Skip to content

envoy: Update to pick up deny policy support #28862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 9, 2023
Merged

envoy: Update to pick up deny policy support #28862

merged 1 commit into from
Nov 9, 2023

Conversation

jrajahalme
Copy link
Member

@jrajahalme jrajahalme commented Oct 30, 2023
edited
Loading

Update Envoy build to pick up support for deny policies.

Ingress policy enforcement for Cilium Ingress was recently added (#28126, #28462), but deny policies were not enforced in Envoy yet. This PR updates cilium-envoy to a version that enforces also deny policies. The only functional change in Cilium agent itself is the setting of the new Deny flag for PortNetworkPolicyRules in pkg/xds_server.go.

The updated cilium-envoy version also adds support for overlapping port ranges and hence also for overlapping port numbers, fixing #27816.

Fixes: #27816
Fixes: #28126

@jrajahalme jrajahalme requested review from a team as code owners October 30, 2023 06:26
@maintainer-s-little-helper maintainer-s-little-helper bot added the dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. label Oct 30, 2023
@jrajahalme jrajahalme requested a review from sayboras October 30, 2023 06:26
@jrajahalme jrajahalme marked this pull request as draft October 30, 2023 06:26
@jrajahalme
Copy link
Member Author

Keeping as draft until cilium/proxy dependency gets merged.

@jrajahalme jrajahalme requested review from sayboras and removed request for sayboras October 30, 2023 06:27
@jrajahalme
Copy link
Member Author

/test

@jrajahalme jrajahalme added area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. release-note/misc This PR makes changes that have no direct user impact. area/servicemesh GH issues or PRs regarding servicemesh labels Oct 30, 2023
@maintainer-s-little-helper maintainer-s-little-helper bot removed dont-merge/needs-release-note-label The author needs to describe the release impact of these changes. labels Oct 30, 2023
@jrajahalme jrajahalme force-pushed the envoy-duplicate-port-number-fix branch from eb9f7cc to 321a225 Compare October 31, 2023 15:10
@jrajahalme jrajahalme marked this pull request as ready for review October 31, 2023 15:10
@jrajahalme
Copy link
Member Author

cilium/proxy deny policy support merged, updated & opening for reviews.

@jrajahalme
Copy link
Member Author

/test

tklauser
tklauser approved these changes Oct 31, 2023
View reviewed changes
Copy link
Member

@tklauser tklauser left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changes look straightforward. Do we have a connectivity test covering this?

@jrajahalme
Copy link
Member Author

Changes look straightforward. Do we have a connectivity test covering this?

Not yet. Hopefully soon.

@christarazi christarazi added the sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. label Nov 1, 2023
sayboras
sayboras approved these changes Nov 1, 2023
View reviewed changes
Copy link
Member

@sayboras sayboras left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM ✅

pippolo84
pippolo84 approved these changes Nov 2, 2023
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💯

@jrajahalme jrajahalme force-pushed the envoy-duplicate-port-number-fix branch from 321a225 to 08b10d0 Compare November 7, 2023 09:54
@jrajahalme
Copy link
Member Author

Rebased to figure out if the privileged runtime test fail is related to this PR or not.

@jrajahalme
Copy link
Member Author

/test

@jrajahalme
envoy: Update to pick up deny policy support
1a7b295 
Ingress policy enforcement for Cilium Ingress was recently added (cilium#28126).
Update cilium-envoy to a version that enforces also deny policies. The
only functional change in Cilium agent itself is the setting of the new
Deny flag for PortNetworkPolicyRules in pkg/xds_server.go.

The updated cilium-envoy version also adds support for overlapping port
ranges and hence also for overlapping port numbers, as in when using a
named port that resolves to the same port number used as a number
elsewhere in the policy.

Fixes: cilium#27816
Fixes: cilium#28126

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the envoy-duplicate-port-number-fix branch from 08b10d0 to 1a7b295 Compare November 9, 2023 01:57
@jrajahalme
Copy link
Member Author

rebased for CI fixes

@jrajahalme
Copy link
Member Author

/test

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 9, 2023
@jrajahalme jrajahalme merged commit f99f128 into cilium:main Nov 9, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tklauser tklauser tklauser approved these changes

@pippolo84 pippolo84 pippolo84 approved these changes

@christarazi christarazi christarazi approved these changes

@sayboras sayboras sayboras approved these changes

Assignees
No one assigned
Labels
area/proxy Impacts proxy components, including DNS, Kafka, Envoy and/or XDS servers. area/servicemesh GH issues or PRs regarding servicemesh ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Unable to create pods when CNP has both port and port name
5 participants
@jrajahalme @tklauser @pippolo84 @christarazi @sayboras