fix(connectivity): add dns rules and change protocol to ANY #1402
Conversation
/test
See the inline comment.
- ports: | ||
- port: "53" | ||
protocol: ANY |
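Review bot: `protocol: ANY` on port 53 is only narrowed to DNS if this `ports` entry also carries a `rules: dns:` stanza, and no `rules:` block is visible in these three lines of context, so as shown the entry admits any L4 traffic to port 53 rather than only DNS. If DNS-only is the intent, keep the `rules: dns: - matchPattern: "*"` stanza under the same `toPorts` entry (the stanza discussed later in this thread), or list `UDP` and `TCP` explicitly so the reason for widening beyond `UDP` is recorded in the manifest.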
Why are we opening the policy rules for all protocols if the intention is to only allow DNS traffic? Did you try adding a similar rule for TCP?
Thanks for asking. I should have mentioned it already. I was searching for the root cause. I did a test with TCP; it didn't affect the result. The problem is that the policies with FQDNs do not work. Of course, I am talking about the environment with `node-local-dns`.

It looks like it cannot detect the protocol when only the `client-egress-to-fqdns-one-one-one-one` or the `client-egress-only-dns` policies are applied.

I added the DNS rule (the part below) for the above policies. But the problem wasn't that something was missing.

```yaml
rules:
  dns:
  - matchPattern: "*"
```

Then, I noticed that Cilium couldn't validate the protocols.

We might add a test environment with `node-local-dns` deployed. I can help with it.

I noticed this problem while I was testing the new release of Cilium.
Worth noting that if this is set to `ANY` and there is a `rules` stanza, Cilium only supports redirecting traffic for TCP and UDP, so I believe this is effectively the same as having another rule for TCP specifically.
Considering the Cilium policy behaviour for how it handles the node local DNS IP and the way that these manifests are currently working around the issue, I think that this proposal is accurate. Switching from `UDP` to `ANY` is also effectively an alias for TCP and UDP anyway, and DNS can commonly go over both UDP and TCP.
Commit 7f1a3fd does not match "Signed-off-by". Please follow instructions provided in https://docs.cilium.io/en/stable/contributing/development/contributing_guide/#developer-s-certificate-of-origin
Signed-off-by: Emin Aktaş <[email protected]> Signed-off-by: Emin Aktas <[email protected]>
Force-pushed from 7f1a3fd to ca6d76b.
Sorry for the delay.
Test failures - We have similar flakes every now and then where tests involve connecting to an external entity. I've restarted the external workloads test as there were some infrastructure failures in the earlier run.
This flaked on #2070 and a
Connectivity tests fail with the `node-local-dns` environment. This PR adds missing DNS rules and changes protocol from `UDP` to `ANY`.