Skip to content

Miscellaneous improvements to DNS introspection policies in connectivity tests #36193

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 27, 2024
Merged

Miscellaneous improvements to DNS introspection policies in connectivity tests #36193

merged 4 commits into from
Nov 27, 2024

Conversation

giorio94
Copy link
Member

Please review commit by commit, and refer to the individual messages for additional details.

@giorio94
cilium-cli: drop unused client-egress-to-fqdns-port-ranges manifest
c9c3ba4 
The manifest appears to have been introduced in 46f3918 ("connectivity:
Add Port Range Tests"), but has never been actually used. Hence, let's get
rid of it.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
cilium-cli: consolidate DNS introspection into single CNP
fc0e47f 
Multiple policies leveraged by the connectivity tests depend on DNS
introspection to support toFQDN rules. However, they are currently
not particularly consistent, each configuring the allowed DNS servers
in slightly different ways. Let's consolidate the configuration in
a single policy, which is then applied alongside all the others, to
ensure consistency and guarantee that modifications apply to all.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
cilium-cli: let DNS policies allow DNS servers in local cluster only
feac8cf 
Modify the DNS policies to specify a cluster selector to allow targeting
DNS servers in the local cluster only, matching best practices.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94 giorio94 added kind/cleanup This includes no functional changes. release-note/misc This PR makes changes that have no direct user impact. cilium-cli This PR contains changes related with cilium-cli labels Nov 26, 2024
@github-actions github-actions bot added the cilium-cli-exclusive This PR only impacts cilium-cli binary label Nov 26, 2024
@giorio94
CODEOWNERS: let cilium/fqdn own the builder/dns_only.go file
c1ddd01 
It appears to be currently owned by the clustermesh team, even if it is
not clustermesh related. Let's assign it to the fqdn team, given that
it configures DNS interception.

Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
@giorio94
Copy link
Member Author

/test

@giorio94 giorio94 marked this pull request as ready for review November 27, 2024 09:06
@giorio94 giorio94 requested review from a team as code owners November 27, 2024 09:06
giorio94
giorio94 commented Nov 27, 2024
View reviewed changes
pippolo84
pippolo84 approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@pippolo84 pippolo84 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! 💯

@maintainer-s-little-helper maintainer-s-little-helper bot added the ready-to-merge This PR has passed all tests and received consensus from code owners to merge. label Nov 27, 2024
gandro
gandro approved these changes Nov 27, 2024
View reviewed changes
Copy link
Member

@gandro gandro left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK for FQDN

@tklauser tklauser added this pull request to the merge queue Nov 27, 2024
Merged via the queue into cilium:main with commit 176c55d Nov 27, 2024
78 checks passed
@github-actions github-actions bot mentioned this pull request Dec 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gandro gandro gandro approved these changes

@tklauser tklauser tklauser approved these changes

@nebril nebril nebril approved these changes

@pippolo84 pippolo84 pippolo84 approved these changes

@marseel marseel marseel approved these changes

Assignees
No one assigned
Labels
cilium-cli This PR contains changes related with cilium-cli cilium-cli-exclusive This PR only impacts cilium-cli binary kind/cleanup This includes no functional changes. ready-to-merge This PR has passed all tests and received consensus from code owners to merge. release-note/misc This PR makes changes that have no direct user impact.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@giorio94 @gandro @tklauser @nebril @pippolo84 @marseel