Skip to content

policy/api: add more CRD validations #32814

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 10, 2024
Merged

policy/api: add more CRD validations #32814

merged 1 commit into from
Jun 10, 2024

Conversation

squeed
Copy link
Contributor

@squeed squeed commented May 31, 2024
edited
Loading

Copying some logic from Sanitize() in to CRD validations:

  • use the OpenAPI cidr format directly, remove baroque regex
  • add OneOf for FQDN selector pattern vs. name
  • add pre-existing MaxItems for port & ICMP rules
  • add OneOf for L7 filter types

None of these add any new restrictions; they were always in the policy engine. Now these validation errors will be caught by the apiserver.

More validation has been added to the CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy CRDs. Policies that may have been ignored by the Cilium agent will now be rejected by the Kubernetes API server.

@squeed squeed added kind/cleanup This includes no functional changes. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. release-note/misc This PR makes changes that have no direct user impact. labels May 31, 2024
@squeed squeed requested review from a team as code owners May 31, 2024 10:10
@squeed squeed requested review from learnitall and tommyp1ckles May 31, 2024 10:10
@squeed
Copy link
Contributor Author

squeed commented May 31, 2024

/test

learnitall
learnitall approved these changes May 31, 2024
View reviewed changes
Copy link
Contributor

@learnitall learnitall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Do you think it would make sense to add something to the upgrade notes? I'm assuming this wouldn't impact existing policies after an upgrade, but if folks are using a GitOps setup and reapplying resources related to these CRDs, they may run into new validation errors that weren't caught before, right?

@squeed
Copy link
Contributor Author

squeed commented Jun 3, 2024

Do you think it would make sense to add something to the upgrade notes?

@learnitall not a bad idea, I'll update the release notes. Any policies caught by this would have been silently rejected before, which is arguably worse :-).

@squeed squeed added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. and removed release-note/misc This PR makes changes that have no direct user impact. labels Jun 3, 2024
@squeed squeed removed the request for review from tommyp1ckles June 10, 2024 12:13
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 10, 2024
@squeed squeed added the dont-merge/needs-cleanup This PR requires additional development work before merging. label Jun 10, 2024
@squeed
Copy link
Contributor Author

squeed commented Jun 10, 2024

Holding until I add the release notes.

@squeed
policy/api: add more CRD validations
d543969 
Copying some logic from `Sanitize()` in to CRD validations:
- use the OpenAPI `cidr` format directly, remove baroque regex
- add OneOf for FQDN selector pattern vs. name
- add pre-existing MaxItems for port & ICMP rules
- add OneOf for L7 filter types

None of these add any new restrictions; they were always in the policy
engine. Now these validation errors will be caught by the apiserver.

Signed-off-by: Casey Callendrello <cdc@isovalent.com>
@squeed squeed force-pushed the more-policy-validations branch from 7a350f3 to d543969 Compare June 10, 2024 12:56
@squeed squeed requested a review from a team as a code owner June 10, 2024 12:56
@squeed squeed requested a review from qmonnet June 10, 2024 12:56
@squeed squeed removed the dont-merge/needs-cleanup This PR requires additional development work before merging. label Jun 10, 2024
@squeed
Copy link
Contributor Author

squeed commented Jun 10, 2024

/test

@squeed squeed removed the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 10, 2024
@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Jun 10, 2024
@squeed squeed added this pull request to the merge queue Jun 10, 2024
Merged via the queue into cilium:main with commit 17882e9 Jun 10, 2024
@squeed squeed deleted the more-policy-validations branch June 10, 2024 15:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gandro gandro gandro approved these changes

@qmonnet qmonnet qmonnet approved these changes

+1 more reviewer

@learnitall learnitall learnitall approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
kind/cleanup This includes no functional changes. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@squeed @gandro @learnitall @qmonnet