
To world traffic incorrectly denied by network policy when enabling DNS observability #29666

@giorio94

Description

Is there an existing issue for this?

  • I have searched the existing issues

What happened?

After applying a CiliumNetworkPolicy [1] allowing traffic to coredns and world entities only, as well as enabling DNS observability, all traffic towards external addresses gets incorrectly dropped. This issue reproduces only on main, and only when the network policy includes the DNS observability rule.

Relevant cilium monitor drop event:

Policy verdict log: flow 0xe0ba5513 local EP ID 556, remote ID 16777217, proto 6, egress, action deny, auth: disabled, match none, 10.244.1.111:55102 -> 216.58.204.132:80 tcp SYN
xx drop (Policy denied) flow 0xe0ba5513 to endpoint 0, ifindex 8, file bpf_lxc.c:1289, , identity 37740->16777217: 10.244.1.111:55102 -> 216.58.204.132:80 tcp SYN

Corresponding ipcache entry:

216.58.204.132/32               identity=16777217 encryptkey=0 tunnelendpoint=0.0.0.0

Identities:

16777217   cidr:216.58.204.132/32
           reserved:world-ipv4
16777218   cidr:2a00:1450:4002:403::2004/128
           reserved:world-ipv6

With v1.14, instead, the ipcache entry is not present, and the cilium monitor output reads:

Policy verdict log: flow 0xba9162c local EP ID 3165, remote ID world, proto 6, egress, action allow, auth: disabled, match L3-Only, 10.20.1.244:35236 -> 142.251.209.4:80 tcp SYN
-> stack flow 0xba9162c , identity 61645->world state new ifindex 0 orig-ip 0.0.0.0: 10.20.1.244:35236 -> 142.251.209.4:80 tcp SYN

Tested on the dual stack kind cluster created with:

KIND_CLUSTER_NAME=kind make kind && make kind-image && make kind-install-cilium

[1]:

apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: to-world
spec:
  endpointSelector: {}
  egress:
    - toEntities:
        - world
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"

Cilium Version

Tip of main (d1128cf). Stable versions are not affected.

Sysdump

cilium-sysdump-20231206-143252.zip

Anything else?

Marked as release blocker given that it is a regression from v1.14.

Code of Conduct

  • I agree to follow this project's Code of Conduct
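The symptom above can be checked mechanically: the `cilium monitor` verdict line names a numeric remote identity, and the identity listing shows that identity carrying a `reserved:world-*` label, while the policy's `toEntities: [world]` rule should have allowed the flow. The script below is an added example (not code from this issue or from the Cilium project) that parses the two textual outputs quoted in the report and flags egress denials towards such world-labelled CIDR identities. The sample inputs are the lines quoted in the issue; the `policy_allows_world` parameter is an assumption standing in for the policy's `world` entity rule.

```python
"""Cross-check `cilium monitor` policy verdicts against `cilium identity list`.

Added example, not part of the issue or of Cilium. It parses the verdict lines
and the identity listing quoted in the report and reports the regression symptom:
an egress flow denied towards a numeric CIDR identity that carries a
reserved:world-* label, although the policy allows the `world` entity.
"""
import re
from dataclasses import dataclass

# One "Policy verdict log" line as printed by `cilium monitor` (format taken
# from the lines quoted in the issue). Other monitor lines do not match.
VERDICT_RE = re.compile(
    r"Policy verdict log: flow (?P<flow>0x[0-9a-f]+) local EP ID (?P<ep>\d+), "
    r"remote ID (?P<remote>[^,]+), proto (?P<proto>\d+), (?P<dir>ingress|egress), "
    r"action (?P<action>\w+),.*?(?P<src>[0-9a-fA-F:.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[0-9a-fA-F:.]+):(?P<dport>\d+)"
)

# Sample inputs: copied from the issue text (main branch vs. v1.14 output).
MONITOR_MAIN = """\
Policy verdict log: flow 0xe0ba5513 local EP ID 556, remote ID 16777217, proto 6, egress, action deny, auth: disabled, match none, 10.244.1.111:55102 -> 216.58.204.132:80 tcp SYN
xx drop (Policy denied) flow 0xe0ba5513 to endpoint 0, ifindex 8, file bpf_lxc.c:1289, , identity 37740->16777217: 10.244.1.111:55102 -> 216.58.204.132:80 tcp SYN
"""
MONITOR_V114 = """\
Policy verdict log: flow 0xba9162c local EP ID 3165, remote ID world, proto 6, egress, action allow, auth: disabled, match L3-Only, 10.20.1.244:35236 -> 142.251.209.4:80 tcp SYN
"""
IDENTITIES = """\
16777217   cidr:216.58.204.132/32
           reserved:world-ipv4
16777218   cidr:2a00:1450:4002:403::2004/128
           reserved:world-ipv6
"""


def parse_identities(text: str) -> dict[str, set[str]]:
    """Parse `cilium identity list` output into {numeric id: set of labels}.

    A line starting with digits opens a new identity and carries its first
    label; indented continuation lines add further labels to it.
    """
    identities: dict[str, set[str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = re.match(r"^(\d+)\s+(\S+)$", line)
        if m:
            current = m.group(1)
            identities[current] = {m.group(2)}
        elif current is not None and line[0].isspace():
            identities[current].add(line.strip())
    return identities


@dataclass
class Finding:
    flow: str
    remote_id: str
    dst: str
    labels: set[str]


def find_world_denials(monitor_text: str, identities: dict[str, set[str]],
                       policy_allows_world: bool = True) -> list[Finding]:
    """Return egress denials whose remote identity carries a reserved:world-* label.

    `policy_allows_world` is an assumption representing the CiliumNetworkPolicy's
    `toEntities: [world]` rule; without it a denial to world is not an anomaly.
    """
    findings: list[Finding] = []
    if not policy_allows_world:
        return findings
    for line in monitor_text.splitlines():
        m = VERDICT_RE.search(line)
        if not m or m["dir"] != "egress" or m["action"] != "deny":
            continue
        # Symbolic remote IDs such as "world" are not in the numeric listing.
        labels = identities.get(m["remote"], set())
        if any(label.startswith("reserved:world") for label in labels):
            findings.append(Finding(m["flow"], m["remote"], m["dst"], labels))
    return findings


if __name__ == "__main__":
    ids = parse_identities(IDENTITIES)
    for f in find_world_denials(MONITOR_MAIN, ids):
        print(f"flow {f.flow}: denied to {f.dst} (identity {f.remote_id}, "
              f"labels {sorted(f.labels)}) although policy allows world")
    print("v1.14 output findings:", find_world_denials(MONITOR_V114, ids))
```

Run against the main-branch output the script reports flow 0xe0ba5513 towards 216.58.204.132, while the v1.14 output (remote ID `world`, action `allow`) produces no finding, matching the behaviour difference the report describes.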

Labels

  • affects/v1.15: This issue affects v1.15 branch
  • area/fqdn: Affects the FQDN policies feature
  • kind/bug: This is a bug in the Cilium logic.
  • kind/regression: This functionality worked fine before, but was broken in a newer release of Cilium.
  • sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
