Skip to content

Fix bug that skips other selectors if ToEndpoints is empty #33439

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

Fix bug that skips other selectors if ToEndpoints is empty #33439

wants to merge 2 commits into from

Conversation

christarazi
Copy link
Member

@christarazi christarazi commented Jun 27, 2024
edited
Loading

  • policy: Add test for non-empty ToCIDR and empty ToEndpoints
  • policy/api: Fix bug that skips other selectors if ToEndpoints is empty

Second commit for convenience:

policy/api: Fix bug that skips other selectors if ToEndpoints is empty

As reported in GH-33432, do not skip other selectors in the case
ToEndpoints is empty. For example, if the user defined a ToCIDR with an
empty ToEndpoints, then
getDestinationEndpointSelectorsWithRequirements() /
GetSourceEndpointSelectorsWithRequirements() returns nil, causing the
ToCIDRs section to be skipped. Instead, return the aggregated selectors,
which aggregates selectors such as ToCIDRs, prior to the call to the
aforementioned functions inside SetAggregatedSelectors().

Fixes: e97df7badd ("policy: Do not select any identity with ingress empty slices")
Fixes: 6ccd044b05 ("policy: Do not select any identity with egress empty slices")
Fixes: https://github.com/cilium/cilium/pull/29608

Fixes: #29608

cc @pippolo84

@christarazi christarazi added kind/bug This is a bug in the Cilium logic. area/daemon Impacts operation of the Cilium daemon. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Jun 27, 2024
@christarazi christarazi changed the title pr/christarazi/fix 33432 Fix bug that skips other selectors if ToEndpoints is empty Jun 27, 2024
@christarazi
Copy link
Member Author

/test

pippolo84
pippolo84 reviewed Jun 28, 2024
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fix LGTM, thanks! 💯

Left a suggestion to adapt the test after #33439 made L4PolicyMap an interface.

@christarazi christarazi marked this pull request as ready for review June 28, 2024 22:30
@christarazi christarazi requested review from a team as code owners June 28, 2024 22:30
@christarazi christarazi requested a review from nathanjsweet June 28, 2024 22:30
@christarazi christarazi force-pushed the pr/christarazi/fix-33432 branch from 32a5910 to 69c22b0 Compare June 28, 2024 22:43
@christarazi
policy: Add test for non-empty ToCIDR and empty ToEndpoints
e8f1bd6 
As reported in cilium#33432, when the
user applies a new policy with ToCIDR set and ToEndpoints explicitly
empty, the ToCIDR section is ignored by the policy.

Add a test to show that this is incorrect. The subsequent commit
will fix the behavior.

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi
policy/api: Fix bug that skips other selectors if ToEndpoints is empty
68e810d 
As reported in ciliumGH-33432, do not skip other selectors in the case
ToEndpoints is empty. For example, if the user defined a ToCIDR with an
empty ToEndpoints, then
getDestinationEndpointSelectorsWithRequirements() /
GetSourceEndpointSelectorsWithRequirements() returns nil, causing the
ToCIDRs section to be skipped. Instead, return the aggregated selectors,
which aggregates selectors such as ToCIDRs, prior to the call to the
aforementioned functions inside SetAggregatedSelectors().

Fixes: e97df7b ("policy: Do not select any identity with ingress empty slices")
Fixes: 6ccd044 ("policy: Do not select any identity with egress empty slices")
Fixes: cilium#29608

Signed-off-by: Chris Tarazi <chris@isovalent.com>
@christarazi christarazi force-pushed the pr/christarazi/fix-33432 branch from beef887 to 68e810d Compare June 28, 2024 22:44
@christarazi
Copy link
Member Author

/test

@gandro gandro added the needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch label Jul 1, 2024
@pippolo84
Copy link
Member

I investigated in more detail the issue and I believe this is not what we want.

This fix successfully equates the two cases:

  1. apply of the policy:
apiVersion: "cilium.io/v2"
kind: CiliumNetworkPolicy
metadata:
  name: test
spec:
  endpointSelector:
    matchLabels:
      run: tmp-shell
  egress:
  - toCIDR:
    - 1.1.1.1/32
    toEndpoints: [] # <-- this
    toPorts:
      - ports:
          - port: "80"
  1. apply of the policy with a nil toEndpoints selector, then update it with an empty non-nil toEndpoints selector, ending up with the same policy as in case 1

But it does that in a way that reverts what #29608 fixed. The failed tests reflects this (as an example, see TestMergeDenyAllL3 - case 1B, that was introduced in #29608).

In other words, as suggested in the issue, the correct behavior should be that the two scenarios above ("direct" apply of the final version of the policy and apply+update) both lead to the policy denying connections to 1.1.1.1.
Quoting from the issue:

Expected

The behaviour should be consistent regardless of the order of operation on a policy.
Following result is what a user should experience at all times for above policy with toEndpoints: [] in 1.16:

$ curl -m 1 1.1.1.1
curl: (28) Connection timed out after 1002 milliseconds

$ curl -m 1 1.1.1.2
curl: (28) Connection timed out after 1001 milliseconds

This is not happening with the proposed fix, that allows the curl 1.1.1.1 in both case 1) and 2).

To get the expected behavior I think the solution should be this one, where we change the logic to compare EgressCommonRule and IngressCommonRule instances, taking into account the different semantic of nil and empty slices and propagating the update in the scenario above as expected.

@christarazi christarazi mentioned this pull request Jul 8, 2024
Merged
@christarazi
Copy link
Member Author

Closing in favor of #33506

@christarazi christarazi closed this Jul 8, 2024
@christarazi christarazi deleted the pr/christarazi/fix-33432 branch July 8, 2024 19:46
@joestringer joestringer removed the needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch label Jul 15, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pippolo84 pippolo84 pippolo84 left review comments

@nathanjsweet nathanjsweet nathanjsweet approved these changes

Assignees
No one assigned
Labels
area/daemon Impacts operation of the Cilium daemon. kind/bug This is a bug in the Cilium logic. release-note/bug This PR fixes an issue in a previous release of Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@christarazi @pippolo84 @nathanjsweet @gandro @joestringer