projectcalico / calico

Cloud native networking and network security
https://docs.tigera.io/calico/latest/about/
Apache License 2.0

Validation Error unknown field "serviceMatch" in Calico 3.20.0 #7680

Closed StromBreaker10 closed 1 year ago

StromBreaker10 commented 1 year ago

I am trying to create a network policy in a Kubernetes 1.24 and Calico 3.20 environment so that my component connects to the database through a service by making use of the serviceMatch field. This solution worked for us on 1.21 and 3.15 and on 1.24 and 3.15 without any errors. But when we upgraded Calico to 3.20 we are getting an unknown field error.

Network rule in NetworkPolicy yaml:

Error:

Error: INSTALLATION FAILED: unable to build kubernetes objects from release manifest: error validating "": error validating data: ValidationError(NetworkPolicy.spec.egress[2].destination): unknown field "serviceMatch" in org.projectcalico.crd.v1.NetworkPolicy.spec.egress.destination

Environment Details: kubernetes version: 1.24 calico version: 3.20 (docker.io/calico/node:v3.20.0) networkpolicy api version: crd.projectcalico.org/v1

caseydavenport commented 1 year ago

The field should be called "services".

Per the example from the docs:

apiVersion: projectcalico.org/v3
kind: NetworkPolicy
metadata:
  name: allow-api-access
  namespace: my-app
spec:
  selector: all()
  egress:
    - action: Allow
      destination:
        services:
          name: kubernetes
          namespace: default

https://docs.tigera.io/archive/v3.20/security/service-policy

StromBreaker10 commented 1 year ago

We tried the field "services", still the same error.

caseydavenport commented 1 year ago

Could you provide the full yaml object you're trying to create?

StromBreaker10 commented 1 year ago

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-my-component
  namespace: my-namespace
spec:
   selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
   types:
     - Ingress
     - Egress
   ingress:
   - action: allow
     protocol: TCP
     source: {}
     destination:
       selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
       ports:
       - 8888
   egress:
   - action: allow
     protocol: TCP
     source:
       selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
     destination:
       serviceMatch:
        name: service-svc
        namespace: my-namespace
       ports:
       - 777

caseydavenport commented 1 year ago

apiVersion: crd.projectcalico.org/v1

Please see this issue: https://github.com/projectcalico/calico/issues/6412

   serviceMatch:

Like I said in my previous message, this is wrong. It needs to be services

StromBreaker10 commented 1 year ago

How is this field "serviceMatch" or "services" functionality working with version v1 and CRDs in Calico 3.15 (Kubernetes 1.21) and not in Calico 3.20 (Kubernetes 1.24)? We have the Tigera resource apiserver also running in our 1.24 env.

We are using the open source Calico and are not planning to migrate to the enterprise edition.

Is this field deprecated in latest versions?

StromBreaker10 commented 1 year ago

Reminder on this issue. Please reopen the issue.

caseydavenport commented 1 year ago

Could you provide the full yaml object you're trying to create?

Could you please show me a valid Calico API object? The one that you included in your previous comment is not valid for the two reasons I suggested:

Until I have that I can't reasonably say this is a bug in Calico.

StromBreaker10 commented 1 year ago

apiVersion: crd.projectcalico.org/v1
kind: NetworkPolicy
metadata:
  name: allow-my-component
  namespace: my-namespace
spec:
   selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
   types:
     - Ingress
     - Egress
   ingress:
   - action: allow
     protocol: TCP
     source: {}
     destination:
       selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
       ports:
       - 8888
   egress:
   - action: allow
     protocol: TCP
     source:
       selector: com.org.container.app == 'myApp' && com.org.container.component == 'my-component'
     destination:
       services:
        name: service-svc
        namespace: my-namespace
       ports:
       - 777

This is the yaml we tested; as you can see we used the field "services" instead of services. Regarding the api version we can't use v3 since we are using open source Calico, not the enterprise edition. We are using open source Calico and CRDs, hence v1, not v3.

caseydavenport commented 1 year ago

Regarding the api version we can't use v3 since we using open source calico not the enterprise edition. we using open source calico and crds hence v1 not v3.

Open-source Calico is what we're talking about here - in OSS Calico, the v3 API is supported and the v1 API is not. It's not a matter of OSS vs Enterprise.
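The two defects caseydavenport points at (the `crd.projectcalico.org/v1` apiVersion and a `serviceMatch` key where the v3 API expects `services`) are cheap to catch before `helm install` or `kubectl apply` runs them into the API server. The linter below is an added example written for this page, not code from the Calico project. It takes the policy as the plain object a YAML or JSON loader returns, so the policy from the thread is transcribed inline as a Python dict (constructed for this example, with the action capitalised as in the docs example and the egress destination reduced to the service match only). The set of keys accepted in a v3 rule's source/destination is taken from the Calico v3 NetworkPolicy reference; `lint_policy` and `fix_policy` are names chosen here.

```python
"""Pre-apply lint for Calico NetworkPolicy objects.

Added example, not code from the Calico project. It takes the policy as the
plain object a YAML/JSON loader returns and reports the two defects discussed
in the thread: the wrong apiVersion and a 'serviceMatch' key where the v3 API
expects 'services'.
"""
import copy

CALICO_API_VERSION = "projectcalico.org/v3"

# Keys the v3 API accepts in a rule's source/destination (EntityRule).
ENTITY_RULE_KEYS = {
    "nets", "notNets", "selector", "notSelector", "namespaceSelector",
    "ports", "notPorts", "serviceAccounts", "services",
}


def _entity_rules(policy):
    """Yield (json-path, entity-rule dict) for every source/destination."""
    spec = policy.get("spec") or {}
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            for side in ("source", "destination"):
                entity = rule.get(side)
                if isinstance(entity, dict):
                    yield f"spec.{direction}[{i}].{side}", entity


def lint_policy(policy):
    """Return a list of human-readable findings; empty means nothing found."""
    findings = []
    if policy.get("kind") != "NetworkPolicy":
        findings.append(f"kind: expected 'NetworkPolicy', got {policy.get('kind')!r}")
    api = policy.get("apiVersion")
    if api != CALICO_API_VERSION:
        findings.append(f"apiVersion: got {api!r}, want {CALICO_API_VERSION!r}")
    for path, entity in _entity_rules(policy):
        for key in sorted(entity):
            if key == "serviceMatch":
                findings.append(f"{path}: unknown field 'serviceMatch'; use 'services'")
            elif key not in ENTITY_RULE_KEYS:
                findings.append(f"{path}: unknown field {key!r}")
        services = entity.get("services")
        if isinstance(services, dict):
            # A service match needs both the service name and its namespace.
            for required in ("name", "namespace"):
                if not services.get(required):
                    findings.append(f"{path}.services: missing '{required}'")
    return findings


def fix_policy(policy):
    """Return a copy with the apiVersion corrected and serviceMatch renamed."""
    fixed = copy.deepcopy(policy)
    fixed["apiVersion"] = CALICO_API_VERSION
    for _, entity in _entity_rules(fixed):
        if "serviceMatch" in entity:
            entity["services"] = entity.pop("serviceMatch")
    return fixed


# The policy from the thread, transcribed into the object form a YAML loader
# would produce (constructed for this example; action capitalised as in the
# docs, egress destination reduced to the service match).
APP_SELECTOR = ("com.org.container.app == 'myApp' && "
                "com.org.container.component == 'my-component'")
THREAD_POLICY = {
    "apiVersion": "crd.projectcalico.org/v1",
    "kind": "NetworkPolicy",
    "metadata": {"name": "allow-my-component", "namespace": "my-namespace"},
    "spec": {
        "selector": APP_SELECTOR,
        "types": ["Ingress", "Egress"],
        "ingress": [{
            "action": "Allow",
            "protocol": "TCP",
            "source": {},
            "destination": {"selector": APP_SELECTOR, "ports": [8888]},
        }],
        "egress": [{
            "action": "Allow",
            "protocol": "TCP",
            "source": {"selector": APP_SELECTOR},
            "destination": {
                "serviceMatch": {"name": "service-svc", "namespace": "my-namespace"},
            },
        }],
    },
}

if __name__ == "__main__":
    for finding in lint_policy(THREAD_POLICY):
        print("FAIL:", finding)
    print("after fix:", lint_policy(fix_policy(THREAD_POLICY)) or "clean")
```

Run against the thread's object the linter reports exactly the two points raised in the discussion; `fix_policy` leaves the original untouched and returns a copy that passes. In a real pipeline the object would come from `yaml.safe_load` on the manifest, and the fixed object is what you would then hand to `calicoctl apply` or `kubectl apply` (the latter with the Calico API server installed, so that `projectcalico.org/v3` is served).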