
Conversation

liyihuang
Contributor

@liyihuang liyihuang commented Aug 27, 2025

see the commit message

Fixes: #41407

Fix the bug where local redirect policy does not filter based on destination port

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 27, 2025
@liyihuang liyihuang added kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Aug 27, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot removed the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Aug 27, 2025
Fix the bug where proper port filtering based on the destination
is not applied.

Consider the following destination pod with the LRP policy:

  containers:
  - image: nginx:latest
    imagePullPolicy: Always
    name: nginx
    ports:
    - containerPort: 80
      name: http
      protocol: TCP
    - containerPort: 443
      name: https
      protocol: TCP
    - containerPort: 8080
      name: http-alt
      protocol: TCP
    - containerPort: 9090
      name: metrics
      protocol: TCP
    - containerPort: 3000
      name: app
      protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumLocalRedirectPolicy
metadata:
  annotations:
  name: lrp-addr
  namespace: default
spec:
  redirectBackend:
    localEndpointSelector:
      matchLabels:
        app: nginx-test
    toPorts:
    - port: "80"
      protocol: TCP
  redirectFrontend:
    addressMatcher:
      ip: 169.254.169.254
      toPorts:
      - port: "8080"
        protocol: TCP
  skipRedirectFromBackend: false

Without port filtering, all possible ports will be allowed, even if the
destination port is specifically configured as 80:

12   169.254.169.254:8080/TCP   LocalRedirect   1 => 10.244.1.86:80/TCP (active)
                                                2 => 10.244.1.86:443/TCP (active)
                                                3 => 10.244.1.86:3000/TCP (active)
                                                4 => 10.244.1.86:8080/TCP (active)
                                                5 => 10.244.1.86:9090/TCP (active)

With this patch, the correct port filtering is applied, and we get the
expected behavior:

14   169.254.169.254:8080/TCP   LocalRedirect   1 => 10.244.1.86:80/TCP (active)

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
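The commit message above describes the expected selection rule: of all the ports a backend pod declares, only those matching an entry in `redirectBackend.toPorts` should be programmed as LocalRedirect backends. The following Go program is an added illustration of that rule and is not Cilium's own code; it reproduces the unfiltered (pre-fix) listing and the filtered (fixed) listing for the nginx pod and `lrp-addr` policy quoted in the commit message, using the pod IP `10.244.1.86` from the service listing. The type names, the `parseToPort`, `unfilteredBackends` and `filteredBackends` functions and the `containerPorts` sample are all constructed for this example. It also covers the edge case raised later in this PR, a `toPorts` entry that the pod does not declare, by returning such entries separately so the mismatch can be reported rather than silently dropped.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// PortProto is a (port, protocol) pair such as 80/TCP. Both the pod's
// containerPorts and the CRD's toPorts are normalised into this form.
type PortProto struct {
	Port  uint16
	Proto string
}

// Backend is one LocalRedirect backend as shown by `cilium service list`.
type Backend struct {
	IP    string
	Port  uint16
	Proto string
}

func (b Backend) String() string {
	return fmt.Sprintf("%s:%d/%s", b.IP, b.Port, b.Proto)
}

// containerPorts is a constructed copy of the ports declared on the nginx
// pod quoted in the commit message.
var containerPorts = []PortProto{
	{80, "TCP"}, {443, "TCP"}, {8080, "TCP"}, {9090, "TCP"}, {3000, "TCP"},
}

// parseToPort converts a CiliumLocalRedirectPolicy toPorts entry, whose port
// is a string in the CRD ("80"), into a PortProto and rejects out-of-range values.
func parseToPort(port, proto string) (PortProto, error) {
	n, err := strconv.ParseUint(strings.TrimSpace(port), 10, 16)
	if err != nil {
		return PortProto{}, fmt.Errorf("invalid toPorts port %q: %w", port, err)
	}
	if n == 0 {
		return PortProto{}, fmt.Errorf("invalid toPorts port %q: must be 1-65535", port)
	}
	return PortProto{Port: uint16(n), Proto: strings.ToUpper(proto)}, nil
}

// unfilteredBackends reproduces the pre-fix behaviour: every port the pod
// declares becomes a backend, regardless of redirectBackend.toPorts.
func unfilteredBackends(podIP string, ports []PortProto) []Backend {
	out := make([]Backend, 0, len(ports))
	for _, p := range ports {
		out = append(out, Backend{IP: podIP, Port: p.Port, Proto: strings.ToUpper(p.Proto)})
	}
	// Sort by port so the listing is stable, as in the service list above.
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

// filteredBackends is the fixed behaviour: only pod ports that match an
// entry in redirectBackend.toPorts become backends. toPorts entries the pod
// does not declare are returned as missing so the caller can report them.
func filteredBackends(podIP string, ports, toPorts []PortProto) (backends []Backend, missing []PortProto) {
	declared := make(map[PortProto]bool, len(ports))
	for _, p := range ports {
		declared[PortProto{p.Port, strings.ToUpper(p.Proto)}] = true
	}
	for _, tp := range toPorts {
		key := PortProto{tp.Port, strings.ToUpper(tp.Proto)}
		if declared[key] {
			backends = append(backends, Backend{IP: podIP, Port: key.Port, Proto: key.Proto})
		} else {
			missing = append(missing, key)
		}
	}
	return backends, missing
}

func main() {
	const podIP = "10.244.1.86" // backend pod IP from the commit message's listing
	tp, err := parseToPort("80", "TCP")
	if err != nil {
		panic(err)
	}
	fmt.Println("without port filtering:")
	for i, b := range unfilteredBackends(podIP, containerPorts) {
		fmt.Printf("  %d => %s (active)\n", i+1, b)
	}
	fmt.Println("with port filtering:")
	got, missing := filteredBackends(podIP, containerPorts, []PortProto{tp})
	for i, b := range got {
		fmt.Printf("  %d => %s (active)\n", i+1, b)
	}
	for _, m := range missing {
		fmt.Printf("  warning: toPorts %d/%s is not declared by the pod\n", m.Port, m.Proto)
	}
}
```

Run as-is it prints the five-backend listing followed by the single `10.244.1.86:80/TCP` backend, matching the before and after output quoted above; pass a `toPorts` entry such as `8080/TCP` against a pod that only declares port 80 and the backend list is empty while `missing` carries the unmatched entry.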
@liyihuang liyihuang force-pushed the pr/liyi/lrp_port_filter branch from bb02044 to acf036c Compare August 27, 2025 21:10
@liyihuang
Contributor Author

/test

@liyihuang
Contributor Author

/test

@liyihuang liyihuang added the area/lrp Impacts Local Redirect Policy. label Aug 27, 2025
@liyihuang liyihuang mentioned this pull request Aug 29, 2025
3 tasks
Based on our doc, the ports specified in toPorts under redirectBackend
exist in the backend pod spec. I can see the unit test is using LRP to
forward to 8080, but the pod is listening on port 80.

I ran into this issue when implementing filtering of the backend based on the port.
That's how I found this issue.

Signed-off-by: Liyi Huang <liyi.huang@isovalent.com>
@liyihuang
Contributor Author

/test

@liyihuang liyihuang marked this pull request as ready for review August 31, 2025 17:55
@liyihuang liyihuang requested a review from a team as a code owner August 31, 2025 17:55
@liyihuang liyihuang requested a review from ysksuzuki August 31, 2025 17:55
@liyihuang liyihuang added the needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch label Sep 1, 2025
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Sep 2, 2025
@joamaki joamaki added this pull request to the merge queue Sep 2, 2025
Merged via the queue into cilium:main with commit ce1f551 Sep 2, 2025
72 checks passed
@viktor-kurchenko viktor-kurchenko mentioned this pull request Sep 2, 2025
18 tasks
@viktor-kurchenko viktor-kurchenko added backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. and removed needs-backport/1.18 This PR / issue needs backporting to the v1.18 branch labels Sep 2, 2025
@github-actions github-actions bot added backport-done/1.18 The backport for Cilium 1.18.x for this PR is done. and removed backport-pending/1.18 The backport for Cilium 1.18.x for this PR is in progress. labels Sep 9, 2025
Successfully merging this pull request may close these issues.

new LRP not filter port properly