Add deny policies #12716
Add deny policies #12716
Conversation
|
test-me-please |
|
test-me-please |
pkg/policy/repository.go
Outdated
| } | ||
| } | ||
| } else if len(ingressPolicy) > 0 { | ||
| verdict = ingressPolicy.IngressCoversContext(ctx) |
There was a problem hiding this comment.
Normal policy should still be considered if verdict after checking deny policies is not api.Denied, so this can not be in an else block.
pkg/policy/rule.go
Outdated
| found += cnt | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I wonder if SetDeny(true) needs to be called before this block as well?
pkg/policy/rule.go
Outdated
| found += cnt | ||
| } | ||
| } | ||
|
|
There was a problem hiding this comment.
I wonder if SetDeny(true) needs to be called before this block as well?
|
test-me-please |
|
Coverage increased (+0.04%) to 37.173% when pulling 94b466831133a88a11499dd369be30de3170fa28 on aanm:pr/denypolicies into bd89e83 on cilium:master. |
|
test-me-please |
There was a problem hiding this comment.
LGTM overall. My only concern is around handling of AlwaysAllowLocalhost when deny policy rules are loaded, in particular with L4-only deny rules (see comment below). I think all other comments can be addressed as follow ups.
Since L7 rules are not supported in deny rules, should we reject them during validation?
That last commit is really hard to review. Couldn't it be broken up in several commits?
|
@pchaigno thanks for the review
How? I mean, there isn't any L7 field in deny rules, so how could even be validated (or where)?
Unfortunately it couldn't, the unit tests would have been broken if that would be the case. |
288cfb7 to
65e3463
Compare
|
test-me-please |
|
test-focus K8sPolicyTest* |
|
test-focus K8sPolicyTest* |
There was a problem hiding this comment.
I did another brief pass particularly looking at the docs, I think there's some improvements we can make before release but I'm OK to push those out to a subsequent PR.
Given the level of review we've done between Jarno, you and I across the core logic + eyes on the overall k8s API behaviour from a broader set of folks, I think we have nailed down the desired behaviour. Furthermore we've caught a bunch of issues and added testing for several areas that were previously ambiguous so I'm getting towards diminishing returns on spending more time staring at the code in this PR. Given the beta tag I think we're safe to get this in, and push it out for broader exposure, testing, and iteration on top of this base.
Are there any remaining areas you feel could do with more eyes/attention?
Documentation/policy/language.rst
Outdated
| The current known limitation is a deny policy with ``toEntities`` "world" for | ||
| which a ``toFQDNs`` can bypass it. |
There was a problem hiding this comment.
Maybe we should file an issue for this and reference it here so if users are concerned about it, they can 👍 and/or investigate?
| Flags uint8 `align:"deny"` | ||
| Pad0 uint8 `align:"pad0"` |
There was a problem hiding this comment.
My comment was not about the naming, it was about the content of the values we populate. I think if we declare the PolicyEntry in Go, it will auto-zero the fields like Pad0 so we should be good.
This will allow to reuse functions. Signed-off-by: André Martins <andre@cilium.io>
This function can be refactored out of the pkg/endpoint. With this change it is also possible to unit test this function. Signed-off-by: André Martins <andre@cilium.io>
Create function to de-duplicate code and have the ability to re-use code. Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
With these changes users will have the ability to dump deny policy maps using 'cilium bpf policy map'. Signed-off-by: André Martins <andre@cilium.io>
This change adds the deny policy enforcement in the datapath. When checking the entry of the policy map, we will check the dedicated bit for policy denies. If that bit is set, which we will consider unlikely to avoid performance penalties for the allow case, the traffic will be dropped. Signed-off-by: André Martins <andre@cilium.io>
These changes only add the fields into the API for both Cilium and Kubernetes interactions. Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
Since not all functionalities will be available in the IngressDeny and EgressDeny fields of Rule, it was necessary to create a new structure, IngressDeny and EgressDeny. These 2 structures share common fields with the Ingress and Egress except the implementation of L7 Policies, which is part of the PortRule but not of the PortDenyRules. This requirement requires the introduction of some interfaces to avoid code duplication in the policy calculation. Signed-off-by: André Martins <andre@cilium.io>
These changes introduce automatic capability of performing unit tests by adding an algorithm used to derive map states and test cases. This commit keeps the same behavior used in the manually unit tests to check if the new algorithm used to derive map states breaks the old expectations. In follow up changes the manual tests will be removed. Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
Signed-off-by: André Martins <andre@cilium.io>
Add documentation and examples for policy denies. Signed-off-by: André Martins <andre@cilium.io>
|
test-me-please |
Deny rules will be configured with
ingressDenyandegressDeny.Policy example:
Since in the datapath the denies take priority over the allow rules, this rule will drop all packets from any pod running with the label
k8s-app.guestbook=redisin the default namespace that tries to reach any pod running with the labelk8s-app.guestbook=web.The
ingressDenydiffers from theingressas the L7 rules are not available in the L4 section. For example:ingress:vs
ingressDeny:And in
egressDenyvsegressthetoFQDNsare not available as well as, similar to theingressDeny, the L7 Rules.egress:egressDeny:TODO:
This was done in the last commit if we don't like it we can always revert it.
Fixes #7111