policy: use MatchExpressions to implement CIDR Except rules #35139
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
/test |
doniacld
approved these changes
Oct 2, 2024
|
This really needs an e2e test, for which #35314 is first necessary. |
153bba8 to
e1410cb
Compare
|
e2e test added; this is ready for review. |
|
/test |
christarazi
approved these changes
Oct 11, 2024
|
Whoops, failing a unit test. Hold please. |
e1410cb to
0a72272
Compare
|
/test |
This change stops the manual "splitting" of Except cidrs within
ToCIDRSet rules. Rather, it uses the DoesNotExist label selector on any
excepted CIDRs.
Previously, any entries within the Except block would
cause the selected CIDR to be "split" on bit boundaries. This example
policy would cause *8* match entries to be created, rather than 1:
toCIDRSet:
- cidr: 10.0.0.0/8
except:
- 10.0.0.0/16
Starting from 3887fcc, CIDR identities are no longer special within
the policymap. This means that CIDR selectors have the exactly expected
effect, and we no longer synthesize smaller entries in the event of a
covering policy rule.
Now that CIDR selectors work exactly as expected, we can exploit this
fact, along with the LPM nature of the ipcache, to implement Except
without splitting any CIDRs.
The above example now produces the label selector string
"cidr:10.0.0.0/8 !cidr:10.0.0.0/16" which means "select all identities
with the key cidr:10.0.0.0/8 but not with the key cidr:10.0.0.0/16".
This means that all identities contained in prefix 10.0.0.0/16 will
*never* be selected by the policymap, and will thus be dropped.
This also fixes a (never shipped) bug introduced in cilium#33441 where Except
blocks stopped working with CIDRGroupRef rules.
Signed-off-by: Casey Callendrello <cdc@isovalent.com>
This creates a CiliumNetworkPolicy equivalent to another CIDR-based scenario, but uses a CiliumCIDRGroup instead of specifying the CIDR directly. This ensures that both CIDRGroups as well as Except fields work as expected. Signed-off-by: Casey Callendrello <cdc@isovalent.com>
0a72272 to
6138677
Compare
|
/test |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This change stops the manual "splitting" of Except cidrs within ToCIDRSet rules. Rather, it uses the DoesNotExist label selector on any excepted CIDRs.
Previously, any entries within the Except block would cause the selected CIDR to be "split" on bit boundaries. This example policy would cause 8 match entries to be created, rather than 1:
Starting from 3887fcc, CIDR identities are no longer special within the policymap. This means that CIDR selectors have the exactly expected effect, and we no longer synthesize smaller entries in the event of a covering policy rule.
Now that CIDR selectors work exactly as expected, we can exploit this fact, along with the LPM nature of the ipcache, to implement Except without splitting any CIDRs.
The above example now produces the label selector string
cidr:10.0.0.0/8 !cidr:10.0.0.0/16which means "select all identities with the key cidr:10.0.0.0/8 but not with the key cidr:10.0.0.0/16". This means that all identities contained in prefix 10.0.0.0/16 will never be selected by the policymap, and will thus be dropped.This also fixes a (never shipped) bug introduced in #33441 where Except blocks stopped working with CIDRGroupRef rules.