jrajahalme
Member

Enforce source pod's egress policy, if available, i.e., when the source is a local pod, even in the north/south scenario, where the Ingress IP is used as the upstream source address.

@jrajahalme jrajahalme added the bug Something isn't working label Feb 18, 2025
@jrajahalme jrajahalme requested a review from a team as a code owner February 18, 2025 12:41
@jrajahalme jrajahalme force-pushed the fix-pod-egress-enforcement branch 2 times, most recently from b08bc22 to 030d6dc Compare February 25, 2025 18:08
@jrajahalme jrajahalme removed the dont-merge/preview-only DON'T MERGE label Feb 25, 2025
@jrajahalme
Member Author

Builder image appears broken, apt is crashing on libc update. Adding clang-tidy to the builder image to cause a new one to be built & we need it soon anyway.

@jrajahalme jrajahalme force-pushed the fix-pod-egress-enforcement branch 3 times, most recently from 982bd3f to db08b11 Compare February 25, 2025 19:07
@sayboras sayboras force-pushed the fix-pod-egress-enforcement branch from db08b11 to 9ff905c Compare February 26, 2025 02:47
@jrajahalme jrajahalme force-pushed the fix-pod-egress-enforcement branch from 9ff905c to fef3998 Compare February 26, 2025 06:44
Member

@sayboras sayboras left a comment

Touch base offline for some points I don't understand, thanks ✅

Enforce source pod's egress policy, if available, i.e., when the source
is a local pod, even in the north/south scenario, where the Ingress IP is
used as the upstream source address.

Signed-off-by: Jarno Rajahalme <jarno@isovalent.com>
@jrajahalme jrajahalme force-pushed the fix-pod-egress-enforcement branch from fef3998 to 21494ef Compare February 27, 2025 14:20
@jrajahalme
Member Author

Removed stray comment.

@sayboras sayboras merged commit c3c35d5 into main Mar 3, 2025
5 checks passed
@sayboras sayboras deleted the fix-pod-egress-enforcement branch March 3, 2025 04:30
@sayboras sayboras mentioned this pull request Mar 5, 2025
1 task
sayboras added a commit to cilium/cilium that referenced this pull request Mar 7, 2025
Relates: cilium/proxy#1172
Signed-off-by: Tam Mach <tam.mach@cilium.io>
sayboras added a commit to cilium/cilium that referenced this pull request Mar 7, 2025
This test will cover both positive and negative cases:

- Request from any client pods to cilium-ingress-same-node will be
  allowed.
- Request from any client pods to cilium-ingress-other-node will be
  denied.

Relates: cilium/proxy#1172
Signed-off-by: Tam Mach <tam.mach@cilium.io>
github-merge-queue bot pushed a commit to cilium/cilium that referenced this pull request Mar 12, 2025
This test will cover both positive and negative cases:

- Request from any client pods to cilium-ingress-same-node will be
  allowed.
- Request from any client pods to cilium-ingress-other-node will be
  denied.

Relates: cilium/proxy#1172
Signed-off-by: Tam Mach <tam.mach@cilium.io>
Labels
backport-done/1.31 bug Something isn't working