static policy watcher ignores files with multiple YAML objects #37724

@radhupr

Description

Is there an existing issue for this?

  • I have searched the existing issues

Version

equal or higher than v1.17.1 and lower than v1.18.0

What happened?

We have a couple of Cilium cluster-wide network policies (for worker, coredns and konnectivity agent) which are added as static policies with the config below:

extraArgs:
  - --static-cnp-path=/policies
extraHostPathMounts:
  - name: static-policies
    mountPath: /policies
    hostPath: /data/k0s/cilium
    hostPathType: Directory

Recently we bumped the version from 1.16.6 to 1.17.1. In the dev cluster, which had policy enforcement mode 'never', this didn't give any errors or issues. But when upgrading other clusters which had policy enforcement mode 'always', the static policies failed to be taken into use.
We tried switching the enforcement mode on and off in version 1.17.1, but it didn't work. In the end, we had to add the static policies to the cluster and apply them manually to get it working.
Could you check what's breaking the static policy behaviour in the new version?

How can we reproduce the issue?

  1. Install Cilium 1.16.6 with policy enforcement mode 'always' and load some static Cilium cluster-wide network policies
  2. Upgrade Cilium to 1.17.x
  3. Notice that the static policies do not take effect

Cilium Version

1.17.1

Kernel Version

Red Hat Enterprise Linux release 8.10 (Ootpa) (4.18.0-553.16.1.el8_10.x86_64)

Kubernetes Version

v1.30.3

Regression

No response

Sysdump

No response

Relevant log output

Connections / policies defined in the static policies fail. E.g. a connection failing, from our cilium agent logs:

stream logs failed Get "https://10.25.216.7:10250/containerLogs/kube-system/cilium-smc9s/cilium-agent?follow=true&sinceSeconds=300&tailLines=100&timestamps

Anything else?

Other testing done:

  • Version bump from 1.16.6 -> 1.17.x with policy enforcement 'never', then adding enforcement after the upgrade: everything works fine

Cilium Users Document

  • Are you a user of Cilium? Please add yourself to the Users doc

Code of Conduct

  • I agree to follow this project's Code of Conduct

Metadata

Labels

  • affects/v1.17: This issue affects v1.17 branch
  • area/agent: Cilium agent related.
  • kind/bug: This is a bug in the Cilium logic.
  • kind/community-report: This was reported by a user in the Cilium community, eg via Slack.
  • kind/regression: This functionality worked fine before, but was broken in a newer release of Cilium.
  • sig/policy: Impacts whether traffic is allowed or denied based on user-defined policies.
