Skip to content

policy: Fix Deny Precedence Bug #22966

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 13, 2023
Merged

policy: Fix Deny Precedence Bug #22966

merged 1 commit into from
Feb 13, 2023

Conversation

nathanjsweet
Copy link
Member

When the policy map state is created CIDRs
are now checked against one another to ensure
that deny-rules that supersede allow-rules
when they should.

Fixes: #15198

policy: Promote Deny Policies from Beta to Stable

@nathanjsweet nathanjsweet added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jan 6, 2023
@nathanjsweet nathanjsweet requested review from a team as code owners January 6, 2023 22:29
@nathanjsweet nathanjsweet requested a review from aditighag January 6, 2023 22:29
@nathanjsweet nathanjsweet marked this pull request as draft January 6, 2023 22:29
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch from 30664b1 to 37456cf Compare January 6, 2023 22:33
@nathanjsweet
Copy link
Member Author

/test

@christarazi christarazi added kind/bug This is a bug in the Cilium logic. kind/enhancement This would improve or streamline existing functionality. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. area/agent Cilium agent related. release-blocker/1.13 and removed release-note/bug This PR fixes an issue in a previous release of Cilium. labels Jan 11, 2023
jrajahalme
jrajahalme reviewed Jan 12, 2023
View reviewed changes
jrajahalme
jrajahalme reviewed Jan 12, 2023
View reviewed changes
jrajahalme
jrajahalme reviewed Jan 12, 2023
View reviewed changes
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch from 37456cf to 7b9f02f Compare January 13, 2023 23:30
joestringer
joestringer requested changes Jan 14, 2023
View reviewed changes
Copy link
Member

@joestringer joestringer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that this broad approach should work. There's one main concern I have with the logic to pull the CIDR from the identity labels below. A lot of the comments are a scattering of random typo fixes and proposed comment updates just to try to help the readability in this area of the code. Some of the comments date from the previous iteration of the change, as I didn't realize you were updating the PR concurrently.

We'll also want to delete the limitation from the docs as part of this PR after the following PR is merged: #23095

@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch 2 times, most recently from 1925ed6 to cecfad7 Compare January 14, 2023 23:15
@maintainer-s-little-helper
Copy link

Commit 8ea87df does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-sign-off The author needs to add signoff to their commits before merge. label Jan 18, 2023
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch from 8ea87df to 9cf5315 Compare January 20, 2023 06:26
@maintainer-s-little-helper
Copy link

Commit 9cf5315f7e38d5c36a4f60f34958840e11a283e2 does not contain "Signed-off-by".

Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin

@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch from 9cf5315 to e3b2b58 Compare January 20, 2023 19:16
@nathanjsweet
Copy link
Member Author

/test

@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch 2 times, most recently from 899a9c6 to 336e5ce Compare February 6, 2023 08:46
@nathanjsweet
Copy link
Member Author

/test

@christarazi
Copy link
Member

CI is looking good 🎉

@nathanjsweet nathanjsweet mentioned this pull request Feb 12, 2023
Merged
@nathanjsweet nathanjsweet added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Feb 12, 2023
jrajahalme
jrajahalme approved these changes Feb 13, 2023
View reviewed changes
Copy link
Member

@jrajahalme jrajahalme left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The way in which the internal loops in denyPreferredInsertWithChanges() are flipped, while simplifying the logic, make it super hard to track what changed and what did not change. It would have been beneficial to have a refactoring commit flipping the looping without any functional changes first, then have the functional changes in a separate commit.

@nbusseneau
Copy link
Member

@nathanjsweet Do you wish to address the comment nits from Jarno before we merge? I see that CI is green, so if you only do a comment edit I will be OK to merge as-is without re-running the CI.

@nathanjsweet
policy: Fix Deny Precedence Bug
c0c815e 
- Add Tests for Deny Precedence Bug:

  Currently, when a broad "Deny" policy is paired with
  a specific "Unmanaged CIDR" policy, then the "Unmanaged
  CIDR" policy will still be inserted into the policy map
  for an endpoint. This results in "Deny" policies not
  always taking precedence over "Allow" policies. This
  test confirms the bugs existence.

- Fix Deny Precedence Bug:

  When the policy map state is created CIDRs
  are now checked against one another to ensure
  that deny-rules that supersede allow-rules
  when they should.

  `DenyPreferredInsert` has been refactored to
  use utility methods that make the complex boolean
  logic of policy precedence more atomic.

  Add `NetsContainsAny` method to `pkg/ip` to
  compare cases where one set of networks conatins
  or is equal to any network in another set.

- endpoint: Add policy.Identity Implementation

  A `policy.Identity` implementation is necessary
  for the incremental update to the endpoint's policy
  map that can occur with L7 changes. Valid deny-policy
  entries may prohibit these L7 changes based on CIDR
  rules, which are only obtainable by looking up all potentially
  conflicting policies' labels. Thus `l4.ToMapState` needs
  access to the identity allocater to lookup "random"
  identity labels.

Signed-off-by: Nate Sweet <nathanjsweet@pm.me>
@nathanjsweet nathanjsweet force-pushed the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch from 336e5ce to c0c815e Compare February 13, 2023 15:51
@nbusseneau nbusseneau merged commit c9f0def into master Feb 13, 2023
@nbusseneau nbusseneau deleted the pr/nathanjsweet/ensure-that-cidr-denies-override-allows branch February 13, 2023 15:52
@nathanjsweet nathanjsweet added release-note/major This PR introduces major new functionality to Cilium. and removed release-note/minor This PR changes functionality that users may find relevant to operating Cilium. labels Feb 22, 2023
@nathanjsweet nathanjsweet mentioned this pull request Feb 22, 2023
Merged
christarazi
christarazi reviewed Mar 10, 2023
View reviewed changes
@christarazi
Copy link
Member

FYI, #24322 was merged which was introduced by this PR.

@nathanjsweet nathanjsweet added backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. backport-pending/1.11 labels May 18, 2023
@nathanjsweet nathanjsweet added backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. and removed backport-pending/1.12 labels Jun 13, 2023
pippolo84 added a commit to pippolo84/cilium that referenced this pull request Jan 26, 2024
@pippolo84
policy: Wraps SelectorCache to reduce lock contention
0f48335 
In L4Filter.ToMapState a reference to the SelectorCache is passed down
to denyPreferredInsertWithChanges, in order to get the most specific
CIDR for a given identity with GetNetsLocked. GetNetsLocked requires the
SelectorCache to be read-locked.

denyPreferredInsertWithChanges is also called from
EndpointPolicy.ConsumeMapChanges, where the SelectorCache must already
be locked to avoid concurrent identity updates.

Instead, in the L4Filter.ToMapState, it is possible to lock the
SelectorCache just before its usage in GetNetsLocked. Narrowing the
critical section reduces the contention on the lock, hopefully improving
concurrency.

A SelectorCacheWrapper wraps a reference to a SelectorCache and
overloads the GetNetsLocked in order to lock the cache for the execution
of the method. The new type satisfies the policy.Identities interface
and can be used interchangeably with the wrapped SelectorCache.

This allows to remove the locking of the SelectorCache for the entire
duration of selectorPolicy.DistillPolicy and
L4DirectionPolicy.updateRedirects.

Related: cilium#24322
Related: cilium#22966

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 mentioned this pull request Jan 26, 2024
Closed
@jrajahalme jrajahalme mentioned this pull request Jun 28, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christarazi christarazi christarazi left review comments

@jrajahalme jrajahalme jrajahalme approved these changes

@qmonnet qmonnet qmonnet approved these changes

@aditighag aditighag Awaiting requested review from aditighag aditighag was automatically assigned from cilium/sig-policy

@joestringer joestringer Awaiting requested review from joestringer

+1 more reviewer

@schlosna schlosna schlosna left review comments

Reviewers whose approvals may not affect merge requirements
Assignees

@nathanjsweet nathanjsweet

Labels
area/agent Cilium agent related. backport-done/1.11 The backport for Cilium 1.11.x for this PR is done. backport-done/1.12 The backport for Cilium 1.12.x for this PR is done. backport-done/1.13 The backport for Cilium 1.13.x for this PR is done. kind/bug This is a bug in the Cilium logic. kind/enhancement This would improve or streamline existing functionality. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/major This PR introduces major new functionality to Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

ClusterWideNetworkPolicy deny to CIDR not enforced
7 participants
@nathanjsweet @christarazi @nbusseneau @schlosna @joestringer @jrajahalme @qmonnet