Skip to content

policy: Do not select any identity with empty slices #29608

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Dec 21, 2023
Merged

policy: Do not select any identity with empty slices #29608

merged 4 commits into from
Dec 21, 2023

Conversation

pippolo84
Copy link
Member

@pippolo84 pippolo84 commented Dec 4, 2023
edited
Loading

This PR aims to redefine the semantic of a non-nil empty slice in CNP/CCNP. Specifically, In case of egress/ingress policies with an explicit (non-nil) empty slice in one of:

  • toEndpoints/fromEndpoints
  • toCIDR/fromCIDR
  • toCIDRSet/fromCIDRSet
  • toEntities/fromEntities

no identities should be selected, thus falling back to default deny for an allow policy.

An example of the different behavior introduced with this PR can be seen with the following two L4 ingress policies:

apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  ...
spec:
  endpointSelector:
    ...
  ingress:
    - fromCIDR: []
      toPorts:
        - ports:
            - port: "80"
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  ...
spec:
  endpointSelector:
    ...
  ingress:
    - toPorts:
        - ports:
            - port: "80"

The first one, with an explicit empty fromCIDR slice, does not select any identity (thus resulting in default deny) while the second one keeps the current behavior and allow traffic to port 80 for all identities.

This behavior also fixes a bug in policies referencing a CiliumCIDRGroup in the fromCIDRSet/cidrGroupRef field. If the referenced CIDR Group is empty or non-existent, the policy is equivalent to the first one, and therefore it won't select any identities.

@pippolo84 pippolo84 added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. dont-merge/preview-only Only for preview or testing, don't merge it. area/agent Cilium agent related. labels Dec 4, 2023
@pippolo84 pippolo84 changed the title policy: Do not select any identity with non-nil empty slices policy: Do not select any identity with empty slices in L4 policies Dec 4, 2023
@pippolo84 pippolo84 force-pushed the pr/pippolo84/no-identities-empty-slices branch from 7bc0a93 to ab776e6 Compare December 4, 2023 15:03
@aanm aanm added the dont-merge/blocked Another PR must be merged before this one. label Dec 4, 2023
@pippolo84
Copy link
Member Author

/test

@pippolo84 pippolo84 force-pushed the pr/pippolo84/no-identities-empty-slices branch from ab776e6 to cbe8190 Compare December 4, 2023 16:15
@pippolo84
Copy link
Member Author

/test

@aanm aanm added dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs and removed dont-merge/blocked Another PR must be merged before this one. labels Dec 4, 2023
@pippolo84 pippolo84 force-pushed the pr/pippolo84/no-identities-empty-slices branch from cbe8190 to c606bc5 Compare December 5, 2023 17:58
@pippolo84
Copy link
Member Author

/test

@pippolo84 pippolo84 changed the title policy: Do not select any identity with empty slices in L4 policies policy: Do not select any identity with empty slices Dec 5, 2023
@pippolo84 pippolo84 added the kind/bug This is a bug in the Cilium logic. label Dec 6, 2023
@pippolo84 pippolo84 marked this pull request as ready for review December 6, 2023 12:33
@pippolo84 pippolo84 requested review from a team as code owners December 6, 2023 12:33
nathanjsweet
nathanjsweet approved these changes Dec 11, 2023
View reviewed changes
Copy link
Member

@nathanjsweet nathanjsweet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes sense. Thanks!

qmonnet
qmonnet approved these changes Dec 12, 2023
View reviewed changes
Copy link
Member

@qmonnet qmonnet left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thank you

@joestringer joestringer removed the dont-merge/wait-until-release Freeze window for current release is blocking non-bugfix PRs label Dec 15, 2023
@pippolo84 pippolo84 removed the dont-merge/preview-only Only for preview or testing, don't merge it. label Dec 18, 2023
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84
policy: Do not select any identity with ingress empty slices
6b2cf90 
In case of L4 ingress policies with an explicit (non-nil) empty slice in
either:

- fromEndpoints
- fromCIDR
- fromCIDRSet
- fromEntities

no identities should be selected, thus falling back to default deny for
an allow policy.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy: Do not select any identity with egress empty slices
1dab940 
In case of L4 egress policies with an explicit (non-nil) empty slice in
one of:

- toEndpoints
- toCIDR
- toCIDRSet
- toEntities

no identities should be selected, thus falling back to default deny for
an allow policy.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy: Add unit test for empty ToEndpoints egress CNP
0318e61 
Add a unit test to check that a non-nil empty ToEndpoints slice in an
egress CiliumNetworkPolicy does not select any identity.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
docs: Add upgrade note for CNP empty slices new semantic
015b71b 
Following the changes in previous commits, where the semantic of an
empty non-nil slice in CNPs has been changed, an upgrade note is added
to the upgrade guide.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/no-identities-empty-slices branch from aafebcb to 015b71b Compare December 20, 2023 16:08
@pippolo84
Copy link
Member Author

/test

@pippolo84 pippolo84 mentioned this pull request Dec 20, 2023
Closed
@pippolo84
Copy link
Member Author

ci-runtime failure tracked in #28415 (comment), rerunning

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Dec 20, 2023
@julianwiedmann
Copy link
Member

👋 if this is a bug fix, do we need backports?

@julianwiedmann julianwiedmann added this pull request to the merge queue Dec 21, 2023
Merged via the queue into cilium:main with commit 5f77d50 Dec 21, 2023
@gandro gandro added the upgrade-impact This PR has potential upgrade or downgrade impact. label Jun 26, 2024
@f1ko f1ko mentioned this pull request Jun 27, 2024
Closed
3 tasks
christarazi added a commit to christarazi/cilium that referenced this pull request Jun 27, 2024
@christarazi
policy/api: Fix bug that skips other selectors if ToEndpoints is empty
32a5910 
As reported in ciliumGH-33432, do not skip other selectors in the case
ToEndpoints is empty. For example, if the user defined a ToCIDR with an
empty ToEndpoints, then
getDestinationEndpointSelectorsWithRequirements() /
GetSourceEndpointSelectorsWithRequirements() returns nil, causing the
ToCIDRs section to be skipped. Instead, return the aggregated selectors,
which aggregates selectors such as ToCIDRs, prior to the call to the
aforementioned functions inside SetAggregatedSelectors().

Fixes: e97df7b ("policy: Do not select any identity with ingress empty slices")
Fixes: 6ccd044 ("policy: Do not select any identity with egress empty slices")
Fixes: cilium#29608

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi mentioned this pull request Jun 27, 2024
Closed
christarazi added a commit to christarazi/cilium that referenced this pull request Jun 28, 2024
@christarazi
policy/api: Fix bug that skips other selectors if ToEndpoints is empty
69c22b0 
As reported in ciliumGH-33432, do not skip other selectors in the case
ToEndpoints is empty. For example, if the user defined a ToCIDR with an
empty ToEndpoints, then
getDestinationEndpointSelectorsWithRequirements() /
GetSourceEndpointSelectorsWithRequirements() returns nil, causing the
ToCIDRs section to be skipped. Instead, return the aggregated selectors,
which aggregates selectors such as ToCIDRs, prior to the call to the
aforementioned functions inside SetAggregatedSelectors().

Fixes: e97df7b ("policy: Do not select any identity with ingress empty slices")
Fixes: 6ccd044 ("policy: Do not select any identity with egress empty slices")
Fixes: cilium#29608

Signed-off-by: Chris Tarazi <chris@isovalent.com>
christarazi added a commit to christarazi/cilium that referenced this pull request Jun 28, 2024
@christarazi
policy/api: Fix bug that skips other selectors if ToEndpoints is empty
68e810d 
As reported in ciliumGH-33432, do not skip other selectors in the case
ToEndpoints is empty. For example, if the user defined a ToCIDR with an
empty ToEndpoints, then
getDestinationEndpointSelectorsWithRequirements() /
GetSourceEndpointSelectorsWithRequirements() returns nil, causing the
ToCIDRs section to be skipped. Instead, return the aggregated selectors,
which aggregates selectors such as ToCIDRs, prior to the call to the
aforementioned functions inside SetAggregatedSelectors().

Fixes: e97df7b ("policy: Do not select any identity with ingress empty slices")
Fixes: 6ccd044 ("policy: Do not select any identity with egress empty slices")
Fixes: cilium#29608

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@pippolo84 pippolo84 mentioned this pull request Jul 1, 2024
Merged
@pippolo84 pippolo84 mentioned this pull request Jul 25, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nathanjsweet nathanjsweet nathanjsweet approved these changes

@qmonnet qmonnet qmonnet approved these changes

Assignees
No one assigned
Labels
area/agent Cilium agent related. kind/bug This is a bug in the Cilium logic. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. upgrade-impact This PR has potential upgrade or downgrade impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@pippolo84 @julianwiedmann @nathanjsweet @qmonnet @gandro @joestringer @aanm