Skip to content

Add CNP IngressDeny and EgressDeny rules validation #36598

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jan 6, 2025
Merged

Add CNP IngressDeny and EgressDeny rules validation #36598

merged 7 commits into from
Jan 6, 2025

Conversation

pippolo84
Copy link
Member

@pippolo84 pippolo84 commented Dec 13, 2024
edited
Loading

Add sanitization for IngressDeny and EgressDeny rules in CNP/CCNP.

The sanitization logic follows the same rules already applied for Ingress and Egress rules, except for the parts that are not supported in their "Deny" counterparts (e.g: no L7 rules support in IngressDeny/EgressDeny, hence no L7 rules validation).

Note to reviewers: please review commit by commit

Add IngressDeny and EgressDeny rules validation for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy

@pippolo84 pippolo84 added release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies. labels Dec 13, 2024
@pippolo84 pippolo84 force-pushed the pr/pippolo84/cnp-ingress-egress-deny-validation branch from b6000a4 to 6fa6c7d Compare December 13, 2024 17:55
@pippolo84

This comment was marked as outdated.

Sign in to view
@pippolo84 pippolo84 force-pushed the pr/pippolo84/cnp-ingress-egress-deny-validation branch from 6fa6c7d to 7a679a5 Compare December 16, 2024 18:11
@pippolo84
policy/api: Clean up errors usage in rules sanitization
51612b8 
In preparation of the subsequent commits, rework the errors usage in
rules sanitization. Specifically:

- fix some linting errors (capitalized error strings, punctuation in
  error strings, useless usage of error formatting and so on)
- use errors.Join to propagate errUnsupportedICMPWithToPorts alongside
  other possible validation errors
- fix tests to rely on require.ErrorIs when checking for a specific
  error

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Extract ingress common rule sanitization
6c25feb 
Extract IngressCommonRule sanitization into its own method. This will be
useful in a subsequent commit, where the sanitization for IngressDeny
rules will be added. Since IngressCommonRule is embedded into both
Ingress and IngressDeny rules, the new method can be used while
sanitizing both rule types.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Extract egress common rule sanitization
0ad8198 
Extract EgressCommonRule sanitization into its own method. This will be
useful in a subsequent commit, where the sanitization for EgressDeny
rules will be added. Since EgressCommonRule is embedded into both Egress
and EgressDeny rules, the new method can be used while sanitizing both
rule types.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Add IngressDeny validation
830de0d 
Add sanitization for IngressDeny rules. The sanitization applies the
same logic used for Ingress rules, dropping the parts that are not
relevant for the IngressDeny ones (e.g: IngressDeny has no L7 rules).

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Add EgressDeny validation
e4b3a63 
Add sanitization for EgressDeny rules. The sanitization applies the same
logic used for Egress rules, dropping the parts that are not relevant
for the EgressDeny ones (e.g: EgressDeny has no L7 rules).

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Add helpers for egress rule L3 members
4ef2020 
Add helper methods to {Egress,EgressDeny,EgressCommon}Rule to get the
list of L3 members and the list of L3 members that are not compatible
with ToPorts rules.

This simplifies the extension and reuse of the sanitization logic in
EgressCommonRule to EgressRule and EgressDenyRule.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84
policy/api: Add testing for {Ingress,Egress}Deny rules validation
6fbcc8a 
Extend the current unit tests to take into account the sanitization of
both IngressDeny and EgressDeny rules.

Signed-off-by: Fabio Falzoi <fabio.falzoi@isovalent.com>
@pippolo84 pippolo84 force-pushed the pr/pippolo84/cnp-ingress-egress-deny-validation branch from 7a679a5 to 6fbcc8a Compare December 17, 2024 21:35
@pippolo84
Copy link
Member Author

/test

@pippolo84 pippolo84 marked this pull request as ready for review December 17, 2024 21:42
@pippolo84 pippolo84 requested review from a team as code owners December 17, 2024 21:42
christarazi
christarazi approved these changes Dec 18, 2024
View reviewed changes
Copy link
Member

@christarazi christarazi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice, thanks!

learnitall
learnitall approved these changes Dec 20, 2024
View reviewed changes
Copy link
Contributor

@learnitall learnitall left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚀 🚢

@julianwiedmann julianwiedmann added this pull request to the merge queue Jan 6, 2025
Merged via the queue into cilium:main with commit 1fa46b2 Jan 6, 2025
74 checks passed
@squeed
Copy link
Contributor

squeed commented Jan 20, 2025

@pippolo84 this PR would fix a bug I'm seeing in v1.16, do you think it should be backported?

@squeed squeed mentioned this pull request Jan 21, 2025
Closed
@pippolo84
Copy link
Member Author

@pippolo84 this PR would fix a bug I'm seeing in v1.16, do you think it should be backported?

Since this can help to fix a bug, I'd say it qualifies for backporting. I'm (mildly) concerned that adding an additional layer of validation into v1.16 might break existing policies, but given that those policies wouldn't have worked as intended anyway (see the segfault you observed) I think backporting is the way to go. Let me take care of that 👍

@pippolo84 pippolo84 added backport/1.16 This PR represents a backport for Cilium 1.16.x of a PR that was merged to main. and removed backport/1.16 This PR represents a backport for Cilium 1.16.x of a PR that was merged to main. labels Jan 21, 2025
@pippolo84 pippolo84 added needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Jan 21, 2025
@pippolo84 pippolo84 mentioned this pull request Jan 21, 2025
Merged
1 task
@pippolo84 pippolo84 added backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. and removed needs-backport/1.16 This PR / issue needs backporting to the v1.16 branch labels Jan 21, 2025
@rastislavs rastislavs mentioned this pull request Jan 21, 2025
Merged
45 tasks
@rastislavs rastislavs added backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. and removed needs-backport/1.17 This PR / issue needs backporting to the v1.17 branch labels Jan 21, 2025
@github-actions github-actions bot added backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. and removed backport-pending/1.17 The backport for Cilium 1.17.x for this PR is in progress. backport-pending/1.16 The backport for Cilium 1.16.x for this PR is in progress. labels Jan 22, 2025
@cilium-release-bot cilium-release-bot bot mentioned this pull request Jan 24, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@christarazi christarazi christarazi approved these changes

@doniacld doniacld Awaiting requested review from doniacld doniacld is a code owner automatically assigned from cilium/sig-policy

+1 more reviewer

@learnitall learnitall learnitall approved these changes

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
backport-done/1.16 The backport for Cilium 1.16.x for this PR is done. backport-done/1.17 The backport for Cilium 1.17.x for this PR is done. release-note/minor This PR changes functionality that users may find relevant to operating Cilium. sig/policy Impacts whether traffic is allowed or denied based on user-defined policies.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@pippolo84 @squeed @christarazi @learnitall @rastislavs @julianwiedmann