"da6089da4974a0a180c226c9353e1921fa3c248a", GitTreeState:"clean", BuildDate:"2023-10-18T13:29:23Z", GoVersion:"go1.20.10", Compiler:"gc", Platform:"linux/amd64"}
Regression
No response
Sysdump
No response
Relevant log output
No response
Anything else?
cilium config
Cilium Users Document
Code of Conduct